
I have a login form and I'm confused why my SQL injection parameters don't work here. I don't have any function or method for preventing SQL injection.

I made this login form for the testing of SQL injection and it's written in PHP. Here is my code.

<?php
    include("myconnection.php");   // provides $db, the mysqli connection

    $error="";
    if(isset($_POST["submit"]))
    {
        if($_POST["username"] == '' || $_POST["password"]== '')
        {
            $error='Please fill the blanks!';

        }else
        {

            $username=$_POST['username'];
            $password=$_POST['password'];

            // Deliberately injectable: user input is concatenated straight into the SQL string
            $sql="SELECT * FROM users WHERE username='$username' AND password='$password'";
            $result=mysqli_query($db,$sql);
            $row=mysqli_fetch_array($result,MYSQLI_ASSOC);

            // Login only succeeds when the query returns exactly one row
            if(mysqli_num_rows($result)==1)
            {
                $login_user=$username;
                header("location: myhome.php");
                exit;   // stop here so nothing else is sent after the redirect

            }
            else
            {

            //$error="Incorrect Username/Password";
              $message="Incorrect Credentials";
              echo "<script type=\"text/javascript\">alert('$message');</script>";

            }

        }
    }

?>

I tried admin'OR'1'='1 in both username and password fields and any other possible basic injections, but it doesn't work. I tried using the basic SQL injection on most working sites and it works; I'm just confused why my code doesn't accept SQL injections.

And it gives me the same echo as when you have incorrect credentials.

Can you have it echo back the generated SQL as well? You should be able to manually run it and see the expected results. – jrasm91 May 19 '18 at 02:19

My guess is that `if(mysqli_num_rows($result)==1)` is returning false, as `1=1` is resulting in **all** rows being returned, and not just 1. – Sean May 19 '18 at 02:51

1 Answer

I hope this is done for academic purposes, as I have no idea why you would ever want to have this in any production website. That being said, it is probably because of the AND needing to also be true for the query to return any results. Whereas if you had submitted admin'OR'1'='1 in the username field your query would look like

SELECT * FROM users WHERE username='admin'OR'1'='1' AND password='123'

That reads to me as WHERE username equals admin OR 1 equals 1 AND password equals 123. You would probably need to figure out how to also bypass that check, as it will still try to match the password field, and vice versa the username field.

Seems odd to say, but if you wanted to inject something, maybe this would work in the username field: injection' OR 1 LIMIT 1# Which would make something like this

SELECT * FROM users WHERE username = 'injection' OR 1 LIMIT 1#' AND password = 'pass'

Essentially you are already injecting SQL, you are just not doing it in such a way that is yielding the results you want. Try echoing the query and running it directly in the MySQL CLI to see what the result set is and if it is a valid query. Maybe play around with the query there to try and obtain your intended injection.
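The row-count point made in the answer and in Sean's comment can be reproduced offline. The following is an added example, not code from the question or the answer: it rebuilds the page's `$sql` string in Python, runs it against a constructed three-user table in an in-memory SQLite database standing in for MySQL (the one dialect difference that matters here is the comment marker, `--` instead of MySQL's `#`), and counts the rows exactly as the PHP `mysqli_num_rows($result)==1` check does. The table contents, the `vulnerable_login`/`safe_login` helper names and the `admin' -- ` payload are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the page's `users` table (SQLite, in memory)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("alice", "hunter2"), ("bob", "letmein")],
    )
    return db


def vulnerable_query(username, password):
    """Builds the same string the PHP page builds in $sql: raw concatenation."""
    return f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"


def vulnerable_login(db, username, password):
    """Mirrors the PHP logic: run the concatenated query, succeed only on exactly one row.

    Returns (sql, row_count, logged_in) so the generated SQL can be inspected,
    which is what the comments on the question suggest doing.
    """
    sql = vulnerable_query(username, password)
    rows = db.execute(sql).fetchall()
    return sql, len(rows), len(rows) == 1


def precedence_check(db):
    """Shows why admin'OR'1'='1 in both fields matches everyone: AND binds tighter than OR,
    so the trailing OR '1'='1' is true for every row regardless of the password clause."""
    explicit = ("SELECT * FROM users WHERE username='admin' "
                "OR ('1'='1' AND password='admin') OR '1'='1'")
    return len(db.execute(explicit).fetchall())


def safe_login(db, username, password):
    """Hardened form: a parameterised query, so the input is data and never becomes SQL."""
    rows = db.execute(
        "SELECT * FROM users WHERE username=? AND password=?", (username, password)
    ).fetchall()
    return len(rows) == 1


if __name__ == "__main__":
    db = make_db()
    payloads = [
        ("admin'OR'1'='1", "admin'OR'1'='1"),        # the question's payload: every row matches
        ("x' OR 1=1 LIMIT 1 -- ", "anything"),       # the answer's idea, with SQLite's comment marker
        ("admin' -- ", "wrong"),                     # assumed payload: comment out the password clause
    ]
    for u, p in payloads:
        sql, n, ok = vulnerable_login(db, u, p)
        print(f"{n} row(s), login={'yes' if ok else 'no'}: {sql}")
    print("parenthesised equivalent of payload 1 matches", precedence_check(db), "rows")
    print("parameterised query with payload 2 logs in:", safe_login(db, *payloads[1]))
```

Running it shows that the first payload returns all three rows, so the `==1` check fails even though the injection itself worked, while a payload that either limits the result or comments out the password clause returns exactly one row and passes. The parameterised version returns zero rows for every payload.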