youys
/
cwe-top25
Not watched
1
0
Fork 0
Code
Releases 0 Wiki Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
1 Commit
1 Branch
700 kB
16 Download
Tree: 83c6e7627d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '83c6e7627d'
${ noResults }
cwe-top25/SQL Injection/code files/Vulnerable/SQL_Injection.php

SQL_Injection.php 2.0 kB
Raw Normal View History

init
2 years ago
 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677 
  1. <?php

  2. 	// 1. Create a database connection

  3. 	$dbhost = "localhost";

  4. 	$dbuser = "root";

  5. 	$dbpass = "dakota02";

  6. 	$dbname = "UMUC";

  7. 	$connection = mysqli_connect($dbhost, $dbuser, $dbpass,

  8. 			$dbname);

  9. //you could just place the variables directly into the arugments also, but

  10. //it's easier to understand this way.

  11. 

  12. //Once we call the mysqli_connect function, the value that it returns is what we

  13. //have assigned to the variable $connection. It is what is referred to as a handle for the connection.

  14. 

  15. //will see if connected, if not will quit and display error messages with error.

  16. 	//test if connection occured.

  17. 	if(mysqli_connect_errno()){

  18. 	die("Database connection failed: " .

  19. 		mysqli_connect_error() .

  20. 		"(" . mysqli_connect_errno() . ")"

  21. 	);

  22. 	}

  23. 

  24. ?>

  25. <?php

  26. 

  27. if (isset($_POST['submit'])){

  28. //assign post data to variables

  29. $first_name = $_POST["first_name"];

  30. $last_name = $_POST["last_name"];

  31. $student_id = $_POST["student_id"];

  32. }

  33. 

  34. 	//2. perform database query

  35. 	//This way is called assembling a query. Easier to read and work with.

  36. 	//could also wrap parts in if statements. ex. if something is true,

  37. 	//append the WHERE clause.

  38. 	$query = "INSERT INTO students (";

  39. 	$query .= " first_name, last_name, student_id"; 

  40. 	$query .= ") VALUES (";

  41. 	$query .= " '{$first_name}', '{$last_name}', '{$student_id}' ";

  42. 	$query .= ")";

  43. 

  44. 	$result = mysqli_query($connection, $query);

  45. 	//test if there was a query error

  46. 	if($result){

  47. 			//success

  48. 			//could do a redirect. ex redirect to("somepage.php");

  49. 			echo "Success! Student added to database!";

  50. 			}else{		

  51. 			//failure	

  52. 			//$message = "Student creation failed";

  53. 			die("Database query failed. " . mysqli_error($connection));

  54. 			}

  55. ?>

  56. 

  57. 

  58. <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"

  59. 	"http://www.w3.org/TR/html4/loose.dtd">

  60. <html lang="en">

  61. 

  62. <head>

  63. <title>SQL Injection</title>

  64. </head>

  65. 

  66. <body>

  67. 

  68. 

  69. 

  70. 

  71. </body>

  72. </html>

  73. 

  74. <?php

  75. 	//5.close database connection

  76. mysqli_close($connection);

  77. ?>

No Description

Contributors (1)
All