I'm trying to use SQL injection on my local server.
My script is:
$query="SELECT * FROM tbl_admin WHERE admin_name ='".$uname."' AND admin_password ='".$pwd."'";
Now when I'm using admin' OR '1'='1'"; # as the name, my query becomes
SELECT * FROM tbl_admin WHERE admin_name ='admin' OR '1'='1'"; #' AND admin_password ='*****'
When I check this query up to the 1 it works fine, but it is not working in the script.
I'm not getting the quotes issue. Can anyone help me?
2 Answers
I think the information in your question is wrong:
SELECT * FROM tbl_admin WHERE admin_name ='".$uname."' AND
putting in admin' OR '1'='1'"; #
makes it:
SELECT * FROM tbl_admin WHERE admin_name ='admin' OR '1'='1'"; #' AND
Which is wrong (PHP) syntax because of the final double-quote ".
If you put in ' OR 1=1;-- , the output is compliant with the PHP syntax:
SELECT * FROM tbl_admin WHERE admin_name ='' OR 1=1;--' AND
Update:
Due to invalid edits of the original question, my answer does not fit the rolled-back revision.
2 Comments
admin' OR '1'='1'"; # , which would correctly inject the OR '1'='1' clause. Could you please edit your answer accordingly?

Use the function mysql_real_escape_string in your query to avoid SQL injection.
I recommend using the MySQLi extension for better security.
OR '1'='1'"; #
, pass' OR 1=1;--
in the injection, it won't work if you dont close the first quote ofadmin_name='
.
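As an added example (not code from the question or from either answer), here is the same login query built two ways against a constructed in-memory SQLite table standing in for tbl_admin: the string-concatenation pattern from the question, and a parameterized query, which is what the MySQLi recommendation in the second answer gives you through prepared statements. SQLite is assumed here because it runs without a server; it does not support MySQL's # comment, so the bypass input uses -- as the comment on the second answer suggests. The table, the credentials and the function names are all constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the page's tbl_admin, held in memory (assumption: SQLite, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl_admin (admin_name TEXT, admin_password TEXT)")
    conn.execute("INSERT INTO tbl_admin VALUES ('admin', 'secret')")  # constructed sample row
    conn.commit()
    return conn


def build_concat_query(uname, pwd):
    """Same construction as the question's PHP: user input is spliced into the SQL text itself."""
    return ("SELECT * FROM tbl_admin WHERE admin_name ='" + uname
            + "' AND admin_password ='" + pwd + "'")


def login_concat(conn, uname, pwd):
    """Vulnerable form. A quote in the input ends the string literal, so the input
    becomes part of the query's structure. Returns one of three outcomes so the
    difference between a broken query and a bypassed check is visible."""
    query = build_concat_query(uname, pwd)
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error:
        # The question's payload leaves an unterminated double-quote, which the
        # database rejects: that is the syntax error the first answer points at.
        return "syntax error"
    return "logged in" if row else "denied"


def login_param(conn, uname, pwd):
    """Hardened form. Placeholders are bound by the driver, so the whole input is
    compared as a value; quotes and comment markers inside it never reach the parser."""
    query = "SELECT * FROM tbl_admin WHERE admin_name = ? AND admin_password = ?"
    row = conn.execute(query, (uname, pwd)).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    # The question's input: the stray " breaks the query instead of bypassing it.
    print(login_concat(conn, "admin' OR '1'='1'\"; #", "x"))   # syntax error
    # Quote closed and the rest commented out: the concatenated query lets anyone in.
    print(login_concat(conn, "' OR 1=1 --", "x"))               # logged in
    # The same input against the parameterized query is just a non-matching name.
    print(login_param(conn, "' OR 1=1 --", "x"))                # False
    print(login_param(conn, "admin", "secret"))                 # True
```

The outcome that matters for the fix is the last pair: with a bound parameter the string ' OR 1=1 -- is looked up as a literal admin_name and finds nothing, whereas the concatenated query has had its WHERE clause rewritten. Escaping functions only patch over the first form; binding removes the problem by keeping data out of the query text.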