我正在尝试执行SQL注入(SQLi)。
我的表格是:
<form action="<?php echo $_SERVER["PHP_SELF"];?>" method="POST">
<table>
<tr>
<td>Nama Properti</td>
<td>:</td>
<td>
<input type="text" name="property_name">
</td>
<td>
<?php if(isset($errors)) echo "<p class='errlog'>" . $errors . "</p>"; ?>
</td>
</tr>
<tr>
<td></td>
<td>:</td>
<td>
<input type="submit" name="submit-form" value="Kirim" >
</td>
</tr>
</table>
</form>
我的动作是:
<?php
if (isset($_POST["submit-form"])) {
if (!empty($_POST["property_name"])) {
$mysqli = new mysqli("127.0.0.1", "root", "", "belajar");
if ($mysqli->connect_errno) {
echo "Failed to connect to MySQL: " . $mysqli->connect_error;
exit();
}
$property_name = $_POST["property_name"];
echo $property_name; // produce 'x'); DROP TABLE kelas_lain;--
$sql = "INSERT INTO kelas_lain (property_name) VALUES (". $property_name .")";
echo "<br>" . $sql; // produce INSERT INTO kelas_lain (property_name) VALUES ('x'); DROP TABLE kelas_lain;--)
if ($sql_query = $mysqli->query($sql)) {
echo "<p class='successlog'>Success !</p>";
echo "Returned rows are: " . $sql_query->num_rows;
$sql_query->free_result();
}else{
echo "<p class='errlog'>There is an error with SQL !</p>";
}
$mysqli->close();
}else{
$errors = "Mohon Isi Form !";
}
}
?>
我通过输入用户表单传递了此'x'); DROP TABLE kelas_lain;--
,但是却收到错误echo "<p class='errlog'>There is an error with SQL !</p>";
而不是成功执行了此命令INSERT INTO kelas_lain (property_name) VALUES ('x'); DROP TABLE kelas_lain;--)
,该命令会删除kelas_lain表。
我做了echo $sql;
它显示了:
INSERT INTO kelas_lain(property_name)VALUES('x');删除表kelas_lain;-)
而且我认为一切正确。
其他
虽然我通过将查询传递给URL成功完成(SQLi)。
传递的查询为:index.php?id = siswalogin的SELECT密码,其中id = 1这是代码:
<?php
/*
* Check if the 'id' GET variable is set
*/
if (isset($_GET['id'])){
$id = htmlspecialchars($_GET['id']);
/* Setup the connection to the database */
$mysqli = new mysqli('localhost', 'root', '', 'belajar');
/* Check connection before executing the SQL query */
if ($mysqli->connect_errno) {
printf("Connect failed: %s\n", $mysqli->connect_error);
exit();
}
/* SQL query vulnerable to SQL injection */
$sql = "SELECT username
FROM siswalogin
WHERE id = $id";
/* Select queries return a result */
if ($result = $mysqli->query($sql)) {
while($obj = $result->fetch_object()){
print($obj->username);
}
echo "<br>" . $id; // = 1 UNION SELECT password FROM siswalogin where id=1
}
/* If the database returns an error, print it to screen */
elseif($mysqli->error){
print($mysqli->error);
}
}
?>
出于安全原因(尤其是SQL注入),mysqli_query()
函数不支持执行多个SQL语句。