PHP SQL Injection Example

Database is the main part of any application used to store the sensitive information like user credentials, financial information etc.

PHP SQL Injection Example

PHP SQL Injection Example

     

This Example illustrates how injection is used in the sql query.

Database is the main part of any application used to store the sensitive information like user credentials, financial information etc. SQL Injection is a technique to break the security of the database of the application. This is one of the most common technique used by hackers to steal the data from the database from the application layer. The name "SQL injection" itself indicates that it injects or manipulates SQL code by adding unexpected Sql string to a query. This can result into database manipulation in an unexpected way i.e. the application will run the Sql query that was not intended.

In the below source code, the first query is the normal query which has no problem in execution, as our MySQL statement will just select everything from "emp" table where name equal to "sandeep". In the next query, the ' ' OR 1 makes the sql not the same that we intended because it will always be true and each entry in the table would be selected by this statement.

 

 

Source Code of phpSqlInjection.php

<?php
  $name = "sandeep"
  $query = "SELECT * FROM emp WHERE name = '$name'";
  echo "Normal: " . $query . "<br>";

  $wrongName = "'OR 1'";
  $query1 = "SELECT * FROM emp WHERE name = '$wrongName'";
  echo "Injection: " . $query1 . "<br>";

  $name1 = "'; DELETE FROM emp WHERE 1 or name = '"
  $query2 = "SELECT * FROM emp WHERE name = '$name1'";
  echo "Injection: " . $query2;
?>

 

Output:

Download Source Code