If I take some input from a user in $_POST and json_encode it and put it in the query, is this prone to SQL injection? Does this input need to be escaped? In my tests, I couldn’t run any queries with input like but I’m not even remotely good at this. PS – This is a test for learning. I’m
Tag: sql-injection
Prevent SQL injection attack in PHP
I would like to prevent SQL attacks on this piece of PHP code (this is just a practice exercise in class). This can easily be exploited by setting @mail equal to something like '); DROP TABLE PURCHASE;…
How To Extract Information On Login using SQL Injection?
This is the back-end PHP code where I will test the vulnerability. This is the code I will inject into the login field. It seems I am able to log in, but what should I do to have the passwords displayed in an error message or anywhere on the web page once the injection is made? Like what query you guys
What’s the meaning of 'admin' OR 1=1 -- '
The following query returns all the passwords in the table tbl_user, but I can not understand why this is happening. Please help me to understand this part of the query: 'admin' OR 1=1 -- ' Can you introduce other threats like this (website, book, etc)?
Answer
This is a classic SQL injection. See this fiddle while I explain it: SQLfiddle
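The mechanics behind this question, and behind the json_encode question at the top of the page, worked through as an added example (not code from either question or its answer). The questions use PHP and MySQL; this stand-alone version uses Python's sqlite3 with a constructed tbl_user table, and json.dumps stands in for PHP's json_encode, which it resembles in the one respect that matters here: both escape backslashes and double quotes but leave the single quote untouched. The payload keeps the space after -- because MySQL only treats -- as a comment when whitespace follows it.

```python
import json
import sqlite3


def make_db():
    """Constructed stand-in for the question's tbl_user table (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl_user (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO tbl_user VALUES (?, ?)",
        [("admin", "s3cret"), ("alice", "hunter2"), ("bob", "letmein")],
    )
    return conn


def build_query(username, json_encode=False):
    """Build the login query by string concatenation, as the PHP in the
    questions does.  With json_encode=True the value is first passed through
    json.dumps, used here as an analogue of PHP's json_encode: both escape
    backslashes and double quotes but leave the single quote alone."""
    value = json.dumps(username) if json_encode else username
    return "SELECT username, password FROM tbl_user WHERE username = '" + value + "'"


def vulnerable_login(conn, username, json_encode=False):
    """Run the concatenated query; returns whatever rows the injected SQL selects."""
    return conn.execute(build_query(username, json_encode)).fetchall()


def safe_login(conn, username):
    """Parameterised query: the driver sends the value separately from the SQL
    text, so the input is never parsed as SQL, whatever quotes it contains."""
    sql = "SELECT username, password FROM tbl_user WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "admin' OR 1=1 -- '"
    print(build_query(payload))
    # The payload's first quote closes the literal, OR 1=1 is true for every
    # row, and "-- " comments out the dangling quote: every password comes back.
    print(vulnerable_login(conn, payload))
    # json_encode does not help: the single quote still terminates the literal.
    print(vulnerable_login(conn, payload, json_encode=True))
    # A double-quote payload is neutralised by json_encode's escaping ...
    print(vulnerable_login(conn, 'admin" OR 1=1 -- "', json_encode=True))
    # ... while the parameterised query is unaffected by either payload.
    print(safe_login(conn, payload))
```

The concatenated query becomes `SELECT username, password FROM tbl_user WHERE username = 'admin' OR 1=1 -- ''`: the quote in the payload ends the string literal early, `OR 1=1` makes the WHERE clause true for every row, and the comment swallows the quote the PHP code appends. Escaping is the wrong tool; in PHP the equivalent of safe_login is a prepared statement with bound parameters in PDO or mysqli.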
Sanitize $_SERVER[‘HTTP_USER_AGENT’] & $_SERVER[‘HTTP_REFERER’] before saving to DB?
I have a feedback form which will take a couple of user inputted fields along with a few fields generated by PHP functions like ‘user-agent’ and ‘referer.’ My question is should these strings be sanitized before being inputted? I realize one could easily alter the user-agent and the referring page, but could it be possible for a visitor to add
Blind SQL Injection using acunetix
I’m using acunetix to test my website. The problem is with this script http://boedesign.com/blog/2007/02/18/ajax-star-rating/ acunetix doesn’t show any message, but when I test for blind SQL I can get values like in the rating_id mysql column, I want to only allow numbers in there, so I made a little fix but since the first number is 8 it’s passing through
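The failure mode this question describes, a numeric check that only looks at the leading digits, shown beside a strict one, as an added example that is not the star-rating script's code. The script is PHP against MySQL; this stand-alone version uses Python's sqlite3 with a constructed rating table whose column and row values are assumptions. In a numeric context no quote is needed to inject, so a prefix check that lets "8 OR 1=1" through defeats the whole fix.

```python
import re
import sqlite3


def make_ratings_db():
    """Constructed stand-in for the rating table behind the star-rating script."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rating (rating_id INTEGER, stars INTEGER)")
    conn.executemany("INSERT INTO rating VALUES (?, ?)", [(8, 4), (9, 5), (10, 2)])
    return conn


def loose_is_number(value):
    """A check that only inspects the start of the string.  This is the
    behaviour the questioner describes: '8 OR 1=1' starts with 8, so it
    passes.  PHP's integer cast has the same blind spot: (int)"8 OR 1=1" is 8."""
    return re.match(r"[0-9]+", value) is not None


def strict_rating_id(value):
    r"""Accept only a whole string of ASCII digits and return it as int.
    \d or str.isdigit() would also accept other Unicode digits, so the
    character class is spelled out."""
    if re.fullmatch(r"[0-9]+", value) is None:
        raise ValueError("rating_id must be a non-negative integer")
    return int(value)


def vulnerable_lookup(conn, rating_id):
    """Numeric context: no quotes are needed to inject, only a space."""
    if not loose_is_number(rating_id):
        return []
    sql = "SELECT rating_id, stars FROM rating WHERE rating_id = " + rating_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn, rating_id):
    """Validate, convert to int, and still bind it as a parameter."""
    rid = strict_rating_id(rating_id)
    sql = "SELECT rating_id, stars FROM rating WHERE rating_id = ?"
    return conn.execute(sql, (rid,)).fetchall()


if __name__ == "__main__":
    conn = make_ratings_db()
    print(vulnerable_lookup(conn, "8"))            # the one expected row
    print(vulnerable_lookup(conn, "8 OR 1=1"))     # every row: the loose check passed it
    # A blind probe: the two answers differ, which is all a scanner needs.
    print(vulnerable_lookup(conn, "8 AND 1=1"), vulnerable_lookup(conn, "8 AND 1=2"))
    print(safe_lookup(conn, "8"))
    for bad in ("8 OR 1=1", " 8", "8.0", "\u0668"):  # the last is an Arabic-Indic 8
        try:
            safe_lookup(conn, bad)
        except ValueError as exc:
            print(repr(bad), "rejected:", exc)
```

The "8 AND 1=1" versus "8 AND 1=2" pair is the shape of a blind test: the page's content changes with the truth of the injected condition even though no error is shown, which is how a scanner extracts values one comparison at a time. In PHP, the strict check corresponds to ctype_digit() or filter_var($id, FILTER_VALIDATE_INT), followed by binding the integer as a prepared-statement parameter rather than concatenating it.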