Follow us on Twitter!
Society leans ever heavily on computers, if you have the power to take out computers you can take out society. - cubeman372
Thursday, April 24, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 27
Guests Online: 23
Members Online: 4

Registered Members: 82894
Newest Member: Ricardox
Latest Articles
View Thread

HellBound Hackers | Computer General | Web hacking

Author

simple SQL injection not working...


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 18-08-11 12:19
Hello. I'm trying to understand and learn sql injection so i made my own website with login page and tried simple sql injection (' OR 'x'='x in password box). But it didn't worked. I did some digging and found out that password value wich script recieved from $_POST was with \ (\' OR \'x\'=\'x)
Code

if($_SERVER["REQUEST_METHOD"] == "POST")
{
// username and password sent from Form
$myusername=$_POST['username'];
$mypassword=$_POST['password'];
echo $mypassword;
$sql="SELECT id FROM Users WHERE user='$myusername' and pass='$mypassword'";
$result=mysql_query($sql);
$row=mysql_fetch_array($result);
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1)
{
session_register("myusername");
$_SESSION['login_user']=$myusername;
header("location: welcome.php");
}
else
{
$error="Your Login Name or Password is invalid";
echo $error;
}
}



I cannot understand from where does '\' come??? :angry:

Edited by on 18-08-11 12:20
Author

RE: simple SQL injection not working...

starofale
Member



Posts: 218
Location: England
Joined: 05.12.07
Rank:
Moderate
Posted on 18-08-11 18:28
Magic Quotes could be causing this.


Try a new search engine

Edited by starofale on 18-08-11 18:29
Author

RE: simple SQL injection not working...


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 18-08-11 19:20
Version of php is 5.3.5 so i guess it is magic quotes... Is there any way to bypass it?
Author

RE: simple SQL injection not working...

starofale
Member



Posts: 218
Location: England
Joined: 05.12.07
Rank:
Moderate
Posted on 18-08-11 19:34
Well, magic quotes has been deprecated since 5.3.0, so I would hope that means it's disabled by default. I'm guessing you're not running this on your own machine, so you could check phpinfo() for the setting "magic_quotes_gpc" to confirm whether this is the problem.

As for a solution, you could simply run stripslashes() on your input. Or you could change the value of magic_quotes_gpc with ini_set().


Try a new search engine

Edited by starofale on 18-08-11 19:41