I'm trying to use SQL injection on my local server.
My script is:
$query="SELECT * FROM tbl_admin WHERE admin_name ='".$uname."' AND admin_password ='".$pwd."'";
Now when I'm using admin' OR '1'='1'"; #
in name my query becomes
SELECT * FROM tbl_admin WHERE admin_name ='admin' OR '1'='1'"; #' AND admin_password ='*****'
When I check this query till the 1, it works fine, but it is not working in the script.
I'm not getting the quotes issue. Can anyone help me?
I think the information in your question is wrong:
SELECT * FROM tbl_admin WHERE admin_name ='".$uname."' AND
putting in admin' OR '1'='1'"; #
makes it:
SELECT * FROM tbl_admin WHERE admin_name ='admin' OR '1'='1'"; #' AND
Which is wrong (PHP) syntax because of the final double-quote ".
If you put in ' OR 1=1;-- , the output is compliant with the PHP syntax:
SELECT * FROM tbl_admin WHERE admin_name ='' OR 1=1;--' AND
Update:
Due to invalid edits of the original question, my answer does not fit the rolled-back revision.
Use the function mysql_real_escape_string in your query to avoid SQL injection.
I recommend using the MySQLi extension for better security.
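The difference between concatenating input into the query text and binding it as a parameter, as an added example that is not part of either answer above. It assumes PDO with an in-memory SQLite database so it runs without a server (MySQLi offers the same pattern through prepare() and bind_param()); the table row, the sample password and the function names login_concat and login_bound are constructed for illustration.

```php
<?php
// Added example: constructed table and row, in-memory SQLite so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE tbl_admin (admin_name TEXT, admin_password TEXT)");
// The password column is compared in SQL as on the page, so the two
// functions below differ only in how the input reaches the query.
$pdo->prepare("INSERT INTO tbl_admin VALUES (?, ?)")
    ->execute(['admin', 'constructed-sample-password']);

// The question's pattern: input is pasted into the SQL text, so a quote in
// $uname ends the string literal and the rest is parsed as SQL.
function login_concat(PDO $pdo, string $uname, string $pwd): bool
{
    $query = "SELECT * FROM tbl_admin WHERE admin_name ='" . $uname
           . "' AND admin_password ='" . $pwd . "'";
    return $pdo->query($query)->fetch() !== false;
}

// Bound parameters: the statement is compiled with placeholders first and the
// values are sent separately, so they are only ever compared as data.
function login_bound(PDO $pdo, string $uname, string $pwd): bool
{
    $stmt = $pdo->prepare(
        "SELECT 1 FROM tbl_admin WHERE admin_name = ? AND admin_password = ?"
    );
    $stmt->execute([$uname, $pwd]);
    return $stmt->fetch() !== false;
}

$input = "' OR 1=1;--"; // the name value quoted in the first answer

// Same input through both code paths, then a legitimate login through the
// bound path to show that normal use is unaffected.
var_dump(login_concat($pdo, $input, 'anything'));
var_dump(login_bound($pdo, $input, 'anything'));
var_dump(login_bound($pdo, 'admin', 'constructed-sample-password'));
```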