
I'm trying to understand how SQL injections fully work in order to feed this information back to some of my students. I have created a simple webpage with a small SQL database attached and would like my students to attempt to "break into" the site and get the token on the welcome page.

However, the resource I used (w3schools) to create the login page only showed me a secure webpage, and I'm not sure how to unravel it to make the login page susceptible to an SQL injection.

So far, the code I have for the webpage is below (stripped to only the essential part of the HTML!)

<?php
   include("conf.php");   // sets up $db, the mysqli connection
   session_start();
   
   if($_SERVER["REQUEST_METHOD"] == "POST") {
     
      $myusername = mysqli_real_escape_string($db,$_POST['username']);  //get username and password from form
      $mypassword = mysqli_real_escape_string($db,$_POST['password']); 
      
      $sql = "SELECT * FROM admin WHERE username = '$myusername' and password = '$mypassword'";  //sql query - IF username AND password match what is in the database 
      $result = mysqli_query($db,$sql);
     
      $count = mysqli_num_rows($result); //return the number of results - there should only be one!
       
      if($count == 1) {  //if there was 1 result, load the welcome page
         $row = mysqli_fetch_array($result,MYSQLI_ASSOC);  //only read the row once we know there is one
         $active = $row['active']; 
         $_SESSION['username'] = $myusername;
         
         header("location: welcome.php");
         exit;  //stop here, otherwise the form below is still sent after the redirect
      }else {  //otherwise show an error
         $error = "Your Login Name or Password is invalid";
      }
   }
?>

<html>
   <body>
      <center>
         <?php if (!empty($error)) { echo "<p>" . htmlspecialchars($error) . "</p>"; } ?>
         <form action = "" method = "post">
            <label>UserName  :</label><input type = "text" name = "username" class = "box"/><br /><br />
            <label>Password  :</label><input type = "password" name = "password" class = "box" /><br/><br />
            <input type = "submit" value = " Submit "/><br />
         </form> 
      </center>  
   </body>
</html>

I've attempted to change the line:

$myusername = mysqli_real_escape_string($db,$_POST['username']);

to

$myusername = $_POST['username'];

as I assumed that it was being escaped (mysqli_real_escape_string) and preventing any extra characters from being entered into the text box - is that correct?

But that didn't do anything. Any help would be appreciated.

nyep
    Are you sure? `mysqli_real_escape_string` still isn't foolproof. Try some simple SQL injection hacks – aynber May 31 '17 at 18:20
  • **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard May 31 '17 at 18:21
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard May 31 '17 at 18:21
  • Your code, as it stands now, is already insecure. Read all of the associated links in the comments to find out more. – Jay Blanchard May 31 '17 at 18:22
  • What do you mean by "that didn't do anything"? What kind of username and password inputs did you try? – Hans-Martin Mosner May 31 '17 at 18:25
  • @JayBlanchard note that the question asks exactly the opposite - how a page can be made susceptible to SQL injections for educational purposes. This is something completely different than what the "duplicate" question asked. – Hans-Martin Mosner May 31 '17 at 18:54
  • The duplicates point out the path to fixing problems where others have left their code susceptible @Hans-MartinMosner. All the OP needs to do is look at the examples people are correcting and read about how injection occurs in order to make his code *more* susceptible than it already is. – Jay Blanchard May 31 '17 at 18:56
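The login query from the question, simulated so it can be run without a web server. This is an added example, not the asker's code or a posted answer. Assumptions: SQLite stands in for MySQL; the `admin` table holds two constructed rows with plain-text passwords, mirroring the question's schema; and quote-doubling stands in for `mysqli_real_escape_string` (MySQL backslash-escapes the quote, SQLite doubles it, and both keep the quote inside the string literal, which is all that matters here). It goes slightly beyond the question in two places: it shows what the question's `$count == 1` check does to the classic `' OR '1'='1` payload when the table has more than one row, and it shows the case the comments' "escaping is not safe" link refers to, a numeric column compared without quotes, where escaping changes nothing.

```python
"""The question's login query, three ways: raw interpolation (escaping removed),
escaped interpolation (what the posted PHP does), and a prepared statement.
SQLite in-memory stands in for MySQL; the data below is constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two admin accounts, plain-text passwords
    as in the question (never do this outside a classroom)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, active INTEGER)"
    )
    conn.executemany(
        "INSERT INTO admin VALUES (?, ?, ?, ?)",
        [(1, "admin", "s3cret", 1), (2, "editor", "letmein", 0)],
    )
    return conn


def escape_string(value: str) -> str:
    """Stand-in for mysqli_real_escape_string: keep a quote in the input from
    closing the SQL string literal (MySQL writes \\' , SQLite writes '')."""
    return value.replace("'", "''")


def count_rows(conn: sqlite3.Connection, sql: str, params=()) -> int:
    """Run the query and return the row count; -1 means the input broke the
    SQL syntax (what a student sees as a database error)."""
    try:
        return len(conn.execute(sql, params).fetchall())
    except sqlite3.Error:
        return -1


def login_raw(conn, username: str, password: str) -> int:
    """The question's query with the escaping removed: input is pasted straight
    into the SQL text, so a quote in the input ends the literal early."""
    sql = (f"SELECT * FROM admin WHERE username = '{username}' "
           f"and password = '{password}'")
    return count_rows(conn, sql)


def login_escaped(conn, username: str, password: str) -> int:
    """What the posted PHP actually does: the quote is escaped and stays inside
    the literal, so admin'-- is looked up as a username, not run as SQL."""
    sql = (f"SELECT * FROM admin WHERE username = '{escape_string(username)}' "
           f"and password = '{escape_string(password)}'")
    return count_rows(conn, sql)


def login_prepared(conn, username: str, password: str) -> int:
    """Prepared statement: values travel separately from the SQL text, so no
    input can change the query's structure."""
    sql = "SELECT * FROM admin WHERE username = ? and password = ?"
    return count_rows(conn, sql, (username, password))


def find_by_id_escaped(conn, user_id: str) -> int:
    """A numeric column compared without quotes. Escaping is useless here: the
    payload '1 OR 1=1' contains no quote, so it passes through unchanged."""
    sql = f"SELECT * FROM admin WHERE id = {escape_string(user_id)}"
    return count_rows(conn, sql)


def login_accepted(count: int) -> bool:
    """The question's success test: exactly one matching row."""
    return count == 1


if __name__ == "__main__":
    db = make_db()
    # "admin'-- " (note the trailing space, which MySQL requires after --)
    # comments out the password check and matches exactly one row.
    print("raw, admin'-- :", login_raw(db, "admin'-- ", "wrong"))
    # The classic password payload matches every row; with two rows the
    # question's count == 1 check rejects it, which looks like "nothing happened".
    print("raw, ' OR '1'='1:", login_raw(db, "nobody", "' OR '1'='1"))
    print("escaped, admin'-- :", login_escaped(db, "admin'-- ", "wrong"))
    print("prepared, admin'-- :", login_prepared(db, "admin'-- ", "wrong"))
    print("escaped numeric, 1 OR 1=1:", find_by_id_escaped(db, "1 OR 1=1"))
```

The two behaviours worth showing students side by side are `login_raw` against `login_escaped` with the same `admin'-- ` input (the first logs in, the second does not), and `find_by_id_escaped` with `1 OR 1=1`, where escaping is applied and still does nothing. The fix the comments recommend is `login_prepared`; in PHP that is `mysqli_prepare` with `bind_param`, and the password should be compared with `password_verify` against a stored hash rather than selected as plain text.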

0 Answers