<?php
$username=$_POST['user'];
$password=$_POST['pass'];
if($username=='admin' AND $password=='pass'){
echo "inside";
}
?>
<form action='' method='post'>

    <input name=user>
    <input name=pass>
    <input type='submit'>

</form>

As I'm new to PHP and I'm studying SQL injection... I have made a sample code where there are no SQL queries; I just want to get "inside" printed... I am trying with the user value and password value as ""==""OR""... but it is not working... If I try with `echo var_dump(""==""OR""=='admin');` it gives true.

Abhishek
  • First, I would check to see if you're getting the data you want to get in your POST. Try echoing that first before putting it inside your if statement. A good practice when getting data from a form is to check if anything is posted at all. You can check this using: `if(isset($_POST["user"])) { ..do something }` Your logic is fine, so it must be the values that you're posting that are incorrect. – PerrinPrograms May 19 '17 at 17:47
  • Where is SQL in it? – Ali Rasheed May 19 '17 at 17:59
  • I have no idea what this is about. – Funk Forty Niner May 19 '17 at 18:09
  • 1
    **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard May 19 '17 at 18:10

2 Answers


Let's say you have this code (just an example to give the idea):

Method 1 (NEVER RECOMMENDED)

<?php
    $username=$_POST['user'];
    $password=$_POST['pass'];
    $sql = "SELECT * FROM users WHERE username LIKE '".$_POST['user']."'";
    //Execute the query
?>
<form action='' method='post'>
    <input name=user>
    <input name=pass>
    <input type='submit'>
</form>

Now this is vulnerable to SQL injection. If a user inputs

abc'; DROP TABLE users;

This query will be rendered as

"SELECT * FROM users WHERE username LIKE 'abc'; DROP TABLE users";

Now there are two queries: first it performs the SELECT, then it performs the DROP, hence at the end your users table is dropped.

Method 2 (Prepared Statements RECOMMENDED)

<?php
    // $mysqli is assumed to be an open mysqli connection created earlier
    $username=$_POST['user'];
    $password=$_POST['pass'];
    // The query text is sent with a placeholder; the value is bound separately
    $stmt = $mysqli->prepare("SELECT * FROM users WHERE username LIKE ?");
    $stmt->bind_param("s", $_POST['user']);
    $stmt->execute(); //Execute the query
?>
<form action='' method='post'>
    <input name=user>
    <input name=pass>
    <input type='submit'>
</form>

Now at the line `$mysqli->prepare()`, in simple words, it will go to MySQL and tell it that there is a query coming with a parameter. Then bind_param will go and register itself with MySQL as a parameter only. And thus it executes.

I cannot write it in simpler words. Hope you get the idea!

Ali Rasheed
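Added example, not part of either answer: the two methods from the answer above run against an in-memory SQLite table in Python, so the difference is visible without a MySQL server. `fresh_db`, `run_unsafe` and `find_user_safe` are names chosen here, and `executescript` stands in for a driver call that accepts several statements per request (the way mysqli::multi_query does).

```python
import sqlite3

# Constructed sample input: the same payload the answer above uses.
PAYLOAD = "abc'; DROP TABLE users;"


def fresh_db():
    """In-memory stand-in for the MySQL 'users' table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("admin",), ("abc",)])
    conn.commit()
    return conn


def table_exists(conn, name="users"):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def build_unsafe_query(user_input):
    """Method 1: the exact text the database receives after concatenation."""
    return "SELECT * FROM users WHERE username LIKE '" + user_input + "'"


def run_unsafe(conn, user_input):
    """Send the concatenated text as a script (stacked statements allowed).
    The quote inside the input closes the string literal early, so the rest
    is parsed as SQL: the SELECT runs, then the DROP, and only the dangling
    trailing quote raises an error, after the table is already gone.
    Returns the error text, or None if the script ran cleanly."""
    try:
        conn.executescript(build_unsafe_query(user_input))
        return None
    except sqlite3.Error as err:
        return str(err)


def find_user_safe(conn, user_input):
    """Method 2: the query text is fixed; the input travels only as a value.
    Note that LIKE still treats % and _ as wildcards in a bound value, so use
    = instead of LIKE when an exact match is what you want."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ORDER BY username",
        (user_input,),
    ).fetchall()
    return [r[0] for r in rows]
```

With the plain mysqli::query call the second statement is refused rather than executed, but the input has still rewritten the query text, which is the defect a scanner or code review flags.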

The best way to see your injection within your script is to "output" your input with no "cleaning". This is typically the fastest way (and how most vulnerability scanners check for injection ability) to see the security issue present. Therefore I would recommend, if you WANT to see security issues for your study, adding the user-entered values to the page. Try updating your code to this (notice this is very insecure and should not be used in production, but should suffice for your injection study).

<?php
$username=$_POST['user'];
$password=$_POST['pass'];
if($username=='admin' AND $password=='pass'){
echo "inside";
}
?>
<form action='' method='post'>

    <input name="user" value="<?php echo $username; ?>">
    <input name="pass" value="<?php echo $password; ?>">
    <input type='submit'>

    <p>PHP:  <?php echo $_SERVER['PHP_SELF']; ?></p>
</form>

I also added the `$_SERVER['PHP_SELF']` call to demonstrate the injection possible with that PHP variable. If you run "OWASP ZAP", "OpenVAS" or "Nessus", you should see it describe the injection vulnerabilities for your study.

Please let me know if you have any questions, Thanks!

Danoweb