I am trying to create an application in PHP using PDO that is deliberately vulnerable to SQL injection for educational purposes. The underlying database is Postgres.
With pdo->query I can demonstrate ' OR 1=1; -- style injections easily enough with something like:

$stmt = $pdo->query("SELECT amount FROM client.transactions WHERE clientid='". $id ."' ORDER BY amount DESC");

But if I try to piggyback a second statement with something like '; UPDATE client.transactions SET amount=50000000 WHERE id=1; -- it does not work, as the statement is sent as a prepared statement after $id is appended, and Postgres gives:

SQLSTATE[42601]: Syntax error: 7 ERROR: cannot insert multiple commands into a prepared statement

Ideally the code would be fairly natural, as I would like to share and compare with a version using pdo->prepare. What I guess I would need is something like mysqli::multi_query but that I could run on Postgres, or any way to execute an SQL query/statement that is not prepared.
Answer
I found a solution using pg_query rather than PDO.
// pg_query() sends the string to the server as-is, not as a prepared statement
$conn = pg_connect("host = ... port = ... dbname = ... user = ... password = ...");
$result = pg_query($conn, "SELECT amount FROM client.transactions WHERE clientid='". $id ."' ORDER BY amount DESC");
// the variable returned by pg_query() is the one handed to pg_fetch_assoc()
while ($row = pg_fetch_assoc($result)) {
    // ...
}
This is vulnerable to '; UPDATE client.transactions SET amount=50000000 WHERE id=1; -- style attacks.
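Since the question asks for something that can be shared and compared with a pdo->prepare version, here is an added example (not the asker's or the answerer's code) that puts the unparameterised pg_query() lookup from the answer in one harness with two parameterised versions of the same query: pg_query_params() from the same extension, and PDO prepare()/execute(). The connection details are placeholders, the schema is the one named on the page, and the sample input is constructed.

```php
<?php
// Added example, not code from the original question or answer.
// Connection values are placeholders; replace them with your own.
const PG_CONN = "host=localhost port=5432 dbname=demo user=demo password=CHANGEME";
const PDO_DSN = "pgsql:host=localhost;port=5432;dbname=demo";

// 1. Vulnerable (the answer's approach): the value is concatenated into the SQL and
//    pg_query() hands the whole string to the server unprepared, so anything the
//    input adds to the string, including a second statement, is executed as SQL.
function fetchAmountsVulnerable($conn, string $id): array
{
    $result = pg_query($conn,
        "SELECT amount FROM client.transactions WHERE clientid='" . $id . "' ORDER BY amount DESC");
    if ($result === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
    return pg_fetch_all($result) ?: [];
}

// 2. Hardened, same extension: pg_query_params() sends the query text and the
//    value separately, so $id is only ever a value and never parsed as SQL.
function fetchAmountsSafePg($conn, string $id): array
{
    $result = pg_query_params($conn,
        'SELECT amount FROM client.transactions WHERE clientid = $1 ORDER BY amount DESC',
        [$id]);
    if ($result === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
    return pg_fetch_all($result) ?: [];
}

// 3. Hardened, PDO: the prepare()/execute() version the question wants to compare against.
function fetchAmountsSafePdo(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare(
        'SELECT amount FROM client.transactions WHERE clientid = :id ORDER BY amount DESC');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample input: the request parameter exactly as it arrives, untrusted.
$id = $_GET['id'] ?? 'client-42';

$conn = pg_connect(PG_CONN);
if ($conn === false) {
    exit("pg_connect failed\n");
}
$pdo = new PDO(PDO_DSN, 'demo', 'CHANGEME', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Run the same input through all three variants so the difference is visible
// in one place: only the first one lets the input change what SQL is executed.
foreach (['vulnerable pg_query'   => fn() => fetchAmountsVulnerable($conn, $id),
          'pg_query_params'       => fn() => fetchAmountsSafePg($conn, $id),
          'PDO prepare/execute'   => fn() => fetchAmountsSafePdo($pdo, $id)] as $label => $run) {
    try {
        $rows = $run();
        printf("%-22s -> %d row(s)\n", $label, count($rows));
    } catch (Throwable $e) {
        // A parameterised variant given crafted input simply matches no rows or
        // raises a clean error; it never executes what the input contains.
        printf("%-22s -> error: %s\n", $label, $e->getMessage());
    }
}
```

For classroom use, give the page's own payloads to the `id` parameter and compare the three lines of output (and the table contents afterwards): the first variant is the one whose behaviour depends on the input, which is exactly the comparison the question is after. Wrapping the vulnerable variant in a transaction that is rolled back at the end of the lesson keeps the demo database reusable.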