Learning sql inject

Question

Currently I a learning about SQL injection, I attempted

test ="'); DROP TABLE users; '";

It drings up the error message

mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\Program Files (x86)\EasyPHP-DevServer-14.1VC9\data\localweb\my portable files\sqlinjection\login.php on line 18

Login code

session_start();

$username = $_POST['username'];
$password = $_POST['password'];
$errors = array();


if ($username&&$password)
{

$connect = mysql_connect("localhost","root","") or die ("Could not connect");
mysql_select_db ("login") or die ("Could not find database");

$query = mysql_query("SELECT * FROM users WHERE username ='$username'");

$numrows = mysql_num_rows($query);
if ($numrows !=0)
{
    while ($row =mysql_fetch_assoc($query))
    {
        $dbusername = $row['username'];
        $dbpassword = $row['password'];
    }

    if ($username==$dbusername&&$password==$dbpassword)
    {
        echo header( 'Location: member.php' ) ;
        $_SESSION['username']=$dbusername;
    }
    else 
        echo "Incorrect password";

}
else
    die("That user dosen't exist");






}

else
    die("Please enter a username and a password");





?>

Where am I going wrong or is this the expect result? I looked on my database and the table is there so I had guessed it was wrong. UPDATED to show login code.

I'm using a login code, you mean the query within that page? — Jon Snow, Dec 18 '14 at 21:23
Questions asking how to do SQL injection are dangerous questions. — Gordon Linoff, Dec 18 '14 at 21:24
@Gordon Linoff I felt it more dangerous not knowing about them, my next step after learning this, is to learn how to prevent. — Jon Snow, Dec 18 '14 at 21:28
possible duplicate of [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — dotjoe, Dec 18 '14 at 21:33
The specific error message is because you[don't check the result of running the query](http://stackoverflow.com/questions/2973202/mysql-fetch-array-expects-parameter-1-to-be-resource-or-mysqli-result-boole). — Clockwork-Muse, Dec 19 '14 at 06:47
@JonSnow You don’t need to be able to exploit them to prevent them. — Gumbo, Dec 19 '14 at 07:01

score 2 · Accepted Answer · edited May 23 '17 at 12:30

if you query is:

"SELECT * FROM users WHERE username ='$username'"

then your username variable should be:

$username = "foo'; DROP TABLE users;";

In this case your final query become:

"SELECT * FROM users WHERE username ='foo'; DROP TABLE users;"

To prevent this injection you should use parameters or at least use a server function that remove all special chars from your variable before including it to your query (see: How can I prevent SQL-injection in PHP?)

Learning sql inject

1 Answers1