I'm trying to use SQL Injection on my local server.
My Script is:
$query="SELECT * FROM tbl_admin WHERE admin_name ='".$uname."' AND admin_password ='".$pwd."'";
Now when I'm using admin' OR '1'='1'"; # in name my query becomes
SELECT * FROM tbl_admin WHERE admin_name ='admin' OR '1'='1'"; #' AND admin_password ='*****'
When I check this query till 1 it is working fine. But not working in script.
I'm not getting quotes issue. Can anyone help me?
2 Answers 2
I think the information in your question is wrong:
SELECT * FROM tbl_admin WHERE admin_name ='".$uname."' AND
putting in admin' OR '1'='1'"; # makes it:
SELECT * FROM tbl_admin WHERE admin_name ='admin' OR '1'='1'"; #' AND
Which is wrong (PHP) syntax because of the final double-quote ".
If you put in ' OR 1=1;--, output is compliant to the PHP syntax:
SELECT * FROM tbl_admin WHERE admin_name ='' OR 1=1;--' AND
Update:
Due to invalid edits of the original question, my answer does not fit to the rolled back revision.
answered Mar 20, 2014 at 10:52
2 Comments
Carsten
Somebody botched up the bad username in an edit. The original value which the OP posted was
admin' OR '1'='1'"; #, which would correctly inject the OR '1'='1' clause. Could you please edit your answer accordingly?Daniel W.
@Carsten I rolled the question back to the original code, thx for the hint
use this function mysql_real_escape_string in your query so avoid sql injection.
Recommend to use MySqli extension for better security.
1 Comment
Sergey Telshevsky
Please read questions and not blindly answer because of the familiar words you have seen in it.
default
OR '1'='1'"; #, pass' OR 1=1;--in the injection, it won't work if you dont close the first quote ofadmin_name='.