; Report everything except deprecation notices. This only hides the ext/mysql
; deprecation warnings; the mysql_* calls themselves still need to be migrated.
error_reporting = E_ALL ^ E_DEPRECATED
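// Legacy ext/mysql connection, shown for comparison with the PDO versions.
$link = mysql_connect('localhost', 'user', 'pass');
mysql_select_db('testdb', $link);
// MySQL's name for the charset is 'utf8' (or 'utf8mb4'), not 'UTF-8'; an unknown
// name makes mysql_set_charset() fail and leaves the connection on its default
// charset, which is the situation in which client-side escaping becomes unreliable.
mysql_set_charset('utf8', $link);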
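// Three equivalent ways to open the same PDO connection.
// The DSN charset must be a MySQL charset name ('utf8' or 'utf8mb4'); 'UTF-8' is not one.

// 1) Minimal form: driver defaults for error mode and prepared-statement emulation.
$db = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8', 'username', 'password');

// 2) Options passed to the constructor: server-side prepares, and errors raised as PDOException.
$db = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8',
              'username',
              'password',
              array(PDO::ATTR_EMULATE_PREPARES => false,
                    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));

// 3) Same options applied after construction. A failure inside the constructor itself
//    always throws PDOException, so the connect call still needs a try/catch that does
//    not print the exception (its trace can contain the credentials).
$db = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8',
              'username',
              'password');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);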
//Connected to MySQL
// "or die(mysql_error($link))" prints the raw database error to whoever requested the
// page; log the error server-side and show a generic message instead.
$result = mysql_query("SELECT * FROM table", $link) or die(mysql_error($link));
// The three PDO error modes, one per line: silent (inspect error codes yourself),
// warning (raises E_WARNING), exception (throws PDOException).
// NOTE(review): elsewhere on this page the error mode is set on the connection
// ($db->setAttribute(...)); confirm that $stmt here is meant to be the PDO object.
$stmt->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT );
$stmt->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING );
$stmt->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
// Error handling with exceptions: query() throws PDOException only when the
// connection's error mode is PDO::ERRMODE_EXCEPTION.
try {
    //Connect as appropriate as above
    $db->query('hi'); //Invalid query!
}
catch (PDOException $ex) {
    // The visitor gets a fixed, generic message; the driver's error text goes only to the log.
    echo "An Error occured!"; //User friendly message/message you want to show to user
    some_logging_function($ex->getMessage());
}
/**
 * Run the fixed query "SELECT * FROM table" on the given connection and return all rows.
 *
 * The SQL text is a constant, so no user input reaches it. Errors are not handled here;
 * with PDO::ERRMODE_EXCEPTION a failure propagates to the caller as PDOException.
 *
 * @param PDO $db open connection (presumably a PDO instance; the parameter is untyped)
 * @return array rows as associative arrays
 */
function data_fun($db) {
    return $db->query("SELECT * FROM table")->fetchAll(PDO::FETCH_ASSOC);
}
//Then later
try {
    data_fun($db);
}
catch(PDOException $ex) {
    //Here you can handle error and show message/perform action you want.
    // NOTE(review): as written the catch body is empty, so the failure is discarded;
    // at minimum log $ex->getMessage() server-side.
}
<?php
// Legacy ext/mysql read loop, shown for comparison with the PDO versions.
$result = mysql_query('SELECT * from table') or die(mysql_error());
$num_rows = mysql_num_rows($result);
while($row = mysql_fetch_assoc($result)) {
    // Database values are echoed as-is; pass them through htmlspecialchars() when the output is HTML.
    echo $row['field1'];
}
<?php
// Variant 1: fetch one row at a time as an associative array.
$stmt = $db->query('SELECT * FROM table');
while($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
    echo $row['field1'];
}
<?php
// Variant 2: load the whole result set into an array in one call.
$stmt = $db->query('SELECT * FROM table');
$results = $stmt->fetchAll(PDO::FETCH_ASSOC);
//Use $results
<?php
// Variant 3: iterate the statement returned by query() directly.
// query() takes a complete SQL string, so it suits only constant SQL like this;
// anything containing request data belongs in prepare()/execute().
foreach($db->query('SELECT * FROM table') as $row) {
    echo $row['field1'];
}
- $stmt->fetch(PDO::FETCH_ASSOC)
<?php
// Row count of a SELECT. rowCount() is specified for INSERT/UPDATE/DELETE; for SELECT
// the value is driver-dependent, so treat this as MySQL-specific behaviour.
$stmt = $db->query('SELECT * FROM table');
$row_count = $stmt->rowCount();
echo $row_count.' rows selected';
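<?php
// Insert a row with exec() and read back the auto-increment id.
// The values here are literals; with variable data use prepare()/execute() with
// placeholders instead of building the string.
// Fixed keyword spelling: "VAULES" is a syntax error in SQL.
$result = $db->exec("INSERT INTO table(firstname, lastname) VALUES('John', 'Doe')");
$insertId = $db->lastInsertId();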
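<?php
// Legacy ext/mysql UPDATE, shown for comparison with the PDO version.
$results = mysql_query("UPDATE table SET field='value'") or die(mysql_error());
// mysql_affected_rows() takes an optional link identifier, not a query result; the
// original passed an undefined $result. With no argument it uses the last opened link.
echo mysql_affected_rows();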
<?php
// exec() runs a statement that returns no result set and gives back the number of
// affected rows. As with query(), use it only for constant SQL.
$affected_rows = $db->exec("UPDATE table SET field='value'");
echo $affected_rows;
// bindParam() binds the variable by reference: the value is read when execute() runs,
// not when this line runs.
$stmt->bindParam(':bla', $bla);
<?php
// Named placeholders: the SQL text is fixed at prepare() time and $name/$id are
// supplied separately at execute(), so their content cannot alter the statement.
$stmt = $db->prepare("SELECT * FROM table WHERE id=:id AND name=:name");
$stmt->execute(array(':name' => $name, ':id' => $id));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
/**
 * Plain data holder with two public fields, used on this page to show an object
 * being cast to an array of statement parameters.
 */
class person {
    public $name;
    public $add;

    /**
     * @param mixed $a value stored in $name
     * @param mixed $b value stored in $add
     */
    public function __construct($a, $b) {
        $this->add = $b;
        $this->name = $a;
    }
}
// Bind an object's public properties as named parameters by casting it to an array.
// Only works while every property maps to a placeholder: the cast also exposes
// private/protected properties (under mangled keys), and any extra key makes
// execute() fail. When the object is filled from request data, build the array
// from an explicit list of allowed fields instead of casting.
// NOTE(review): `table` and `add` look like reserved words in MySQL; confirm the real
// identifiers or quote them with backticks.
$demo = new person('john','29 bla district');
$stmt = $db->prepare("INSERT INTO table (name, add) value (:name, :add)");
$stmt->execute((array)$demo);
<?php
// Positional placeholders, bound one at a time; positions are 1-based and
// bindValue() copies the value at the moment of the call.
$stmt = $db->prepare("INSERT INTO folks (name, add) values (?, ?)");
$stmt->bindValue(1, $name, PDO::PARAM_STR);
$stmt->bindValue(2, $add, PDO::PARAM_STR);
$stmt->execute();
// Same statement with the values passed to execute() in placeholder order.
$stmt = $db->prepare("INSERT INTO folks (name, add) values (?, ?)");
$stmt->execute(array('john', '29 bla district'));
// SELECT with named placeholders.
$stmt = $db->prepare("SELECT * FROM table WHERE id=:id AND name=:name");
$stmt->execute(array(':name' => $name, ':id' => $id));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
// DELETE with a bound id; rowCount() reports how many rows were removed.
$stmt = $db->prepare("DELETE FROM table WHERE id=:id");
$stmt->bindValue(':id', $id, PDO::PARAM_STR);
$stmt->execute();
$affected_rows = $stmt->rowCount();
// UPDATE with positional placeholders.
$stmt = $db->prepare("UPDATE table SET name=? WHERE id=?");
$stmt->execute(array($name, $id));
$affected_rows = $stmt->rowCount();
// Charset edge case. The connection is switched to GBK, a multi-byte charset in which
// the byte 0xbf followed by 0x27 (a single quote) is the input that defeats client-side
// escaping when the client library does not know the connection charset.
// With PDO::ATTR_EMULATE_PREPARES disabled the statement is prepared by the server and
// the value travels separately from the SQL text, so the bound string is only ever
// compared as data.
// Prefer declaring the charset in the DSN (charset=...) over "SET NAMES": a SET NAMES
// query changes the server side only and does not tell the client library.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->query('SET NAMES GBK');
$stmt = $pdo->prepare("SELECT * FROM test WHERE name = ? LIMIT 1");
$stmt->execute(array(chr(0xbf) . chr(0x27) . " OR 1=1 /*"));
// Drop-in wrapper: pdo_* functions that mirror the mysql_* API on top of PDO.
include_once("pdo_mysql.php");
pdo_connect("localhost", "usrABC", "pw1234567");
pdo_select_db("test");
$result = pdo_query("SELECT title, html FROM pages");
while ($row = pdo_fetch_assoc($result)) {
    // Column values are printed unescaped; `title` should go through htmlspecialchars(),
    // and `html` only be emitted raw if its content is trusted markup.
    print "$row[title] - $row[html]";
}
// Before: values escaped and concatenated into the SQL text. Correctness depends on
// every value being escaped and quoted, and on the connection charset being known.
pdo_query("SELECT id, links, html, title, user, date FROM articles
WHERE title='" . pdo_real_escape_string($title) . "' OR id='".
pdo_real_escape_string($title) . "' AND user <> '" .
pdo_real_escape_string($root) . "' ORDER BY date")
// After: the same query with ? placeholders and the values passed as arguments.
// NOTE(review): AND binds tighter than OR, so this reads as
// title=? OR (id=? AND user<>?); add parentheses if the user filter should apply to both.
pdo_query("SELECT id, links, html, title, user, date FROM articles
WHERE title=? OR id=? AND user<>? ORDER BY date", $title, $id, $root)
// NOTE(review): binding $_POST wholesale lets the request decide how many values are
// bound and in which order they land in the columns; the values are safe from
// injection, but the mapping is not. Pick the expected fields explicitly.
pdo_query("INSERT INTO pages VALUES (?,?,?,?,?)", $_POST);
/**
 * Catch-all "sanitizer": SQL-escapes the value, HTML-encodes it, strips tags, then trims.
 *
 * NOTE(review): this mixes two unrelated contexts. SQL escaping is unnecessary once
 * values are bound through placeholders, and HTML encoding belongs at output time
 * (htmlspecialchars() where the value is printed), not before storage. Stored data
 * ends up double-encoded, and the function gives no protection in other contexts.
 *
 * @param string $str raw input value
 * @return string the transformed value
 */
function sanitize($str) {
    $escaped = pdo_real_escape_string($str);
    $encoded = htmlentities($escaped);
    $stripped = strip_tags($encoded);
    return trim($stripped);
}
- $result = pdo_query("SELECT * FROM tbl");
- while ($row = pdo_fetch_assoc($result)) {
- foreach ($result as $row) {
- $result->fetchAll();
/**
 * printf-style query helper for ext/mysql.
 *
 * The first argument is the query template; every %s in it is wrapped in single
 * quotes, all remaining arguments are passed through mysql_real_escape_string(),
 * and the result is formatted with vsprintf() and executed.
 *
 * NOTE(review): this is escaping, not parameter binding. It is only as safe as the
 * connection charset known to the client library (set it with mysql_set_charset()),
 * and only for values placed through %s or %d; identifiers and keywords are not covered.
 * The thrown message contains the full SQL text, so it must never be shown to users.
 *
 * @return resource|bool whatever mysql_query() returned on success
 * @throws Exception when mysql_query() fails
 */
function paraQuery()
{
    $params = func_get_args();
    // Quote every string placeholder so callers write %s without quotes.
    $template = str_replace("%s", "'%s'", array_shift($params));
    $escaped = array_map('mysql_real_escape_string', $params);
    $query = vsprintf($template, $escaped);
    $result = mysql_query($query);
    if ($result) {
        return $result;
    }
    throw new Exception(mysql_error()." [$query]");
}
// Usage: %s values are quoted and escaped by paraQuery(), %d is formatted as an integer.
// The LIKE wildcards % and _ inside $b are not escaped, so they keep their pattern meaning.
$query = "SELECT * FROM table where a=%s AND b LIKE %s LIMIT %d";
$result = paraQuery($query, $a, "%$b%", $limit);
// Typed placeholders of a helper library: ?a expands an array for IN(), ?u expands an
// associative array into a SET list, ?n inserts an identifier.
$city_ids = array(1,2,3);
// NOTE(review): "WHERE is IN" is probably meant to be "WHERE id IN" - confirm.
$cities = $db->getCol("SELECT name FROM cities WHERE is IN(?a)", $city_ids);
$insert = array('name' => 'John', 'surname' => "O'Hara");
$db->query("INSERT INTO users SET ?u", $insert);
// The sort column comes straight from the query string. Even with identifier quoting,
// compare it against a fixed list of sortable columns first, so a request cannot sort
// by (and thereby probe) columns that were never meant to be exposed.
$data = $db->getAll("SELECT * FROM goods ORDER BY ?n", $_GET['order']);
-- Demo schema and account for the two login scripts on this page.
-- NOTE(review): `pass` holds the password in plaintext; a real table stores a
-- password hash (PHP: password_hash() / password_verify()).
mysql> create table users(
    -> id int(2) primary key auto_increment,
    -> userid tinytext,
    -> pass tinytext);
Query OK, 0 rows affected (0.05 sec)
mysql> insert into users values(null, 'Fluffeh', 'mypass');
Query OK, 1 row affected (0.04 sec)
mysql> create user 'prepared'@'localhost' identified by 'example';
Query OK, 0 rows affected (0.01 sec)
-- NOTE(review): ALL PRIVILEGES WITH GRANT OPTION is far more than a login check needs;
-- the application account only requires SELECT on prep.users.
mysql> grant all privileges on prep.* to 'prepared'@'localhost' with grant option;
Query OK, 0 rows affected (0.00 sec)
<?php
// Deliberately vulnerable login check, kept as the "before" half of the comparison
// on this page. Do not reuse: request values are placed directly into the SQL text.
if(!empty($_POST['user']))
{
    $user=$_POST['user'];
}
else
{
    $user='bob';
}
if(!empty($_POST['pass']))
{
    $pass=$_POST['pass'];
}
else
{
    $pass='bob';
}
$database='prep';
$link=mysql_connect('localhost', 'prepared', 'example');
mysql_select_db($database) or die( "Unable to select database");
// $user and $pass are interpolated unescaped, so a quote character in either field
// changes the structure of the WHERE clause instead of being compared as data.
// The password is also compared in plaintext against the stored column.
$sql="select id, userid, pass from users where userid='$user' and pass='$pass'";
//echo $sql."<br><br>";
$result=mysql_query($sql);
$isAdmin=false;
// Any returned row, whichever account it belongs to, sets $isAdmin.
while ($row = mysql_fetch_assoc($result)) {
    // Database values, including the password, are written into the page without HTML escaping.
    echo "My id is ".$row['id']." and my username is ".$row['userid']." and lastly, my password is ".$row['pass']."<br>";
    $isAdmin=true;
    // We have correctly matched the Username and Password
    // Lets give this person full access
}
if($isAdmin)
{
    echo "The check passed. We have a verified admin!<br>";
}
else
{
    echo "You could not be verified. Please try again...<br>";
}
mysql_close($link);
?>
<form name="exploited" method='post'>
User: <input type='text' name='user'><br>
Pass: <input type='text' name='pass'><br>
<input type='submit'>
</form>
- user: bob
- pass: somePass
- You could not be verified. Please try again...
- user: Fluffeh
- pass: mypass
- user: bob
- pass: n' or 1=1 or 'm=m
- The check passed. We have a verified admin!
- select id, userid, pass from users where userid='$user' and pass='$pass'
- select id, userid, pass from users where userid='bob' and pass='n' or 1=1 or 'm=m'
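<?php
// Login check using a prepared statement: the submitted values are bound as
// parameters and sent separately from the SQL text, so they are only compared as data.
$user = !empty($_POST['user']) ? $_POST['user'] : 'bob';
$pass = !empty($_POST['pass']) ? $_POST['pass'] : 'bob';

$isAdmin = false;

try {
    // Charset declared in the DSN so client and server agree on it; errors raised as
    // exceptions; emulation off so the server, not the client, prepares the statement.
    $pdo = new PDO(
        'mysql:host=localhost;dbname=prep;charset=utf8',
        'prepared',
        'example',
        array(
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        )
    );

    // NOTE(review): the password is still stored and compared in plaintext. A real
    // login selects the row by userid and checks the hash with password_verify().
    $sql = "select id, userid, pass from users where userid=:user and pass=:password";
    $myPDO = $pdo->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
    $myPDO->execute(array(':user' => $user, ':password' => $pass));

    while ($row = $myPDO->fetch(PDO::FETCH_ASSOC)) {
        // Values from the database are HTML-escaped before they are written into the page.
        // Echoing the password is part of the demonstration only.
        echo "My id is " . htmlspecialchars((string) $row['id'], ENT_QUOTES, 'UTF-8')
            . " and my username is " . htmlspecialchars((string) $row['userid'], ENT_QUOTES, 'UTF-8')
            . " and lastly, my password is " . htmlspecialchars((string) $row['pass'], ENT_QUOTES, 'UTF-8')
            . "<br>";
        $isAdmin = true;
        // We have correctly matched the Username and Password
        // Lets give this person full access
    }
} catch (PDOException $ex) {
    // Fail closed: $isAdmin stays false. The driver message goes to the server log only;
    // an uncaught PDOException could expose connection details in its trace.
    error_log($ex->getMessage());
}

if ($isAdmin) {
    echo "The check passed. We have a verified admin!<br>";
} else {
    echo "You could not be verified. Please try again...<br>";
}
?>
<form name="exploited" method='post'>
User: <input type='text' name='user'><br>
Pass: <input type='password' name='pass'><br>
<input type='submit'>
</form>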
- user: bob
- pass: somePass
- user: Fluffeh
- pass: mypass
- user: bob
- pass: n' or 1=1 or 'm=m
- You could not be verified. Please try again...