- error_reporting = E_ALL ^ E_DEPRECATED
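// Legacy ext/mysql connection, kept for comparison with the PDO variants below.
$link = mysql_connect('localhost', 'user', 'pass');
mysql_select_db('testdb', $link);
// MySQL character set names carry no hyphen ('utf8', 'utf8mb4'); 'UTF-8' is
// not a MySQL charset name, so passing it makes the call fail.
mysql_set_charset('utf8', $link);

// PDO, variant 1: charset declared in the DSN. The DSN is what tells the
// client library which encoding the connection uses, which matters whenever
// a value is escaped on the client side.
$db = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8', 'username', 'password');

// PDO, variant 2: driver options passed at construction.
// ATTR_EMULATE_PREPARES => false asks for server-side prepared statements;
// ERRMODE_EXCEPTION turns every database error into a PDOException.
$db = new PDO(
    'mysql:host=localhost;dbname=testdb;charset=utf8',
    'username',
    'password',
    array(
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    )
);

// PDO, variant 3: same settings applied after construction.
$db = new PDO(
    'mysql:host=localhost;dbname=testdb;charset=utf8',
    'username',
    'password'
);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

//Connected to MySQL
// Legacy error handling: die(mysql_error()) sends the raw database error text
// to the visitor. Shown for comparison with the exception handling below.
$result = mysql_query("SELECT * FROM table", $link) or die(mysql_error($link));

// The three PDO error modes, one per line (pick one).
// NOTE(review): the other snippets on this page set ATTR_ERRMODE on the PDO
// connection ($db); confirm $stmt is meant to be the connection handle here.
$stmt->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT );
$stmt->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING );
$stmt->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );

try {
    //Connect as appropriate as above
    $db->query('hi'); //Invalid query!
}
catch (PDOException $ex) {
    // The visitor gets a generic message; the driver's own message, which can
    // contain SQL and schema details, goes to the log only.
    echo "An Error occured!"; //User friendly message/message you want to show to user
    some_logging_function($ex->getMessage());
}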
/**
 * Runs the fixed query "SELECT * FROM table" on the given handle and returns
 * all rows as associative arrays.
 *
 * The function does no error handling of its own: whatever query() raises on
 * the handle propagates to the caller, which is where the try/catch belongs.
 *
 * @param object $db Database handle exposing query(); a PDO instance in the examples.
 * @return array Every row of the result, keyed by column name.
 */
function data_fun($db) {
    $rows = $db->query("SELECT * FROM table")->fetchAll(PDO::FETCH_ASSOC);
    return $rows;
}
- //Then later
- try {
- data_fun($db);
- }
- catch(PDOException $ex) {
- //Here you can handle error and show message/perform action you want.
- }
- <?php
- $result = mysql_query('SELECT * from table') or die(mysql_error());
- $num_rows = mysql_num_rows($result);
- while($row = mysql_fetch_assoc($result)) {
- echo $row['field1'];
- }
- <?php
- $stmt = $db->query('SELECT * FROM table');
- while($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
- echo $row['field1'];
- }
- <?php
- $stmt = $db->query('SELECT * FROM table');
- $results = $stmt->fetchAll(PDO::FETCH_ASSOC);
- //Use $results
- <?php
- foreach($db->query('SELECT * FROM table') as $row) {
- echo $row['field1'];
- }
- $stmt->fetch(PDO::FETCH_ASSOC)
- <?php
- $stmt = $db->query('SELECT * FROM table');
- $row_count = $stmt->rowCount();
- echo $row_count.' rows selected';
- <?php
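// exec() runs a statement that returns no result set and gives back the number
// of affected rows. The SQL keyword is VALUES; the misspelt "VAULES" is a
// syntax error on the server.
// Only literal values appear here; data that comes from a request belongs in
// prepare()/execute() with placeholders, not in the SQL text.
$result = $db->exec("INSERT INTO table(firstname, lastname) VALUES('John', 'Doe')");
// Auto-increment id generated by the INSERT on this connection.
$insertId = $db->lastInsertId();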
- <?php
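// Legacy ext/mysql form, shown for comparison with the PDO exec() version.
$results = mysql_query("UPDATE table SET field='value'") or die(mysql_error());
// mysql_affected_rows() takes an optional link identifier, not a query result,
// and the snippet passed an undefined $result. Called without an argument it
// reports on the most recently opened connection.
echo mysql_affected_rows();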
- <?php
- $affected_rows = $db->exec("UPDATE table SET field='value'");
- echo $affected_rows;
- $stmt->bindParam(':bla', $bla);
- <?php
- $stmt = $db->prepare("SELECT * FROM table WHERE id=:id AND name=:name");
- $stmt->execute(array(':name' => $name, ':id' => $id));
- $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
/**
 * Minimal data holder used to show that an object cast to an array can be
 * handed to PDOStatement::execute(): the public property names become the
 * array keys, in declaration order.
 */
class person {
    /** Value bound to the :name placeholder. */
    public $name;
    /** Value bound to the :add placeholder. */
    public $add;

    /**
     * @param mixed $a Stored as $name.
     * @param mixed $b Stored as $add.
     */
    public function __construct($a, $b) {
        $this->add = $b;
        $this->name = $a;
    }
}
- $demo = new person('john','29 bla district');
- $stmt = $db->prepare("INSERT INTO table (name, add) value (:name, :add)");
- $stmt->execute((array)$demo);
- <?php
- $stmt = $db->prepare("INSERT INTO folks (name, add) values (?, ?)");
- $stmt->bindValue(1, $name, PDO::PARAM_STR);
- $stmt->bindValue(2, $add, PDO::PARAM_STR);
- $stmt->execute();
- $stmt = $db->prepare("INSERT INTO folks (name, add) values (?, ?)");
- $stmt->execute(array('john', '29 bla district'));
- $stmt = $db->prepare("SELECT * FROM table WHERE id=:id AND name=:name");
- $stmt->execute(array(':name' => $name, ':id' => $id));
- $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
- $stmt = $db->prepare("INSERT INTO table(field1,field2) VALUES(:field1,:field2)");
- $stmt->execute(array(':field1' => $field1, ':field2' => $field2));
- $affected_rows = $stmt->rowCount();
- $stmt = $db->prepare("DELETE FROM table WHERE id=:id");
- $stmt->bindValue(':id', $id, PDO::PARAM_STR);
- $stmt->execute();
- $affected_rows = $stmt->rowCount();
- $stmt = $db->prepare("UPDATE table SET name=? WHERE id=?");
- $stmt->execute(array($name, $id));
- $affected_rows = $stmt->rowCount();
// With emulation off the statement is prepared on the server and the bound
// value travels separately from the SQL text, so no client-side escaping of
// the value takes place.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
// SET NAMES changes the connection charset on the server only; the client
// library is not told. Declaring the charset in the DSN keeps both sides in
// agreement, which is what client-side escaping depends on.
$pdo->query('SET NAMES GBK');
$stmt = $pdo->prepare("SELECT * FROM test WHERE name = ? LIMIT 1");
// Test value for the charset mismatch above: it only matters when the value
// is escaped on the client under a charset the client does not know about.
// Bound to a server-side prepared statement it is compared as plain data.
$probe = chr(0xbf) . chr(0x27) . " OR 1=1 /*";
$stmt->execute(array($probe));
- include_once("pdo_mysql.php");
- pdo_connect("localhost", "usrABC", "pw1234567");
- pdo_select_db("test");
- $result = pdo_query("SELECT title, html FROM pages");
- while ($row = pdo_fetch_assoc($result)) {
- print "$row[title] - $row[html]";
- }
- pdo_query("SELECT id, links, html, title, user, date FROM articles
- WHERE title='" . pdo_real_escape_string($title) . "' OR id='".
- pdo_real_escape_string($title) . "' AND user <> '" .
- pdo_real_escape_string($root) . "' ORDER BY date")
- pdo_query("SELECT id, links, html, title, user, date FROM articles
- WHERE title=? OR id=? AND user<>? ORDER BY date", $title, $id, $root)
- pdo_query("INSERT INTO pages VALUES (?,?,?,?,?)", $_POST);
/**
 * Legacy catch-all "sanitizer": SQL-escapes the value, HTML-encodes it,
 * strips tags, then trims surrounding whitespace.
 *
 * NOTE(review): this mixes two unrelated output contexts. The HTML encoding
 * runs after the SQL escaping, so the stored value is altered and the result
 * is not a dependable SQL literal either. Once queries use bound parameters
 * the SQL step is unnecessary, and HTML encoding belongs at the point where
 * the value is written into a page.
 *
 * @param string $str Raw input value.
 * @return string The value after all four transformations.
 */
function sanitize($str) {
    $sqlEscaped = pdo_real_escape_string($str);
    $htmlEncoded = htmlentities($sqlEscaped);
    $withoutTags = strip_tags($htmlEncoded);
    return trim($withoutTags);
}
- $result = pdo_query("SELECT * FROM tbl");
- while ($row = pdo_fetch_assoc($result)) {
- foreach ($result as $row) {
- $result->fetchAll();
/**
 * printf-style query helper for the legacy mysql_* API.
 *
 * The first argument is an SQL template, the remaining arguments are its
 * values. Every "%s" in the template is wrapped in single quotes, every value
 * is passed through mysql_real_escape_string(), and vsprintf() builds the
 * final statement.
 *
 * Caveats visible in the code:
 *  - every occurrence of "%s" is quoted, including one meant literally;
 *  - vsprintf() interprets every "%" in the template, so a literal percent
 *    sign has to be written as "%%" (wildcards passed as values are fine);
 *  - the escaping depends on the connection character set, so that has to be
 *    set through the API before the first call;
 *  - the exception message contains the complete SQL with its data, so it is
 *    for logs, not for output to the visitor.
 *
 * @return mixed Whatever mysql_query() returned for the built statement.
 * @throws Exception When mysql_query() returns a falsy result.
 */
function paraQuery()
{
    $values = func_get_args();
    $template = str_replace("%s", "'%s'", array_shift($values));

    // Escape each value; array_map() keeps the positions vsprintf() relies on.
    $values = array_map('mysql_real_escape_string', $values);

    $sql = vsprintf($template, $values);
    $result = mysql_query($sql);
    if ($result) {
        return $result;
    }
    throw new Exception(mysql_error()." [$sql]");
}
- $query = "SELECT * FROM table where a=%s AND b LIKE %s LIMIT %d";
- $result = paraQuery($query, $a, "%$b%", $limit);
- $city_ids = array(1,2,3);
- $cities = $db->getCol("SELECT name FROM cities WHERE is IN(?a)", $city_ids);
- $insert = array('name' => 'John', 'surname' => "O'Hara");
- $db->query("INSERT INTO users SET ?u", $insert);
- $data = $db->getAll("SELECT * FROM goods ORDER BY ?n", $_GET['order']);
- mysql> create table users(
- -> id int(2) primary key auto_increment,
- -> userid tinytext,
- -> pass tinytext);
- Query OK, 0 rows affected (0.05 sec)
- mysql> insert into users values(null, 'Fluffeh', 'mypass');
- Query OK, 1 row affected (0.04 sec)
- mysql> create user 'prepared'@'localhost' identified by 'example';
- Query OK, 0 rows affected (0.01 sec)
- mysql> grant all privileges on prep.* to 'prepared'@'localhost' with grant option;
- Query OK, 0 rows affected (0.00 sec)
<?php
// "Before" half of the comparison: a login check that builds its SQL by string
// interpolation. It is kept vulnerable on purpose so that it can be contrasted
// with the prepared-statement version; the sample run on this page shows the
// check passing without a valid password.

// Request values are used as they arrive; 'bob' is the fallback for both.
$user = !empty($_POST['user']) ? $_POST['user'] : 'bob';
$pass = !empty($_POST['pass']) ? $_POST['pass'] : 'bob';

$database = 'prep';
$link = mysql_connect('localhost', 'prepared', 'example');
mysql_select_db($database) or die( "Unable to select database");

// DEFECT (deliberate): $user and $pass become part of the SQL text, so the
// request decides what the WHERE clause means. Nothing validates or escapes
// them before this line.
$sql="select id, userid, pass from users where userid='$user' and pass='$pass'";
$result = mysql_query($sql);

// Any returned row counts as a successful login, so a WHERE clause that is
// true for every row is enough to pass.
$isAdmin = false;
while ($row = mysql_fetch_assoc($result)) {
    // Also worth noting: the password is stored and compared in plain text and
    // is printed back, and none of the echoed values is HTML-encoded.
    echo "My id is ".$row['id']." and my username is ".$row['userid']." and lastly, my password is ".$row['pass']."<br>";
    $isAdmin = true;
}

echo $isAdmin
    ? "The check passed. We have a verified admin!<br>"
    : "You could not be verified. Please try again...<br>";

mysql_close($link);
?>
- <form name="exploited" method='post'>
- User: <input type='text' name='user'><br>
- Pass: <input type='text' name='pass'><br>
- <input type='submit'>
- </form>
- user: bob
- pass: somePass
- You could not be verified. Please try again...
- user: Fluffeh
- pass: mypass
- user: bob
- pass: n' or 1=1 or 'm=m
- The check passed. We have a verified admin!
- select id, userid, pass from users where userid='$user' and pass='$pass'
- select id, userid, pass from users where userid='bob' and pass='n' or 1=1 or 'm=m'
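<?php
// "After" half of the comparison: the same login check with a prepared
// statement. The request values are bound as data and never become part of
// the SQL text.

// Request values are used as they arrive; 'bob' is the fallback for both.
$user = !empty($_POST['user']) ? $_POST['user'] : 'bob';
$pass = !empty($_POST['pass']) ? $_POST['pass'] : 'bob';

$isAdmin = false;

// charset in the DSN tells the client library which encoding the connection
// uses (utf8mb4 is the full four-byte variant where the schema uses it).
$pdo = new PDO('mysql:host=localhost;dbname=prep;charset=utf8', 'prepared', 'example');
// Server-side prepares, as in the connection examples earlier on this page:
// the values are sent separately from the statement.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$sql = "select id, userid, pass from users where userid=:user and pass=:password";
$myPDO = $pdo->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));

// Database values are written into HTML, so they are encoded for that context.
$esc = function ($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
};

if ($myPDO->execute(array(':user' => $user, ':password' => $pass))) {
    while ($row = $myPDO->fetch(PDO::FETCH_ASSOC)) {
        // NOTE(review): the password is still stored and compared in plain
        // text and printed back. A real login stores password_hash() output
        // and checks it with password_verify(); that needs a schema change
        // and is outside this snippet.
        echo "My id is ".$esc($row['id'])." and my username is ".$esc($row['userid'])." and lastly, my password is ".$esc($row['pass'])."<br>";
        // We have correctly matched the Username and Password
        $isAdmin = true;
    }
}

if ($isAdmin) {
    echo "The check passed. We have a verified admin!<br>";
} else {
    echo "You could not be verified. Please try again...<br>";
}
?>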
- <form name="exploited" method='post'>
- User: <input type='text' name='user'><br>
- Pass: <input type='text' name='pass'><br>
- <input type='submit'>
- </form>
- user: bob
- pass: somePass
- user: Fluffeh
- pass: mypass
- user: bob
- pass: n' or 1=1 or 'm=m
- You could not be verified. Please try again...
- <?php
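/*
 * Drop-in replacements for the removed ext/mysql functions, implemented on
 * top of mysqli. The last connection opened through mysql_connect() is kept
 * in $GLOBALS and used whenever a function is called without a link.
 *
 * This layer keeps legacy code running; it does not make that code safe.
 * Queries built by string concatenation stay exactly as injectable as before,
 * and mysql_real_escape_string() is only dependable when the connection
 * charset was set with mysql_set_charset(). New code should use prepared
 * statements.
 */

// Key under which the default connection is stored in $GLOBALS.
define('MYSQL_LINK', 'dbl');
$GLOBALS[MYSQL_LINK] = null;

/** Returns $link, or the stored default connection when $link is null. */
function mysql_link($link=null) {
    return ($link === null) ? $GLOBALS[MYSQL_LINK] : $link;
}

/** Opens a connection and stores it as the default link. */
function mysql_connect($host, $user, $pass) {
    $GLOBALS[MYSQL_LINK] = mysqli_connect($host, $user, $pass);
    return $GLOBALS[MYSQL_LINK];
}

/** Alias of mysql_connect(); no persistent connection is made. */
function mysql_pconnect($host, $user, $pass) {
    return mysql_connect($host, $user, $pass);
}

/** Selects the default database on the link. */
function mysql_select_db($db, $link=null) {
    return mysqli_select_db(mysql_link($link), $db);
}

/** Closes the link. */
function mysql_close($link=null) {
    return mysqli_close(mysql_link($link));
}

/** Text of the last error on the link. Meant for logs, not for page output. */
function mysql_error($link=null) {
    return mysqli_error(mysql_link($link));
}

/** Numeric code of the last error on the link. */
function mysql_errno($link=null) {
    return mysqli_errno(mysql_link($link));
}

/** Pings the server over the link. */
function mysql_ping($link=null) {
    return mysqli_ping(mysql_link($link));
}

/** Server status string for the link. */
function mysql_stat($link=null) {
    return mysqli_stat(mysql_link($link));
}

/** Rows affected by the last statement on the link. */
function mysql_affected_rows($link=null) {
    return mysqli_affected_rows(mysql_link($link));
}

/** Name of the character set in use on the link. */
function mysql_client_encoding($link=null) {
    return mysqli_character_set_name(mysql_link($link));
}

/** Thread id of the link. */
function mysql_thread_id($link=null) {
    return mysqli_thread_id(mysql_link($link));
}

/** Delegates to mysql_real_escape_string() on the default link. */
function mysql_escape_string($string) {
    return mysql_real_escape_string($string);
}

/**
 * Escapes a value for use inside a quoted SQL string literal.
 * The result depends on the link's character set, so set it with
 * mysql_set_charset() rather than a "SET NAMES" query. It protects quoted
 * literals only, not identifiers or unquoted numbers.
 */
function mysql_real_escape_string($string, $link=null) {
    return mysqli_real_escape_string(mysql_link($link), $string);
}

/** Runs a statement on the link and returns the mysqli result. */
function mysql_query($sql, $link=null) {
    return mysqli_query(mysql_link($link), $sql);
}

/** Runs a statement without buffering the result set on the client. */
function mysql_unbuffered_query($sql, $link=null) {
    return mysqli_query(mysql_link($link), $sql, MYSQLI_USE_RESULT);
}

/** Sets the connection character set through the API. */
function mysql_set_charset($charset, $link=null){
    return mysqli_set_charset(mysql_link($link), $charset);
}

/** Host information string for the link. */
function mysql_get_host_info($link=null) {
    return mysqli_get_host_info(mysql_link($link));
}

/** Protocol version used by the link. */
function mysql_get_proto_info($link=null) {
    return mysqli_get_proto_info(mysql_link($link));
}

/** Server version string for the link. */
function mysql_get_server_info($link=null) {
    return mysqli_get_server_info(mysql_link($link));
}

/** Information about the most recent statement on the link. */
function mysql_info($link=null) {
    return mysqli_info(mysql_link($link));
}

/**
 * Client library version string.
 * Called without a link: the value does not depend on a connection, and
 * passing one to mysqli_get_client_info() is deprecated in current PHP.
 */
function mysql_get_client_info() {
    return mysqli_get_client_info();
}

/** Creates a database; the name is escaped and stripped of backticks before quoting. */
function mysql_create_db($db, $link=null) {
    $link = mysql_link($link);
    $db = str_replace('`', '', mysqli_real_escape_string($link, $db));
    return mysqli_query($link, "CREATE DATABASE `$db`");
}

/** Drops a database; the name is escaped and stripped of backticks before quoting. */
function mysql_drop_db($db, $link=null) {
    $link = mysql_link($link);
    $db = str_replace('`', '', mysqli_real_escape_string($link, $db));
    return mysqli_query($link, "DROP DATABASE `$db`");
}

/** Result set listing the databases visible to the link. */
function mysql_list_dbs($link=null) {
    return mysqli_query(mysql_link($link), "SHOW DATABASES");
}

/** Result set describing the columns of `$db`.`$table`. */
function mysql_list_fields($db, $table, $link=null) {
    $link = mysql_link($link);
    $db = str_replace('`', '', mysqli_real_escape_string($link, $db));
    $table = str_replace('`', '', mysqli_real_escape_string($link, $table));
    return mysqli_query($link, "SHOW COLUMNS FROM `$db`.`$table`");
}

/** Result set listing the tables of a database. */
function mysql_list_tables($db, $link=null) {
    $link = mysql_link($link);
    $db = str_replace('`', '', mysqli_real_escape_string($link, $db));
    return mysqli_query($link, "SHOW TABLES FROM `$db`");
}

/**
 * Selects a database, then runs the statement.
 * Returns false when the database cannot be selected, so the statement is
 * never run against whichever database happened to be selected before.
 */
function mysql_db_query($db, $sql, $link=null) {
    $link = mysql_link($link);
    if (!mysqli_select_db($link, $db)) {
        return false;
    }
    return mysqli_query($link, $sql);
}

/** Next row as a numerically indexed array. */
function mysql_fetch_row($qlink) {
    return mysqli_fetch_row($qlink);
}

/** Next row as an array keyed by column name. */
function mysql_fetch_assoc($qlink) {
    return mysqli_fetch_assoc($qlink);
}

/** Next row as an array; $result selects numeric keys, name keys or both. */
function mysql_fetch_array($qlink, $result=MYSQLI_BOTH) {
    return mysqli_fetch_array($qlink, $result);
}

/** Lengths of the columns of the current row. */
function mysql_fetch_lengths($qlink) {
    return mysqli_fetch_lengths($qlink);
}

/**
 * Auto-increment id generated by the last INSERT.
 * Takes a connection (as the original function did), not a query result, and
 * falls back to the default link when called without an argument.
 */
function mysql_insert_id($link=null) {
    return mysqli_insert_id(mysql_link($link));
}

/** Number of rows in the result set. */
function mysql_num_rows($qlink) {
    return mysqli_num_rows($qlink);
}

/** Number of columns in the result set. */
function mysql_num_fields($qlink) {
    return mysqli_num_fields($qlink);
}

/** Moves the row pointer of the result set to $row. */
function mysql_data_seek($qlink, $row) {
    return mysqli_data_seek($qlink, $row);
}

/** Moves the field pointer of the result set to $offset. */
function mysql_field_seek($qlink, $offset) {
    return mysqli_field_seek($qlink, $offset);
}

/** Next row as an object of $class, with optional constructor arguments. */
function mysql_fetch_object($qlink, $class="stdClass", array $params=null) {
    return ($params === null)
        ? mysqli_fetch_object($qlink, $class)
        : mysqli_fetch_object($qlink, $class, $params);
}

/** Reads column $field of row $row from a mysql_list_dbs() result. */
function mysql_db_name($qlink, $row, $field='Database') {
    mysqli_data_seek($qlink, $row);
    $db = mysqli_fetch_assoc($qlink);
    return $db[$field];
}

/** Metadata of the next field, or of the field at $offset when given. */
function mysql_fetch_field($qlink, $offset=null) {
    if ($offset !== null) {
        mysqli_field_seek($qlink, $offset);
    }
    return mysqli_fetch_field($qlink);
}

/**
 * Returns one cell: column $field (index or name) of row $offset, or false
 * when the row or the column is not there.
 * $offset is a row number, so the row pointer is moved with
 * mysqli_data_seek(); the field pointer has no effect on which row is fetched.
 */
function mysql_result($qlink, $offset, $field=0) {
    if ($offset !== null && !mysqli_data_seek($qlink, $offset)) {
        return false;
    }
    $row = mysqli_fetch_array($qlink);
    return (!is_array($row) || !isset($row[$field]))
        ? false
        : $row[$field];
}

/** Length of the field at $offset, or false when there is no such field. */
function mysql_field_len($qlink, $offset) {
    $field = mysqli_fetch_field_direct($qlink, $offset);
    return is_object($field) ? $field->length : false;
}

/** Original column name of the field at $offset (the alias when none is reported), or false. */
function mysql_field_name($qlink, $offset) {
    $field = mysqli_fetch_field_direct($qlink, $offset);
    if (!is_object($field)) {
        return false;
    }
    return empty($field->orgname) ? $field->name : $field->orgname;
}

/** Original table name of the field at $offset (the alias when none is reported), or false. */
function mysql_field_table($qlink, $offset) {
    $field = mysqli_fetch_field_direct($qlink, $offset);
    if (!is_object($field)) {
        return false;
    }
    return empty($field->orgtable) ? $field->table : $field->orgtable;
}

/** Type value mysqli reports for the field at $offset, or false. */
function mysql_field_type($qlink, $offset) {
    $field = mysqli_fetch_field_direct($qlink, $offset);
    return is_object($field) ? $field->type : false;
}

/** Frees the result set; returns false when mysqli raises an Exception. */
function mysql_free_result($qlink) {
    try {
        mysqli_free_result($qlink);
    } catch (Exception $e) {
        return false;
    }
    return true;
}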