Hello. I'm trying to understand and learn SQL injection, so I made my own website with a login page and tried a simple SQL injection (' OR 'x'='x in the password box). But it didn't work. I did some digging and found out that the password value which the script received from $_POST had a \ added (\' OR \'x\'=\'x)
if($_SERVER["REQUEST_METHOD"] == "POST")
{
    // username and password sent from Form (form field names assumed)
    $myusername = $_POST['username'];
    $mypassword = $_POST['password'];
    $sql="SELECT id FROM Users WHERE user='$myusername' and pass='$mypassword'";
    // If result matched $myusername and $mypassword, table row must be 1 row
    $error="Your Login Name or Password is invalid";
}
I cannot understand where the '\' comes from??? :angry:
Posted on 18-08-11 19:34
Well, magic quotes has been deprecated since 5.3.0, so I would hope that means it's disabled by default. I'm guessing you're not running this on your own machine, so you could check phpinfo() for the setting "magic_quotes_gpc" to confirm whether this is the problem.
As for a solution, you could simply run stripslashes() on your input. Or you could change the value of magic_quotes_gpc with ini_set().
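An added example, not code from either poster: it reproduces the backslashes the question describes by applying addslashes() (the escaping magic_quotes_gpc performed on request data), then runs the thread's query shape once with string concatenation and once with bound parameters. The in-memory SQLite database, the 'alice' row and the function names are constructed for the demonstration; the Users table and its columns follow the query in the post.

```php
<?php
// Added example. Requires the pdo_sqlite extension; runs fully offline.
// The account row is constructed sample data. Plaintext password comparison
// mirrors the query in the post; real code stores password_hash() output
// and checks it with password_verify().
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE Users (id INTEGER PRIMARY KEY, user TEXT, pass TEXT)");
$db->exec("INSERT INTO Users (user, pass) VALUES ('alice', 'correct-horse')");

$payload = "' OR 'x'='x";   // the value typed into the password box

// 1. magic_quotes_gpc applied addslashes() to every GET/POST/COOKIE value,
//    which is where the backslashes seen in $_POST came from.
$quoted = addslashes($payload);
echo "magic-quoted : $quoted\n";
echo "stripslashes : " . stripslashes($quoted) . "\n";

// 2. The string-built query from the post, given the unescaped value.
//    The quote in the input closes the SQL string and the rest is parsed as SQL.
function loginConcat(PDO $db, string $user, string $pass): int
{
    $sql = "SELECT id FROM Users WHERE user='$user' and pass='$pass'";
    return count($db->query($sql)->fetchAll());
}

// 3. The same lookup with bound parameters: the input is sent as data and
//    never becomes SQL text, whether or not magic quotes is enabled.
function loginPrepared(PDO $db, string $user, string $pass): int
{
    $stmt = $db->prepare("SELECT id FROM Users WHERE user = ? AND pass = ?");
    $stmt->execute([$user, $pass]);
    return count($stmt->fetchAll());
}

echo "concat, payload   : " . loginConcat($db, 'alice', $payload) . " row(s)\n";
echo "prepared, payload : " . loginPrepared($db, 'alice', $payload) . " row(s)\n";
echo "prepared, real pw : " . loginPrepared($db, 'alice', 'correct-horse') . " row(s)\n";
```

The concatenated query matches a row for the payload while the prepared statement matches only the real password, which is why parameter binding, not magic quotes or manual slash handling, is the fix for the login query.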