  1. INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--') -- what string concatenation yields once untrusted input reaches a quoted literal; binding the value (the prepare()/bind_param() examples below) keeps it out of the SQL text entirely
  2.  
  3. // Value whitelist
  4. // $dir can only be 'DESC' or 'ASC'
  5. $dir = !empty($direction) ? 'DESC' : 'ASC'; // the request value only chooses between two constants and is never interpolated itself, so no escaping is needed here
  6.  
  7. //Connect
  8.  
  9. $unsafe_variable = $_POST["user-input"]; // NOTE(review): a missing key raises an undefined-index notice; default the value before using it
  10. $safe_variable = mysql_real_escape_string($unsafe_variable); // legacy ext/mysql (mysql_*), removed in PHP 7.0; escaping only protects a value placed inside a quoted literal
  11.  
  12. mysql_query("INSERT INTO table (column) VALUES ('" . $safe_variable . "')"); // "safe" only because the quotes around the value are part of the fixed SQL text
  13.  
  14. //Disconnect
  15.  
  16. <?php
  17. $mysqli = new mysqli("server", "username", "password", "database_name");
  18.  
  19. // TODO - Check that connection was successful. (review: test $mysqli->connect_error and stop before using the handle)
  20.  
  21. $unsafe_variable = $_POST["user-input"]; // raw request data; acceptable only because it is bound below, never concatenated into SQL
  22.  
  23. $stmt = $mysqli->prepare("INSERT INTO table (column) VALUES (?)"); // the SQL text is fixed here and compiled by the server before any value is supplied
  24.  
  25. // TODO check that $stmt creation succeeded (review: prepare() returns false on failure, e.g. a syntax error in the SQL)
  26.  
  27. // "s" means the database expects a string
  28. $stmt->bind_param("s", $unsafe_variable);
  29.  
  30. $stmt->execute(); // NOTE(review): return value unchecked; false means the row was not inserted
  31.  
  32. $stmt->close();
  33.  
  34. $mysqli->close();
  35. ?>
  36.  
  37. $orders = array("name","price","qty"); //field names -- the only values that can ever reach the query
  38. $key = array_search($_GET['sort'],$orders)); // see if we have such a name -- NOTE(review): stray ')' is a syntax error; $_GET['sort'] is also read without isset()
  39. $orderby = $orders[$key]; //if not, first one will be set automatically. smart enuf :) -- works because array_search() returns false and false is used as key 0
  40. $query = "SELECT * FROM `table` ORDER BY $orderby"; //value is safe -- only because $orderby can only be one of the three literals above; ORDER BY identifiers cannot be bound as parameters, so a fixed list like this is the right tool
  41.  
  42. $stmt = $conn->prepare("INSERT INTO tbl VALUES(:id, :name)"); // PDO named placeholders; assumes $conn is a PDO instance
  43. $stmt->bindValue(':id', $id); // pass PDO::PARAM_INT as the third argument when the column is integer
  44. $stmt->bindValue(':name', $name);
  45. $stmt->execute(); // NOTE(review): result unchecked; returns false on failure unless PDO::ERRMODE_EXCEPTION is set
  46.  
  47. SELECT password FROM users WHERE name = 'root' -- the value as a quoted string literal
  48.  
  49. SELECT password FROM users WHERE name = 0x726f6f74 -- the same value as a hex literal: no quote characters involved
  50.  
  51. SELECT password FROM users WHERE name = UNHEX('726f6f74') -- the same value once more; a defence that only strips or escapes quote characters does not cover the last two forms, which is why parameter binding rather than filtering is the fix
  52.  
  53. "SELECT title FROM article WHERE id = " . mysql_real_escape_string($_GET["id"]) // NOTE(review): id is not inside quotes, so escaping quote characters changes nothing here; cast to int or bind the value instead
  54.  
  55. $name_bad = "' OR 1'"; // sample value containing quote characters
  56.  
  57. $name_bad = mysql_real_escape_string($name_bad); // each ' becomes \' so the value cannot terminate its literal
  58.  
  59. $query_bad = "SELECT * FROM customers WHERE username = '$name_bad'"; // the '...' in the fixed SQL text is what makes the escaping effective
  60. echo "Escaped Bad Injection: <br />" . $query_bad . "<br />"; // demo output only; outside a demo, request-derived text echoed into HTML needs htmlspecialchars()
  61.  
  62.  
  63. $name_evil = "'; DELETE FROM customers WHERE 1 or username = '"; // sample value trying to close the literal and add a statement
  64.  
  65. $name_evil = mysql_real_escape_string($name_evil);
  66.  
  67. $query_evil = "SELECT * FROM customers WHERE username = '$name_evil'"; // still a single SELECT: the escaped quotes stay inside the literal
  68. echo "Escaped Evil Injection: <br />" . $query_evil;
  69.  
  70. $safe_variable = mysql_real_escape_string($_POST["user-input"]); // same pattern as lines 9-12 above (legacy ext/mysql); reads $_POST without an isset() check
  71. mysql_query("INSERT INTO table (column) VALUES ('" . $safe_variable . "')"); // works only because the value sits inside the quotes written in the SQL text
  72.  
  73. $offset = isset($_GET['o']) ? $_GET['o'] : 0;
  74. $offset = mysql_real_escape_string($offset); // ineffective: LIMIT takes a bare number, so there is no quoted literal for the escaping to protect; (int)$offset is the appropriate guard
  75. RunQuery("SELECT userid, username FROM sql_injection_test LIMIT $offset, 10");
  76.  
  77. $order = isset($_GET['o']) ? $_GET['o'] : 'userid';
  78. $order = mysql_real_escape_string($order); // ineffective: the backtick is not among the characters this function escapes, and identifiers cannot be bound; check $order against a fixed list of column names (see the $orders example above)
  79. RunQuery("SELECT userid, username FROM sql_injection_test ORDER BY `$order`");
  80.  
  81. $query="select * from users where email='".$_POST['email']."' and password='".$_POST['password']."' "; // raw request values concatenated into the SQL text: the pattern the prepared-statement examples replace; comparing the password column directly also implies passwords are stored unhashed
  82.  
  83. $_POST['email']= admin@emali.com' OR '1=1 // illustrative request value, not valid PHP
  84.  
  85. $query="select * from users where email='admin@emali.com' OR '1=1'; // what the concatenation above produces (NOTE(review): the closing " of the PHP string is missing on this line)
  86.  
  87. $request = $pdoConnection->("INSERT INTO parents (name, addr, city) values ($name, $addr, $city)"); // NOTE(review): '->(' has no method name (prepare or query); the values are also interpolated, so this is the vulnerable form
  88.  
  89. $request = $pdoConnection->("INSERT INTO parents (name, addr, city) values (?, ?, ?); // positional placeholders; NOTE(review): the closing quote and ')' are missing and the method name is still absent
  90.  
  91. $request = $pdoConnection->("INSERT INTO parents (name, addr, city) value (:name, :addr, :city)"); // named placeholders, to be bound with bindValue() or execute(array(...)); same missing method name
  92.  
  93. $request = $mysqliConnection->prepare('
  94. SELECT * FROM trainers
  95. WHERE name = ?
  96. AND email = ?
  97. AND last_login > ?');
  98.  
  99. $query->bind_param('first_param', 'second_param', $mail, time() - 3600); // NOTE(review): wrong usage -- bind_param() takes a type string first ("ssi" for these three ?), then one variable per placeholder passed by reference, so literals and the time() expression cannot be bound directly; $query is also not the $request prepared above
  100. $query->execute();
  101.  
  102. $unsafe_variable = $_POST['user_id'];
  103.  
  104. $safe_variable = (int)$unsafe_variable ; // the cast guarantees a bare integer reaches the SQL; NOTE(review): non-numeric input silently becomes 0, so reject it explicitly if 0 is never a valid id
  105.  
  106. mysql_query("INSERT INTO table (column) VALUES ('" . $safe_variable . "')"); // safe because only digits (and a leading '-') can appear; legacy mysql_* API
  107.  
  108. $count = DB::column('SELECT COUNT(*) FROM `user`); // NOTE(review): closing quote missing (same on the next call)
  109.  
  110. $pairs = DB::pairs('SELECT `id`, `username` FROM `user`);
  111.  
  112. $user = DB::row('SELECT * FROM `user` WHERE `id` = ?', array($user_id)); // values travel in the second argument; presumably bound by the DB wrapper -- verify it does not interpolate them
  113.  
  114. $banned_users = DB::fetch('SELECT * FROM `user` WHERE `banned` = ?', array(TRUE));
  115.  
  116. SELECT * FROM users WHERE name = '".mysql_escape_string($name_from_html_form)."' // mysql_escape_string() ignores the connection charset (long deprecated in favour of mysql_real_escape_string; both gone in PHP 7)
  117.  
  118. wHERE 1=1 or LIMIT 1 // (fragment) a tautology in WHERE matches every row; appending LIMIT 1, as below, shrinks the result but the injected condition is still evaluated
  119.  
  120. SELECT * FROM users WHERE name = '".mysql_escape_string($name_from_html_form)."' LIMIT 1 // LIMIT is not a defence; the value is protected only because it sits inside a quoted literal and is escaped
  121.  
  122. $mysqli = new mysqli( 'host', 'user', 'password', 'database' );
  123. $mysqli->set_charset( 'charset'); // put the real connection charset here; real_escape_string() relies on it to recognise multibyte sequences correctly
  124.  
  125. $string = $mysqli->real_escape_string( $string );
  126. $mysqli->query( "INSERT INTO table (column) VALUES ('$string')" ); // escaped value inside a quoted literal: correct, but the prepared form below needs no escaping at all
  127.  
  128. $stmt = $mysqli->prepare( "INSERT INTO table ( column1, column2 ) VALUES (?,?)" );
  129.  
  130. $stmt->bind_param( "is", $integer, $string ); // "i" integer, "s" string -- one type letter per ?
  131.  
  132. $stmt->execute(); // NOTE(review): return value unchecked
  133.  
  134. $string = "x' OR name LIKE '%John%"; // sample values carrying quote characters / trailing SQL
  135. $integer = '5 OR id != 0';
  136.  
  137. $query = sprintf( "SELECT id, email, pass, name FROM members WHERE email ='%s' AND id = %d", $mysqli->real_escape_string( $string ), $integer ); // %d converts $integer to an int (the trailing "OR id != 0" is dropped); %s is safe only because it is quoted and escaped
  138.  
  139. echo $query;
  140. // SELECT id, email, pass, name FROM members WHERE email ='x' OR name LIKE '%John%' AND id = 5
  141. // NOTE(review): the output shown has no backslashes; with real_escape_string() applied the quotes would appear as \' -- the line above looks hand-written
  142. $integer = '99999999999999999999';
  143. $query = sprintf( "SELECT id, email, pass, name FROM members WHERE email ='%s' AND id = %d", $mysqli->real_escape_string( $string ), $integer ); // an out-of-range numeric string is converted by %d rather than rejected; validate the range yourself when it matters
  144.  
  145. echo $query;
  146. // SELECT id, email, pass, name FROM members WHERE email ='x' OR name LIKE '%John%' AND id = 2147483647
  147. // (2147483647 is PHP_INT_MAX on a 32-bit build; other builds/versions give a different value, so do not rely on the clamp)
  147.  
  148. string mysqli_real_escape_string ( mysqli $link , string $escapestr ) // manual signature; $link supplies the connection charset the escaping depends on
  149.  
  150. $iId = $mysqli->real_escape_string("1 OR 1=1"); // nothing to escape: the string contains no quotes, so it comes back unchanged
  151. $mysqli->query("SELECT * FROM table WHERE id = $iId"); // and it lands unquoted in the SQL, so the whole condition is injected; cast to int or bind the value
  152.  
  153. GRANT SELECT, INSERT, DELETE ON database TO username@'localhost' IDENTIFIED BY 'password'; -- least privilege: the application account gets only the statements it needs on its own schema (no UPDATE, no DDL, nothing on mysql.*); IDENTIFIED BY inside GRANT is not accepted by MySQL 8.0 and later, which expect CREATE USER first
  154.  
  155. FLUSH PRIVILEGES; -- not required after GRANT itself; only needed when the grant tables were edited directly
  156.  
  157. select * from mysql.user where User='username'; -- verify the resulting account row
  158.  
  159. [1] UNION SELECT IF(SUBSTRING(Password,1,1)='2',BENCHMARK(100000,SHA1(1)),0) User,Password FROM mysql.user WHERE User = 'root' -- an injected condition reading mysql.user; the restricted GRANT above (no privileges on mysql.*) limits the damage, and prepared statements stop the condition from being injected in the first place
  160.  
  161. $user = "''1''"; //Malicious keyword -- a value with embedded quotes
  162. $sql = 'SELECT * FROM awa_user WHERE userame =:username'; // NOTE(review): column reads "userame" (typo?); identifiers cannot be parameterised, so review the SQL text itself
  163. $sth = $dbh->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
  164. $sth->execute(array(':username' => $user)); // the server log below shows a single Query with the value quoted client-side, i.e. pdo_mysql emulated the prepare (default unless PDO::ATTR_EMULATE_PREPARES is false); still safe, but it relies on the connection charset being correct
  165.  
  166. 189 Query SELECT * FROM awa_user WHERE userame ='''1'''
  167. 189 Quit
  168.  
  169. $stmt = $mysqli->prepare("SELECT * FROM awa_user WHERE username =?")) {   // NOTE(review): the trailing ')) {' is the remainder of an if (($stmt = ...)) wrapper whose opening and closing parts are not on the page
  170. $stmt->bind_param("s", $user); // binds by reference, so assigning $user afterwards is fine
  171. $user = "''1''";
  172. $stmt->execute(); // the log below shows a server-side Prepare followed by Execute: the value is sent separately from the SQL text (the Execute line presumably renders it for display)
  173.  
  174. 188 Prepare SELECT * FROM awa_user WHERE username =?
  175. 188 Execute SELECT * FROM awa_user WHERE username ='''1'''
  176. 188 Quit
  177.  
  # NOTE(review): the condition fires for any "digits=digits" pair anywhere in the query string, which is ordinary traffic, not an injection signature; this is not a substitute for parameter binding in the application
  178. RewriteCond %{QUERY_STRING} ([0-9]+)=([0-9]+)
  # NOTE(review): '^' in a RewriteRule substitution is a literal character; '/track.php' (with the intended [R] or [L] flag) is presumably what was meant
  179. RewriteRule ^(.*) ^/track.php
  180.  
  181. $conn = oci_connect($username, $password, $connection_string); // NOTE(review): returns false on failure; check before oci_parse()
  182. $stmt = oci_parse($conn, 'UPDATE table SET field = :xx WHERE ID = 123'); // fixed SQL text; :xx is a bind variable
  183. oci_bind_by_name($stmt, ':xx', $fieldval); // value bound by reference, never concatenated into the statement
  184. oci_execute($stmt); // NOTE(review): also unchecked; false means the update did not run (see oci_error())
  185.  
  186. $unsafe_variable = mysql_real_escape_string($_POST['user_input']); // escaping (legacy ext/mysql): meaningful only if the result is placed inside a quoted SQL literal
  187.  
  188. $unsafe_variable = (is_string($_POST['user_input']) ? $_POST['user_input'] : ''); // type check only: a string can still contain anything, so this does not make the value safe to concatenate
  189.  
  190. $unsafe_variable = (is_numeric($_POST['user_input']) ? $_POST['user_input'] : ''); // is_numeric() also accepts floats, exponent notation and leading whitespace; use (int) or ctype_digit() when an integer is required
  191.  
  192. $user = ORM::for_table('user') // query-builder style (presumably Idiorm); the value passed to where_equal() is presumably sent as a bound parameter -- confirm in the library, and note the column-name argument is not protected the same way
  193. ->where_equal('username', 'j4mie')
  194. ->find_one();
  195.  
  196. $user->first_name = 'Jamie';
  197. $user->save(); // NOTE(review): find_one() can return false when no row matches; guard before using $user
  198.  
  199. $tweets = ORM::for_table('tweet')
  200. ->select('tweet.*')
  201. ->join('user', array(
  202. 'user.id', '=', 'tweet.user_id'
  203. ))
  204. ->where_equal('user.username', 'j4mie')
  205. ->find_many();
  206.  
  207. foreach ($tweets as $tweet) {
  208. echo $tweet->text; // NOTE(review): stored text echoed raw; if this is HTML output it needs htmlspecialchars()
  209. }
  210.  
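  /**
   * Build a SQL string from a template with {0}, {1}, ... placeholders,
   * substituting each with the escaped/quoted form of the matching
   * element of $args.
   *
   * Strings are wrapped in single quotes after mysqli_real_escape_string()
   * on the global $DB_LINK, null becomes the literal NULL, ints and floats
   * are inserted with PHP's default string conversion (locale-dependent for
   * floats before PHP 8). Any other type aborts via die(), as before, so
   * existing callers see the same behaviour.
   *
   * Note (review): the escaping is only as good as the connection charset;
   * mysqli_set_charset() should have been called on $DB_LINK before this
   * is used with multibyte data. A server-side prepared statement (see the
   * prepare()/bind_param() examples above) is the preferred form.
   *
   * @param string $query template, e.g. "SELECT * FROM t WHERE id = {0}"
   * @param array  $args  positional values for the placeholders
   * @return string the query with placeholders replaced; a placeholder
   *                with no matching argument is left as written
   */
  function sqlvprintf($query, $args)
  {
      global $DB_LINK;
      ensureConnection(); // Connect to database if not connected already.

      $values = array();
      foreach (array_values($args) as $position => $value) {
          if (is_string($value)) {
              $value = "'" . mysqli_real_escape_string($DB_LINK, $value) . "'";
          } elseif (is_null($value)) {
              $value = 'NULL';
          } elseif (!is_int($value) && !is_float($value)) {
              // Message corrected: arrays were never accepted by this branch.
              die('Only numeric, string and NULL arguments allowed in a query. Argument '
                  . ($position + 1) . ' is not a basic type, its type is ' . gettype($value) . '.');
          }
          $values[] = $value;
      }

      // Single pass: substituted text is not rescanned, so a value that
      // itself contains "{1}" cannot pull in another argument.
      return preg_replace_callback(
          '/{(\d+)}/',
          function ($match) use ($values) {
              return isset($values[$match[1]]) ? $values[$match[1]] : $match[0];
          },
          $query
      );
  }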
  251.  
  /**
   * Convenience wrapper: fill the {n} placeholders of $preparedQuery with
   * the remaining arguments via sqlvprintf() and run the result through
   * runQuery().
   *
   * @param string $preparedQuery template with {0}, {1}, ... placeholders
   * @param mixed  ...            values for the placeholders, in order
   * @return mixed whatever runQuery() returns
   */
  function runEscapedQuery($preparedQuery /*, ...*/)
  {
      $placeholderValues = func_get_args();
      array_shift($placeholderValues); // drop $preparedQuery itself
      return runQuery(sqlvprintf($preparedQuery, $placeholderValues));
  }
  258.  
  259. runEscapedQuery("INSERT INTO Whatever (id, foo, bar) VALUES ({0}, {1}, {2})", $numericVar, $stringVar1, $stringVar2); // {0}..{2} map to the arguments by position; sqlvprintf() quotes and escapes string arguments itself, so the template must not add quotes around them