Why isn't this test SQL injection returning all rows in the table?
I was trying to follow this example on a local webpage I run using WAMP.
Here is the code:
<!DOCTYPE html>
<head>
<title>Testing SQL injection</title>
</head>
<body>
<?php
$link = mysql_connect('localhost:3306', 'root', 'St@ck0verflow');
if(!$link)
die('Could not connect: ' . mysql_error());
if(!mysql_select_db('opentarget', $link)) // arguments are in reverse order compared to mysqli
die('Could not select database');
// a good user's name
$name = "Onetwo";
$query = "SELECT * FROM customers WHERE username = '$name'";
echo "Normal: " . $query . "<br />";
$result = mysql_query($query);
echo "Result: <pre>";
print_r(mysql_fetch_row($result));
echo "</pre><br /><br />";
// user input that uses SQL Injection
$name_bad = "' OR 1'";
// our MySQL query builder, however, not a very safe one
$query_bad = "SELECT * FROM customers WHERE username = '$name_bad'";
$result = mysql_query($query);
// display what the new query will look like, with injection
echo "Injection: " . $query_bad.'<br />Result: <pre>';
print_r(mysql_fetch_row($result));
echo '</pre>';
echo '<br />Any errors? '.mysql_errno($link) . ": " . mysql_error($link);
?>
</body>
</html>
The first query runs as expected but when I print the result of the second
one it is the same as the first. I thought it would print out all the
contents of the table? What exactly does OR 1 do?
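
Added example, not part of the original post: a Python/SQLite sketch (the post itself uses PHP and MySQL) that shows which part of the post's interpolated query is parsed as SQL code rather than as the username value, next to a lookup that uses a bound parameter. The names skeleton, changes_structure, make_db and lookup_bound are hypothetical, and the table rows are constructed sample data.

```python
import sqlite3

# Same query shape as the page's PHP string (assumed table/column names from the post).
TEMPLATE = "SELECT * FROM customers WHERE username = '{}'"

def build_query(name):
    """Interpolate input into the SQL text, as the page's PHP does."""
    return TEMPLATE.format(name)

def skeleton(sql):
    """Replace each single-quoted literal with ?, leaving only what parses as SQL code."""
    out, i, in_lit = [], 0, False
    while i < len(sql):
        ch = sql[i]
        if not in_lit:
            if ch == "'":
                in_lit = True
                out.append("?")
            else:
                out.append(ch)
        elif ch == "'":
            if sql[i + 1:i + 2] == "'":  # '' is an escaped quote inside a literal
                i += 1
            else:
                in_lit = False
        i += 1
    return "".join(out)

def changes_structure(name):
    """True when the input escapes its literal and alters the statement itself."""
    return skeleton(build_query(name)) != skeleton(build_query("x"))

def make_db():
    """In-memory stand-in for the customers table (rows are constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO customers (username) VALUES (?)",
                     [("Onetwo",), ("Threefour",), ("O'Brien",)])
    return conn

def lookup_bound(conn, name):
    """Bound parameter: the value never becomes part of the SQL text."""
    cur = conn.execute("SELECT * FROM customers WHERE username = ?", (name,))
    return cur.fetchall()

if __name__ == "__main__":
    conn = make_db()
    for name in ("Onetwo", "' OR 1'", "O'Brien"):
        print(repr(name), "|", skeleton(build_query(name)),
              "| bound rows:", lookup_bound(conn, name))
```

In the printed skeletons, anything outside the ? placeholders is text the database parses as SQL, so the ` OR 1` from the second input becomes an extra condition instead of part of the username. The bound lookup treats the same input, and a legitimate name containing an apostrophe, purely as a value.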