0

I am trying out the SQL injection before I will add a prepared statement to it(which I am currently studying), I just want to test it out.

Login From

<form action="login_auth.php" method="post">
                <div class="form-group first">
                  <label for="username">Username</label>
                  <input type="text" class="form-control" placeholder="Username" id="username" name="username">
                </div>

                <div class="form-group last mb-3">
                  <label for="password">Password</label>
                  <input type="password" class="form-control" placeholder="Your Password" id="password" name="password">
                </div>
                

                <input type="submit" value="Log In" class="btn btn-block btn-primary" name="login">

              </form>

login_auth.php

<?php
session_start();
$connection=mysqli_connect("localhost","root","","upang_hub");
if (isset($_POST['login'])) {
    $username=$_POST['username'];
    $password=$_POST['password'];

     $sql_query = "SELECT * FROM tbl_account WHERE username = '$username' AND password = '$password' ";
     $result = mysqli_query($connection,$sql_query);

    $row=mysqli_fetch_array($result);

    if ($row['username'] == $username && $row['password'] == $password) {
        $_SESSION['username'] = $username;
        echo "<script>alert('Login Success!');document.location='user.php'</script>";
        
    }
    else{
         print_r($sql_query);
    }
}

?>

I cannot bypass this one, I tried using 'OR'1' = '1 in the username and password input. But it throws me the $sql_query which is located at else statement in login_auth.php SELECT * FROM tbl_account WHERE username = ''OR'1'='1' AND password = ''OR'1'='1'

then it should be result to true right since it's 1=1

Europa
  • 1
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Apr 21 '21 at 10:55

1 Answers1

1

The SQL injection is working, the query returns all rows in the table.

But then PHP checks the username and password against the first row that's fetched:

if ($row['username'] == $username && $row['password'] == $password)

Since the username and password won't match that, you don't get logged in.

SQL injection normally gets around username and password checking because the code assumes that if the query returns something, it must match what was entered in the form, so it doesn't do this extra check.

Barmar
  • 741,623
  • 53
  • 500
  • 612