
I have this code:

<?php
// $conn is assumed to be an open mysqli connection (not shown in the question)
if (isset($_POST['submit'])) {
    $name = $_POST['name'];

    // $name is interpolated directly into the SQL string
    $query = mysqli_query($conn, "select name from accounts where name = '{$name}'");
    if ($query) {
        echo "success";
    } else {
        echo "error";
    }
}
?>



 <form action="" method="post">
                Name: <input type="text" name="name"><br><br>
                <input type="submit" name="submit" value="Add">
</form>

I entered this in the form and submitted it; it only returns "error", and the table was not deleted.

2 Answers


  1. For example, if you send a request like this:

    1';DROP table accounts where id!='123454321344321
    

    Because of request encoding, you can use the + sign instead of spaces.
    Here is an example in PHP that simulates the $name argument:

    
    // This stands in for the request variable $_POST['name']
    $name = "1';DROP table accounts where id!='123454321344321";
    $query = mysqli_query($conn, "select name from accounts where name = '{$name}'");
    if($query) {
       echo "success";
    } else {
        echo "error";
    }
    
  2. For mysqli, multiple statements (multi queries) must be executed with mysqli::multi_query().

    So change

    $query = mysqli_query($conn, "select name from accounts where name = '{$name}'");
    

    to

    $query = mysqli_multi_query($conn, "select name from accounts where name = '{$name}'");
    

    then retry what you want on your own machine.

    Of course, usually a hacker will just gain privileges by logging in as "admin" and then do whatever he/she wants (in that case, a single query in a select statement through a SQL attack will do, and there is no need to execute multi-queries).

    [additional point]

    For single query SQL attack, submit the following:

    1}' or 1=1 or '{1=1

    which will become:

    select name from accounts where name='{1}' or 1=1 or '{1=1}'
    

    or

    1}' or name='admin' or '{1=1

    which will become:

    select name from accounts where name='{1}' or name='admin' or '{1=1}'
    

    Hence, to avoid SQL attacks, please use parameterized prepared statements.
    For details, you may refer to:

    php mysqli prepared statements select
