Sql-Injection-Proof-of-Concept

Aus xinux.net
Version vom 7. Oktober 2020, 16:43 Uhr von Thomas.will (Diskussion | Beiträge) (Die Seite wurde neu angelegt: „=Unsichere Methode= <pre> <?php if(isset($_POST['submit'])){ //connect db include "inc/connect.php"; //unsafe query $search = $_POST['search'…“)
(Unterschied) ← Nächstältere Version | Aktuelle Version (Unterschied) | Nächstjüngere Version → (Unterschied)
Zur Navigation springen Zur Suche springen

Unsichere Methode

<?php
  if(isset($_POST['submit'])){
    //connect db
    include "inc/connect.php";
    //unsafe query
    $search = $_POST['search'];
    //safe query
    #$search = mysqli_real_escape_string($link, $_POST['search']);
    //Database search
    $sql = "SELECT * FROM users WHERE username='$search'";
    $result = mysqli_query($link, $sql);
  }
?>

<!DOCTYPE html>
<html>
        <body>
                <h2>SQL Injection</h2>
                <form method="post">
                  <label for="fname">Suche</label><br>
                  <input type="text" name="search"><br>
                  <input type="submit" name="submit" value="Suche">
                </form> 
                <br>
                <table border = "1">
                        <tr>
                                <td>ID</td>
                                <td>Name</td>
                                <td>Passwort</td>
                        </tr>
<?php
  while ($row = mysqli_fetch_row($result)) {
    echo "<tr>";
    echo "<td>".$row[0]." </td>";
    echo "<td>".$row[1]." </td>";
    echo "<td>".$row[2]." </td><br>";
    echo "</tr>";
  }
?>
                </table>
        </body>
</html>
Abgerufen von „https://xinux.net/index.php?title=Sql-Injection-Proof-of-Concept&oldid=21500