Introduction

This page describes my experiments with SQL injection: the database setup, the server-side code (I used PHP) and the SQL injection itself.
The demonstration code takes an e-mail address as input, looks for that address in a database and then outputs the corresponding password.
Of course passwords should not be stored or sent as clear text in any real application.

Database

The database is pretty simple, as this is mostly to try out SQL injection.
There is only one table, Users, with the columns Email and Password used by the query below.
(The screenshot of the table is not available.)

PHP code

In PHP the e-mail address is the input and the SQL query is built from it, something like:
// Fixed value here; in the real script $email comes from user input.
$email = "TestBruger1@test.dk";
// The e-mail is concatenated straight into the SQL text (this is the injection point).
$sql = "SELECT Password FROM databaseName.Users WHERE Email=\"$email\"";
$result = $conn->query($sql);   // $conn is the mysqli connection

SQL injection

As long as $email = "TestBruger1@test.dk" everything is fine:
the e-mail is found in the database and the password is returned.

If the e-mail address is something else, like test@test.dk, it also works as expected:
the e-mail is not found in the database.

But... if the e-mail is set to something" OR "1=1
then the SQL looks like this:
SELECT Password FROM h_christensen_dk_db_webstore.Users WHERE Email="something" OR "1=1"
and since 1=1 is always true all passwords in the database will be returned.
(Strictly, with MySQL's default settings "1=1" is a string literal, which MySQL converts to the number 1 when evaluated in the WHERE clause; the effect is the same as a condition that is always true.)
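The same concatenated query beside a prepared-statement version, as an added example that is not the page's own code. It runs against an in-memory SQLite database through PDO so it works offline, and assumes the pdo_sqlite extension is available and that the SQLite build accepts double-quoted string literals (the default), which is what makes the page's payload behave as it does in MySQL.

```php
<?php
// Added example: vulnerable string-built query next to a prepared statement.
// Assumes pdo_sqlite and an SQLite build that treats "..." as a string literal.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE Users (Email TEXT, Password TEXT)');
// Constructed sample rows; real applications must never store clear-text passwords.
$conn->exec("INSERT INTO Users VALUES ('TestBruger1@test.dk', 'pw-one'),
                                      ('TestBruger2@test.dk', 'pw-two')");

// Vulnerable: the e-mail is pasted into the SQL text, exactly as on the page.
function passwordsUnsafe(PDO $conn, string $email): array {
    $sql = "SELECT Password FROM Users WHERE Email=\"$email\"";
    return $conn->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: a bound parameter is sent as data, so quotes in it cannot change the query.
function passwordsSafe(PDO $conn, string $email): array {
    $stmt = $conn->prepare('SELECT Password FROM Users WHERE Email = ?');
    $stmt->execute([$email]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$payload = 'something" OR "1=1';   // the page's injection string
foreach (['TestBruger1@test.dk', 'test@test.dk', $payload] as $input) {
    printf("%-22s unsafe=%s  safe=%s\n", $input,
        json_encode(passwordsUnsafe($conn, $input)),
        json_encode(passwordsSafe($conn, $input)));
}
```

For the first two inputs both functions agree; for the payload the unsafe version returns every password while the prepared statement returns nothing, because the whole string is compared against the Email column as data.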

Code and Execution

Links