This page describes my experiments with SQL injection: the database setup, the server-side code (I used PHP) and the SQL injection itself.
The code used for the demonstration takes an e-mail address as input, looks for that address in a database and then outputs the corresponding password.
Of course, passwords should never be stored or sent in clear text in any real application.


The database is kept simple, since the point is mostly to try out SQL injection.
There is only one table, Users.


PHP code

In PHP the e-mail address is taken as input and the SQL query is built and run, something like:
$sql = "SELECT Password FROM databaseName.Users WHERE Email=\"$email\"";
$result = $conn->query($sql);

SQL injection

As long as $email="" everything is fine:
the e-mail is found in the database and the password is returned.

If the e-mail address is something else, like , it also works as expected:
the e-mail is simply not found in the database.

But... if the e-mail is set to something" OR "1=1
then the SQL looks like this:
SELECT Password FROM h_christensen_dk_db_webstore.Users WHERE Email="something" OR "1=1"
and since 1=1 is always true (strictly, MySQL evaluates the string "1=1" as the number 1, which is true), every password in the table is returned.
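The fix is to stop building the SQL text from user input. The following is an added example, not the page author's code: it puts the vulnerable lookup from above next to a prepared-statement version using mysqli, so the injected input from the page is bound as a plain string value and never becomes part of the query. The connection details, the "databaseName" schema name and the Users(Email, Password) columns are assumed from the page.

```php
<?php
// Added example, not the page's own code. Assumes a mysqli connection and the
// Users(Email, Password) table described on the page; "databaseName" is the
// placeholder schema name the page uses.
declare(strict_types=1);

// Vulnerable form (the page's approach): the e-mail is interpolated into the
// SQL text, so the input   something" OR "1=1   turns the WHERE clause into
// Email="something" OR "1=1", which matches every row.
function lookupPasswordVulnerable(mysqli $conn, string $email): array
{
    $sql = "SELECT Password FROM databaseName.Users WHERE Email=\"$email\"";
    $result = $conn->query($sql);
    return $result->fetch_all(MYSQLI_ASSOC);   // all rows for the injected input
}

// Hardened form: a prepared statement sends the query text and the parameter
// separately, so whatever the user types is compared as a value, never parsed
// as SQL. The quote characters in the injected string have no special meaning.
function lookupPasswordSafe(mysqli $conn, string $email): array
{
    $stmt = $conn->prepare(
        'SELECT Password FROM databaseName.Users WHERE Email = ?'
    );
    $stmt->bind_param('s', $email);            // 's' = bind as a string
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;                              // [] for the injected input
}

// Defence in depth: reject input that is not shaped like an address before it
// reaches the database at all (the injected string fails this check).
function isPlausibleEmail(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

$injected = 'something" OR "1=1';          // the input from the page
var_dump(isPlausibleEmail($injected));     // bool(false)

// Connection parameters are assumed; adjust to the local setup.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli('localhost', 'user', 'pass', 'databaseName');
$conn->set_charset('utf8mb4');

// No row has the literal string  something" OR "1=1  as its e-mail, so the
// safe lookup returns an empty array instead of every password.
print_r(lookupPasswordSafe($conn, $injected));
```

The `?` placeholder and `bind_param` are what make the difference: the driver transmits the parameter out of band, so MySQL never re-parses the query around the user's quote characters. Escaping with real_escape_string would also close the hole in this particular case, but prepared statements are the default to reach for because they cannot be undone by a forgotten call.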

Code and Execution