This page describes my experiments with SQL injection: the database setup, the server-side code (I used PHP) and the SQL injection itself.
The code used for the demonstration takes an e-mail address as input, looks for that e-mail address in a database and outputs the corresponding password.
Of course passwords should not be stored or sent as clear text in any for-real-use application.
The database is pretty simple as this is mostly to try out SQL injection.
There is only one table:
In PHP the e-mail address is taken as input and an SQL query is built from it, something like:
$sql = "SELECT Password FROM databaseName.Users WHERE Email=\"$email\"";
$result = $conn->query($sql);
As long as $email="TestBruger1@test.dk" everything is fine.
The e-mail is found in the database and the password is returned.
If the email address is something else like firstname.lastname@example.org it also works as expected.
The e-mail is not found in the database.
But... if the e-mail is set to something" OR "1=1
then the SQL looks like this: SELECT Password FROM h_christensen_dk_db_webstore.Users WHERE Email="something" OR "1=1"
and since the injected OR "1=1" condition is always true, all passwords in the database will be returned.
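The same lookup written as a prepared statement, added here as an example (it is not the page's original code): the user input is bound as data instead of being pasted into the query text, so the " OR "1=1 trick above is compared against the Email column as a plain string. The table and column names follow the page; the connection credentials and the function name lookupPassword are assumptions.

```php
<?php
// Added example, not the original code from this page.
// Connection details are placeholders; replace them with your own.
$conn = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'databaseName');
if ($conn->connect_error) {
    die('Connection failed: ' . $conn->connect_error);
}

/**
 * Look up the stored password for one e-mail address.
 * Returns the password string, or null when the e-mail is not in the table.
 */
function lookupPassword(mysqli $conn, string $email): ?string
{
    // The "?" placeholder is sent to the server separately from the data,
    // so whatever $email contains is never parsed as part of the SQL.
    $stmt = $conn->prepare('SELECT Password FROM Users WHERE Email = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('s', $email);   // 's' = bind the value as a string
    $stmt->execute();
    $stmt->bind_result($password);

    $found = $stmt->fetch();          // true when a row matched, null when none did
    $stmt->close();
    return $found ? $password : null;
}

// A normal lookup, same input as in the text above.
$password = lookupPassword($conn, 'TestBruger1@test.dk');

// The injection string from the text is now just an e-mail address that does
// not exist in the table: the WHERE clause stays "Email = <that whole string>".
$injected = lookupPassword($conn, 'something" OR "1=1');

$conn->close();
```

The same applies to every other place the application builds SQL from user input; escaping by hand is easy to get wrong, binding parameters is not.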