A PHP SQL injection attack is the act of someone inserting a MySQL statement to be run on your database without your knowledge. Injection usually occurs when you ask a user for input, such as a name, and instead of a name they give you a MySQL statement that you unknowingly run on your database.
Understand with Example
This tutorial illustrates an example of a PHP SQL injection attack. To follow the example, we create a table 'Stu' with the required field names and data types.
Create Table Stu :
CREATE TABLE `stu` (
`id` int(11) NOT NULL auto_increment,
`name` varbinary(10) default NULL,
`class` int(11) default '12',
PRIMARY KEY (`id`)
)
Insert.php:
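Insert.php contains an HTML page that collects a record from the user and, when the submit button is clicked, adds it to the table 'stu' of the database. The script builds its SQL statement by joining the submitted values directly into the query text, which is what makes injection possible. An attacker can sometimes gain access to a great deal of information they should not have, and the damage can be worse still.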
<html>
<body>
<form method="post" action="insert.php"
style="border: 1px solid #000000;
width :230px; margin-top:
50px;margin-left: 70px;
padding:20px 20px 20px 20px;
background-color: #F5F5FF;">
<table cellpadding="5">
<tr >
<td>Name</td>
<td> </td>
<td><input type="text" name="name"></td>
</tr>
<tr>
<td>Class</td>
<td> </td>
<td><input type="text" name="class"></td>
</tr>
<tr>
<td> </td>
<td> </td>
<td><input type="submit" name="submit" value="Submit"></td>
</tr>
</table>
</form>
<div style="border: 1px solid #000000;
width :230px; margin-top:
50px;margin-left: 70px;
padding:20px 20px 20px 20px ;
background-color: #F5F5FF;">
<?php
$host = "localhost";
$user = "root";
$password = "root";
$database = "komal";
$connection = mysql_connect($host,$user,$password)
or die("Could not connect: ".mysql_error());
$connection1 = mysql_connect($host,$user,$password)
or die("Could not connect: ".mysql_error());
mysql_select_db($database,$connection)
or die("Error in selecting the database:".mysql_error());
if (isset($_POST['name'])) {
$name=$_POST["name"];
$class=$_POST["class"];
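// Vulnerable: $name and $class come straight from $_POST and are
// concatenated into the SQL text, so input can change the statement itself.
$sql="insert into stu(name,class)
values('".$name."',".$class.")";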
mysql_query($sql,$connection)
or exit("Sql Error".mysql_error());
mysql_close($connection);
}
$sql="Select * from stu";
$sql_result=mysql_query($sql,$connection1)
or exit("Sql Error".mysql_error());
$sql_num=mysql_num_rows($sql_result);
echo "<table width=\"100%\">";
echo "<tr>";
echo "<td ><b>Id</b></td><td><b>Name</b></td>
<td><b>Class</b></td>";
echo "</tr>";
while($sql_row=mysql_fetch_array($sql_result))
{
$id=$sql_row["id"];
$name=$sql_row["name"];
$class=$sql_row["class"];
echo "<tr><td>".$id."</td>";
// Escape stored text before printing it into the HTML page
echo "<td>".htmlspecialchars($name, ENT_QUOTES)."</td>";
echo "<td>".$class."</td></tr>";
}
echo "</table>";
mysql_close($connection1);
?>
</div>
</body>
</html>
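For comparison with the concatenated query in Insert.php, here is a hardened insert using validation and bound parameters. This is an added example, not code from the original tutorial: the helper name insert_student is hypothetical, the sample submissions are constructed, and an in-memory SQLite database accessed through PDO stands in for the MySQL table 'stu' so the script runs without a server.

```php
<?php
// Added example, not the tutorial's code. SQLite in memory stands in for the
// MySQL table `stu` so the script runs without a server (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE stu (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    name VARCHAR(10),
    class INTEGER DEFAULT 12)");

// Hypothetical helper: validate first, then insert with bound parameters.
function insert_student(PDO $pdo, $name, $class)
{
    // `name` is varbinary(10) in the tutorial's schema: enforce the limit here.
    if (!is_string($name) || $name === '' || strlen($name) > 10) {
        return false;
    }
    // `class` is an int column: accept only a well-formed integer.
    $classInt = filter_var($class, FILTER_VALIDATE_INT);
    if ($classInt === false) {
        return false;
    }
    // Placeholders keep the statement text fixed; values travel separately.
    $stmt = $pdo->prepare('INSERT INTO stu (name, class) VALUES (:name, :class)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':class', $classInt, PDO::PARAM_INT);
    return $stmt->execute();
}

// Constructed sample submissions, shaped like the form's $_POST fields.
$samples = [
    ['name' => 'Komal',  'class' => '12'],         // ordinary input
    ['name' => "O'Neil", 'class' => '11'],         // quote is stored as data
    ['name' => 'x',      'class' => '12 OR 1=1'],  // not an integer: rejected
];
foreach ($samples as $s) {
    $ok = insert_student($pdo, $s['name'], $s['class']);
    echo ($ok ? 'stored  ' : 'rejected') . ' ' . json_encode($s) . PHP_EOL;
}

// Escape on output as well, since the page prints rows back into HTML.
foreach ($pdo->query('SELECT id, name, class FROM stu') as $row) {
    echo $row['id'] . ' ' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8')
        . ' ' . $row['class'] . PHP_EOL;
}
```

To run the same helper against MySQL, only the PDO connection string and credentials change; the prepared statement and the validation stay as written.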