Search code examples
phpsqlsql-injection

SQL Injection parameters aren't working on my page

I have a login form and I'm confused why my SQL Injection parameters doesn't work in here. I don't have any function or method for preventing the SQL Injection.

I made this login form for the testing of SQL injection and it's written in PHP. Here is my code.

<?php
    include("myconnection.php");

    $error="";
    if(isset($_POST["submit"]))
    {
        if($_POST["username"] == '' || $_POST["password"]== '')
        {
            $error='Please fill the blanks!';

        }else
        {

            $username=$_POST['username'];
            $password=$_POST['password'];

            $sql="SELECT * FROM users WHERE username='$username' AND password='$password'";
            $result=mysqli_query($db,$sql);
            $row=mysqli_fetch_array($result,MYSQLI_ASSOC);

            if(mysqli_num_rows($result)==1)
            {
                $login_user=$_POST["$username"];    
                header("location: myhome.php");
                $error="Connected";

            }
            else
            {

            //$error="Incorrect Username/Password";
              $message="Incorrect Credentials";
              echo "<script='text/javascript'>$message</script>";

            }

        }
    }
    else
    {


    }

?>

I tried admin'OR'1'='1 in both username and password fields and any other possible basic injections but it doesn't work. I tried using the basic sql injection in most of working sites and it works, I'm just confused my my code doesnt accept sql injections.

And it gives me the same echo when you have an incorrect credentials.

this

Solution

  • I hope this is done for academic purposes as I have no idea why you would ever want to have this in any production websites. That being said it is probably because of the AND needing to also be true for the query to return any results. Where as if you had submitted admin'OR'1'='1 in the username field your query would look like

    SELECT * FROM users WHERE username='admin'OR'1'='1' AND password='123'

    That reads to me as WHERE username equals admin OR 1 equals 1 AND password equals 123. You would probably need to figure out how to also bypass that check as it will try to match password field still and vice versa the username field.

    Seems odd to say but if you wanted to inject something maybe this would work in the username field injection' OR 1 LIMII 1# Which would make something like this

    SELECT * FROM users WHERE username = 'injection' OR 1 LIMIT 1#' AND password = 'pass'

    Essentially you are already injecting SQL, you are just not doing it in such a way that is yielding the results you want. Try echoing the query and running it directly in the mySQL CLI to see what the result set is and if it is a valid query. Maybe play around with the query there to try and obtain your intended injection.