
Untitled

a guest
Jul 11th, 2017
  1. error_reporting = E_ALL ^ E_DEPRECATED
  2.  
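  // Legacy ext/mysql connection, shown for comparison with the PDO examples.
  $link = mysql_connect('localhost', 'user', 'pass');
  mysql_select_db('testdb', $link);
  // MySQL charset names have no hyphen ('utf8', or 'utf8mb4' for full Unicode).
  // 'UTF-8' is not a valid name, so the call would fail and the connection would
  // keep its default charset. String escaping depends on the connection charset.
  mysql_set_charset('utf8', $link);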
  6.  
  7. $db = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8', 'username', 'password');
  8.  
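  // Connect with the driver options set at construction time.
  // The DSN charset must be a MySQL charset name ('utf8', or 'utf8mb4' for full
  // Unicode); 'UTF-8' is not one. This matches the single-line example above.
  $db = new PDO(
      'mysql:host=localhost;dbname=testdb;charset=utf8',
      'username',
      'password',
      array(
          // Use server-side prepared statements instead of client-side emulation.
          PDO::ATTR_EMULATE_PREPARES => false,
          // Report database errors as PDOException instead of silent failures.
          PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
      )
  );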
  14.  
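  // Same connection, with the attributes applied after construction.
  // The DSN charset must be a MySQL charset name ('utf8', or 'utf8mb4' for full
  // Unicode); 'UTF-8' is not one.
  $db = new PDO(
      'mysql:host=localhost;dbname=testdb;charset=utf8',
      'username',
      'password'
  );
  // Report database errors as PDOException instead of silent failures.
  $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
  // Use server-side prepared statements instead of client-side emulation.
  $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);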
  20.  
  21. //Connected to MySQL
  22. $result = mysql_query("SELECT * FROM table", $link) or die(mysql_error($link));
  23.  
  24. $stmt->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT );
  25. $stmt->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING );
  26. $stmt->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
  27.  
  28. try {
  29. //Connect as appropriate as above
  30. $db->query('hi'); //Invalid query!
  31. }
  32. catch (PDOException $ex) {
  33. echo "An Error occured!"; //User friendly message/message you want to show to user
  34. some_logging_function($ex->getMessage());
  35. }
  36.  
  /**
   * Run the fixed SELECT on the given handle and return every row.
   *
   * The rows are fetched with PDO::FETCH_ASSOC. Nothing is caught here, so any
   * exception raised by the handle reaches the caller.
   *
   * @param object $db handle exposing query(), e.g. a PDO connection
   * @return mixed the result of fetchAll(PDO::FETCH_ASSOC)
   */
  function data_fun($db) {
      return $db->query("SELECT * FROM table")->fetchAll(PDO::FETCH_ASSOC);
  }
  41.  
  42. //Then later
  43. try {
  44. data_fun($db);
  45. }
  46. catch(PDOException $ex) {
  47. //Here you can handle error and show message/perform action you want.
  48. }
  49.  
  50. <?php
  51. $result = mysql_query('SELECT * from table') or die(mysql_error());
  52.  
  53. $num_rows = mysql_num_rows($result);
  54.  
  55. while($row = mysql_fetch_assoc($result)) {
  56. echo $row['field1'];
  57. }
  58.  
  59. <?php
  60. $stmt = $db->query('SELECT * FROM table');
  61.  
  62. while($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
  63. echo $row['field1'];
  64. }
  65.  
  66. <?php
  67. $stmt = $db->query('SELECT * FROM table');
  68. $results = $stmt->fetchAll(PDO::FETCH_ASSOC);
  69.  
  70. //Use $results
  71.  
  72. <?php
  73. foreach($db->query('SELECT * FROM table') as $row) {
  74. echo $row['field1'];
  75. }
  76.  
  77. $stmt->fetch(PDO::FETCH_ASSOC)
  78.  
  79. <?php
  80. $stmt = $db->query('SELECT * FROM table');
  81. $row_count = $stmt->rowCount();
  82. echo $row_count.' rows selected';
  83.  
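  <?php
  // exec() is for statements that return no result set. Its return value is the
  // number of affected rows, or false on failure.
  // The original statement misspelled the VALUES keyword, so it could never run.
  $result = $db->exec("INSERT INTO table(firstname, lastname) VALUES('John', 'Doe')");
  // Auto-increment id generated by the INSERT on this connection.
  $insertId = $db->lastInsertId();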
  87.  
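  <?php
  $results = mysql_query("UPDATE table SET field='value'") or die(mysql_error());
  // mysql_affected_rows() takes an optional connection link, not the query
  // result. The original passed an undefined $result variable.
  echo mysql_affected_rows();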
  91.  
  92. <?php
  93. $affected_rows = $db->exec("UPDATE table SET field='value'");
  94. echo $affected_rows;
  95.  
  96. $stmt->bindParam(':bla', $bla);
  97.  
  98. <?php
  99. $stmt = $db->prepare("SELECT * FROM table WHERE id=:id AND name=:name");
  100. $stmt->execute(array(':name' => $name, ':id' => $id));
  101. $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
  102.  
  103. class person {
  104. public $name;
  105. public $add;
  106. function __construct($a,$b) {
  107. $this->name = $a;
  108. $this->add = $b;
  109. }
  110.  
  111. }
  112. $demo = new person('john','29 bla district');
  113. $stmt = $db->prepare("INSERT INTO table (name, add) value (:name, :add)");
  114. $stmt->execute((array)$demo);
  115.  
  116. <?php
  117. $stmt = $db->prepare("INSERT INTO folks (name, add) values (?, ?)");
  118. $stmt->bindValue(1, $name, PDO::PARAM_STR);
  119. $stmt->bindValue(2, $add, PDO::PARAM_STR);
  120. $stmt->execute();
  121.  
  122. $stmt = $db->prepare("INSERT INTO folks (name, add) values (?, ?)");
  123. $stmt->execute(array('john', '29 bla district'));
  124.  
  125. $stmt = $db->prepare("SELECT * FROM table WHERE id=:id AND name=:name");
  126. $stmt->execute(array(':name' => $name, ':id' => $id));
  127. $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
  128.  
  129. $stmt = $db->prepare("INSERT INTO table(field1,field2) VALUES(:field1,:field2)");
  130. $stmt->execute(array(':field1' => $field1, ':field2' => $field2));
  131. $affected_rows = $stmt->rowCount();
  132.  
  133. $stmt = $db->prepare("DELETE FROM table WHERE id=:id");
  134. $stmt->bindValue(':id', $id, PDO::PARAM_STR);
  135. $stmt->execute();
  136. $affected_rows = $stmt->rowCount();
  137.  
  138. $stmt = $db->prepare("UPDATE table SET name=? WHERE id=?");
  139. $stmt->execute(array($name, $id));
  140. $affected_rows = $stmt->rowCount();
  141.  
  // With emulation off, the statement is prepared by the server and the bound
  // value is sent separately from the SQL text.
  142. $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
  // NOTE(review): SET NAMES changes the charset on the server side only. Setting
  // the charset in the DSN keeps the client library and the server in agreement.
  143. $pdo->query('SET NAMES GBK');
  144. $stmt = $pdo->prepare("SELECT * FROM test WHERE name = ? LIMIT 1");
  // The bound value is a multibyte test string (bytes 0xBF 0x27 plus trailing
  // text). It is passed as data to the placeholder, not concatenated into SQL.
  145. $stmt->execute(array(chr(0xbf) . chr(0x27) . " OR 1=1 /*"));
  146.  
  147. include_once("pdo_mysql.php");
  148.  
  149. pdo_connect("localhost", "usrABC", "pw1234567");
  150. pdo_select_db("test");
  151.  
  152. $result = pdo_query("SELECT title, html FROM pages");
  153.  
  154. while ($row = pdo_fetch_assoc($result)) {
  155. print "$row[title] - $row[html]";
  156. }
  157.  
  158. pdo_query("SELECT id, links, html, title, user, date FROM articles
  159. WHERE title='" . pdo_real_escape_string($title) . "' OR id='".
  160. pdo_real_escape_string($title) . "' AND user <> '" .
  161. pdo_real_escape_string($root) . "' ORDER BY date")
  162.  
  163. pdo_query("SELECT id, links, html, title, user, date FROM articles
  164. WHERE title=? OR id=? AND user<>? ORDER BY date", $title, $id, $root)
  165.  
  // NOTE(review): the whole of $_POST is bound positionally, so the client decides
  // how many values arrive, in what order, and which column each one lands in.
  // Picking the expected fields explicitly before binding would avoid that.
  166. pdo_query("INSERT INTO pages VALUES (?,?,?,?,?)", $_POST);
  167.  
  /**
   * Apply SQL escaping, HTML entity encoding, tag stripping and trimming in turn.
   *
   * NOTE(review): this stacks encodings for two different output contexts into
   * one value. SQL escaping is only right for text placed in a query, and entity
   * encoding only for text placed in HTML. strip_tags() runs after htmlentities(),
   * so angle brackets are already encoded when it sees them. Binding values as
   * query parameters and encoding at output time keeps each step in its context.
   *
   * @param string $str raw input
   * @return string the transformed value
   */
  function sanitize($str) {
      $sqlEscaped = pdo_real_escape_string($str);
      $entityEncoded = htmlentities($sqlEscaped);
      $withoutTags = strip_tags($entityEncoded);
      return trim($withoutTags);
  }
  171.  
  172. $result = pdo_query("SELECT * FROM tbl");
  173. while ($row = pdo_fetch_assoc($result)) {
  174.  
  175. foreach ($result as $row) {
  176.  
  177. $result->fetchAll();
  178.  
  /**
   * printf-style query helper: paraQuery($template, $value1, $value2, ...).
   *
   * Every "%s" in the template is wrapped in single quotes, each value is passed
   * through mysql_real_escape_string(), and the result is formatted with
   * vsprintf() and executed with mysql_query().
   *
   * NOTE(review):
   *  - Templates must not quote "%s" themselves, or the quotes are doubled.
   *  - "%d" is left unquoted and relies on vsprintf()'s integer conversion.
   *  - Only values can be passed this way, not identifiers or SQL keywords.
   *  - The exception message embeds the full SQL text, including the supplied
   *    values. It should be logged rather than shown to users.
   *
   * @return mixed the mysql_query() result
   * @throws Exception when mysql_query() reports failure
   */
  function paraQuery()
  {
      $params = func_get_args();
      // The first argument is the template; the rest are the values to escape.
      $template = str_replace("%s", "'%s'", array_shift($params));
      $escaped = array_map('mysql_real_escape_string', $params);

      $sql = vsprintf($template, $escaped);
      $res = mysql_query($sql);
      if ($res) {
          return $res;
      }
      throw new Exception(mysql_error()." [$sql]");
  }
  198.  
  199. $query = "SELECT * FROM table where a=%s AND b LIKE %s LIMIT %d";
  200. $result = paraQuery($query, $a, "%$b%", $limit);
  201.  
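  // The ?a placeholder presumably expands an array into the IN() list (semantics
  // of the $db wrapper are not shown here). The original filter column read
  // "is", which is not valid SQL; "id" is the evident intent.
  $city_ids = array(1,2,3);
  $cities = $db->getCol("SELECT name FROM cities WHERE id IN(?a)", $city_ids);

  // The ?u placeholder presumably turns the key/value pairs into a SET clause.
  $insert = array('name' => 'John', 'surname' => "O'Hara");
  $db->query("INSERT INTO users SET ?u", $insert);

  // NOTE(review): ?n presumably quotes its argument as an identifier. Even so,
  // the request still chooses which column is used, so compare $_GET['order']
  // against a fixed list of sortable columns before passing it in.
  $data = $db->getAll("SELECT * FROM goods ORDER BY ?n", $_GET['order']);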
  209.  
  210. mysql> create table users(
  211. -> id int(2) primary key auto_increment,
  212. -> userid tinytext,
  213. -> pass tinytext);
  214. Query OK, 0 rows affected (0.05 sec)
  215.  
  216. mysql> insert into users values(null, 'Fluffeh', 'mypass');
  217. Query OK, 1 row affected (0.04 sec)
  218.  
  219. mysql> create user 'prepared'@'localhost' identified by 'example';
  220. Query OK, 0 rows affected (0.01 sec)
  221.  
  222. mysql> grant all privileges on prep.* to 'prepared'@'localhost' with grant option;
  223. Query OK, 0 rows affected (0.00 sec)
  224.  
  225. <?php
  226.  
  227. if(!empty($_POST['user']))
  228. {
  229. $user=$_POST['user'];
  230. }
  231. else
  232. {
  233. $user='bob';
  234. }
  235. if(!empty($_POST['pass']))
  236. {
  237. $pass=$_POST['pass'];
  238. }
  239. else
  240. {
  241. $pass='bob';
  242. }
  243.  
  244. $database='prep';
  245. $link=mysql_connect('localhost', 'prepared', 'example');
  246. mysql_select_db($database) or die( "Unable to select database");
  247.  
  // DELIBERATELY VULNERABLE (demonstration only): $user and $pass come straight
  // from $_POST and are interpolated into the SQL text, so the input can change
  // the structure of the query. The PDO version of this script binds them as
  // parameters instead; do not reuse this pattern.
  248. $sql="select id, userid, pass from users where userid='$user' and pass='$pass'";
  249. //echo $sql."<br><br>";
  // NOTE(review): the return value is not checked before the fetch loop.
  250. $result=mysql_query($sql);
  251. $isAdmin=false;
  // Any returned row sets $isAdmin, so the access decision rests entirely on
  // the query above.
  252. while ($row = mysql_fetch_assoc($result)) {
  // NOTE(review): the row values are echoed without HTML escaping, and 'pass' is
  // stored, compared and printed as plain text in this demo.
  253. echo "My id is ".$row['id']." and my username is ".$row['userid']." and lastly, my password is ".$row['pass']."<br>";
  254. $isAdmin=true;
  255. // We have correctly matched the Username and Password
  256. // Lets give this person full access
  257. }
  258. if($isAdmin)
  259. {
  260. echo "The check passed. We have a verified admin!<br>";
  261. }
  262. else
  263. {
  264. echo "You could not be verified. Please try again...<br>";
  265. }
  266. mysql_close($link);
  267.  
  268. ?>
  269.  
  270. <form name="exploited" method='post'>
  271. User: <input type='text' name='user'><br>
  272. Pass: <input type='text' name='pass'><br>
  273. <input type='submit'>
  274. </form>
  275.  
  276. user: bob
  277. pass: somePass
  278.  
  279. You could not be verified. Please try again...
  280.  
  281. user: Fluffeh
  282. pass: mypass
  283.  
  284. user: bob
  285. pass: n' or 1=1 or 'm=m
  286.  
  287. The check passed. We have a verified admin!
  288.  
  289. select id, userid, pass from users where userid='$user' and pass='$pass'
  290.  
  291. select id, userid, pass from users where userid='bob' and pass='n' or 1=1 or 'm=m'
  292.  
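  <?php

  // Fall back to a fixed dummy credential when a field is missing or empty.
  $user = !empty($_POST['user']) ? $_POST['user'] : 'bob';
  $pass = !empty($_POST['pass']) ? $_POST['pass'] : 'bob';
  $isAdmin = false;

  // Set the connection charset in the DSN and turn off emulated prepares, as the
  // connection examples earlier on this page do. The values are then bound by
  // the server rather than spliced into the SQL text by the client.
  $pdo = new PDO(
      'mysql:host=localhost;dbname=prep;charset=utf8',
      'prepared',
      'example',
      array(PDO::ATTR_EMULATE_PREPARES => false)
  );

  // NOTE(review): this demo stores and compares the password as plain text. A
  // real login would store password_hash() output and check password_verify().
  $sql = "select id, userid, pass from users where userid=:user and pass=:password";
  $myPDO = $pdo->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
  if ($myPDO->execute(array(':user' => $user, ':password' => $pass))) {
      while ($row = $myPDO->fetch(PDO::FETCH_ASSOC)) {
          // Database values are written into HTML, so encode them for that
          // context. Binding parameters protects the query, not the page.
          $id = htmlspecialchars((string) $row['id'], ENT_QUOTES, 'UTF-8');
          $userid = htmlspecialchars((string) $row['userid'], ENT_QUOTES, 'UTF-8');
          $stored = htmlspecialchars((string) $row['pass'], ENT_QUOTES, 'UTF-8');
          echo "My id is ".$id." and my username is ".$userid." and lastly, my password is ".$stored."<br>";
          // A matching row means the username and password were both correct.
          $isAdmin = true;
      }
  }

  if ($isAdmin) {
      echo "The check passed. We have a verified admin!<br>";
  } else {
      echo "You could not be verified. Please try again...<br>";
  }

  ?>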
  338.  
  339. <form name="exploited" method='post'>
  340. User: <input type='text' name='user'><br>
  341. Pass: <input type='text' name='pass'><br>
  342. <input type='submit'>
  343. </form>
  344.  
  345. user: bob
  346. pass: somePass
  347.  
  348. user: Fluffeh
  349. pass: mypass
  350.  
  351. user: bob
  352. pass: n' or 1=1 or 'm=m
  353.  
  354. You could not be verified. Please try again...
  355.  
  356. <?php
  357.  
  // Name of the $GLOBALS slot that holds the shared default connection.
  define('MYSQL_LINK', 'dbl');
  // No connection yet; mysql_connect() stores the handle here.
  $GLOBALS[MYSQL_LINK] = null;
  360.  
  /**
   * Resolve the connection to use: the explicit $link when one is given,
   * otherwise the shared default stored in $GLOBALS[MYSQL_LINK].
   *
   * @param mixed $link explicit connection, or null for the default
   * @return mixed the connection to use
   */
  function mysql_link($link=null) {
      if ($link !== null) {
          return $link;
      }
      return $GLOBALS[MYSQL_LINK];
  }
  364.  
  /**
   * Open a mysqli connection and remember it as the shared default link.
   *
   * @return mixed whatever mysqli_connect() returned
   */
  function mysql_connect($host, $user, $pass) {
      $conn = mysqli_connect($host, $user, $pass);
      // Stored even when the connect failed, exactly as returned.
      $GLOBALS[MYSQL_LINK] = $conn;
      return $conn;
  }
  369.  
  /**
   * Alias of mysql_connect(); this shim adds no persistent-connection handling.
   */
  function mysql_pconnect($host, $user, $pass) {
      $conn = mysql_connect($host, $user, $pass);
      return $conn;
  }
  373.  
  /**
   * Select the database $db on $link, or on the default link when $link is null.
   */
  function mysql_select_db($db, $link=null) {
      return mysqli_select_db(mysql_link($link), $db);
  }
  378.  
  /**
   * Close $link, or the default link when $link is null.
   */
  function mysql_close($link=null) {
      return mysqli_close(mysql_link($link));
  }
  383.  
  /**
   * Return mysqli_error() for $link, or for the default link when $link is null.
   *
   * NOTE(review): the text can reveal SQL and schema details, so it is better
   * logged than shown to users.
   */
  function mysql_error($link=null) {
      return mysqli_error(mysql_link($link));
  }
  388.  
  /**
   * Return mysqli_errno() for $link, or for the default link when $link is null.
   */
  function mysql_errno($link=null) {
      return mysqli_errno(mysql_link($link));
  }
  393.  
  /**
   * Forward to mysqli_ping() on $link, or on the default link when $link is null.
   */
  function mysql_ping($link=null) {
      return mysqli_ping(mysql_link($link));
  }
  398.  
  /**
   * Forward to mysqli_stat() on $link, or on the default link when $link is null.
   */
  function mysql_stat($link=null) {
      return mysqli_stat(mysql_link($link));
  }
  403.  
  /**
   * Return mysqli_affected_rows() for $link, or for the default link when null.
   */
  function mysql_affected_rows($link=null) {
      return mysqli_affected_rows(mysql_link($link));
  }
  408.  
  /**
   * Return the connection character set name via mysqli_character_set_name().
   */
  function mysql_client_encoding($link=null) {
      return mysqli_character_set_name(mysql_link($link));
  }
  413.  
  /**
   * Return mysqli_thread_id() for $link, or for the default link when null.
   */
  function mysql_thread_id($link=null) {
      return mysqli_thread_id(mysql_link($link));
  }
  418.  
  /**
   * Escape $string by delegating to mysql_real_escape_string() on the default
   * link, so a connection must already be open when this is called.
   */
  function mysql_escape_string($string) {
      $escaped = mysql_real_escape_string($string);
      return $escaped;
  }
  422.  
  /**
   * Escape $string with mysqli_real_escape_string() on $link, or on the default
   * link when $link is null.
   *
   * NOTE(review): the escaping follows the connection's character set, so set
   * the charset through mysql_set_charset() rather than a SET NAMES query.
   * Escaped text is only safe inside a quoted SQL string literal; prepared
   * statements avoid the problem altogether.
   */
  function mysql_real_escape_string($string, $link=null) {
      return mysqli_real_escape_string(mysql_link($link), $string);
  }
  427.  
  /**
   * Execute $sql with mysqli_query() on $link, or on the default link when null.
   *
   * The SQL text is sent exactly as given. There is no parameter binding here,
   * so callers are responsible for how the text was built.
   */
  function mysql_query($sql, $link=null) {
      return mysqli_query(mysql_link($link), $sql);
  }
  432.  
  /**
   * Execute $sql with the MYSQLI_USE_RESULT mode of mysqli_query(), on $link or
   * on the default link when $link is null. The SQL text is sent as given.
   */
  function mysql_unbuffered_query($sql, $link=null) {
      return mysqli_query(mysql_link($link), $sql, MYSQLI_USE_RESULT);
  }
  437.  
  /**
   * Set the connection charset via mysqli_set_charset() on $link, or on the
   * default link when $link is null. $charset must be a MySQL charset name.
   */
  function mysql_set_charset($charset, $link=null){
      return mysqli_set_charset(mysql_link($link), $charset);
  }
  442.  
  /**
   * Return mysqli_get_host_info() for $link, or for the default link when null.
   */
  function mysql_get_host_info($link=null) {
      return mysqli_get_host_info(mysql_link($link));
  }
  447.  
  /**
   * Return mysqli_get_proto_info() for $link, or for the default link when null.
   */
  function mysql_get_proto_info($link=null) {
      return mysqli_get_proto_info(mysql_link($link));
  }
  /**
   * Return mysqli_get_server_info() for $link, or for the default link when null.
   */
  function mysql_get_server_info($link=null) {
      return mysqli_get_server_info(mysql_link($link));
  }
  456.  
  /**
   * Return mysqli_info() for $link, or for the default link when $link is null.
   */
  function mysql_info($link=null) {
      return mysqli_info(mysql_link($link));
  }
  461.  
  /**
   * Return mysqli_get_client_info(), passing it the default link (which is null
   * until mysql_connect() has been called).
   */
  function mysql_get_client_info() {
      return mysqli_get_client_info(mysql_link());
  }
  466.  
  /**
   * Issue CREATE DATABASE for $db on $link, or on the default link when null.
   *
   * The name is escaped and stripped of backticks before it is placed between
   * backticks, so it cannot close the quoted identifier.
   */
  function mysql_create_db($db, $link=null) {
      $conn = mysql_link($link);
      $name = str_replace('`', '', mysqli_real_escape_string($conn, $db));
      return mysqli_query($conn, "CREATE DATABASE `$name`");
  }
  472.  
  /**
   * Issue DROP DATABASE for $db on $link, or on the default link when null.
   *
   * The name is escaped and stripped of backticks before it is placed between
   * backticks, so it cannot close the quoted identifier.
   */
  function mysql_drop_db($db, $link=null) {
      $conn = mysql_link($link);
      $name = str_replace('`', '', mysqli_real_escape_string($conn, $db));
      return mysqli_query($conn, "DROP DATABASE `$name`");
  }
  478.  
  /**
   * Run SHOW DATABASES on $link, or on the default link when $link is null.
   */
  function mysql_list_dbs($link=null) {
      return mysqli_query(mysql_link($link), "SHOW DATABASES");
  }
  483.  
  /**
   * Run SHOW COLUMNS for $db.$table on $link, or on the default link when null.
   *
   * Both names are escaped and stripped of backticks before being placed
   * between backticks.
   */
  function mysql_list_fields($db, $table, $link=null) {
      $conn = mysql_link($link);
      $dbName = str_replace('`', '', mysqli_real_escape_string($conn, $db));
      $tableName = str_replace('`', '', mysqli_real_escape_string($conn, $table));
      return mysqli_query($conn, "SHOW COLUMNS FROM `$dbName`.`$tableName`");
  }
  490.  
  /**
   * Run SHOW TABLES for $db on $link, or on the default link when null.
   *
   * The name is escaped and stripped of backticks before being placed between
   * backticks.
   */
  function mysql_list_tables($db, $link=null) {
      $conn = mysql_link($link);
      $name = str_replace('`', '', mysqli_real_escape_string($conn, $db));
      return mysqli_query($conn, "SHOW TABLES FROM `$name`");
  }
  496.  
  /**
   * Select $db and then execute $sql on $link, or on the default link when null.
   *
   * The result of the database switch is not checked, and the connection stays
   * on $db afterwards. The SQL text is sent exactly as given.
   */
  function mysql_db_query($db, $sql, $link=null) {
      $conn = mysql_link($link);
      mysqli_select_db($conn, $db);
      $res = mysqli_query($conn, $sql);
      return $res;
  }
  502.  
  /**
   * Fetch the next row of result $qlink via mysqli_fetch_row().
   */
  function mysql_fetch_row($qlink) {
      $row = mysqli_fetch_row($qlink);
      return $row;
  }
  506.  
  /**
   * Fetch the next row of result $qlink via mysqli_fetch_assoc().
   */
  function mysql_fetch_assoc($qlink) {
      $row = mysqli_fetch_assoc($qlink);
      return $row;
  }
  510.  
  /**
   * Fetch the next row of result $qlink via mysqli_fetch_array().
   *
   * @param mixed $result fetch mode passed on to mysqli (default MYSQLI_BOTH)
   */
  function mysql_fetch_array($qlink, $result=MYSQLI_BOTH) {
      $row = mysqli_fetch_array($qlink, $result);
      return $row;
  }
  514.  
  /**
   * Return mysqli_fetch_lengths() for result $qlink.
   */
  function mysql_fetch_lengths($qlink) {
      $lengths = mysqli_fetch_lengths($qlink);
      return $lengths;
  }
  518.  
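  /**
   * Return the last auto-increment id for a connection.
   *
   * mysqli_insert_id() works on a connection, not on a query result. The
   * argument is therefore treated as an optional link and resolved through
   * mysql_link(), like the other link-based wrappers in this file. Calls that
   * pass no argument use the default connection; before this change they failed
   * because the parameter was required.
   *
   * @param mixed $qlink connection to query, or null for the default link
   * @return mixed whatever mysqli_insert_id() returns
   */
  function mysql_insert_id($qlink=null) {
      return mysqli_insert_id(mysql_link($qlink));
  }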
  522.  
  /**
   * Return mysqli_num_rows() for result $qlink.
   */
  function mysql_num_rows($qlink) {
      $count = mysqli_num_rows($qlink);
      return $count;
  }
  526.  
  /**
   * Return mysqli_num_fields() for result $qlink.
   */
  function mysql_num_fields($qlink) {
      $count = mysqli_num_fields($qlink);
      return $count;
  }
  530.  
  /**
   * Move the row pointer of result $qlink to $row via mysqli_data_seek().
   */
  function mysql_data_seek($qlink, $row) {
      $moved = mysqli_data_seek($qlink, $row);
      return $moved;
  }
  534.  
  /**
   * Move the field pointer of result $qlink to $offset via mysqli_field_seek().
   */
  function mysql_field_seek($qlink, $offset) {
      $moved = mysqli_field_seek($qlink, $offset);
      return $moved;
  }
  538.  
  /**
   * Fetch the next row of result $qlink as an object of class $class.
   *
   * Constructor arguments are forwarded only when $params is supplied.
   */
  function mysql_fetch_object($qlink, $class="stdClass", array $params=null) {
      if ($params !== null) {
          return mysqli_fetch_object($qlink, $class, $params);
      }
      return mysqli_fetch_object($qlink, $class);
  }
  544.  
  /**
   * Seek result $qlink to row $row and return column $field of that row.
   *
   * Neither the seek nor the fetch is checked before the column is read.
   */
  function mysql_db_name($qlink, $row, $field='Database') {
      mysqli_data_seek($qlink, $row);
      $record = mysqli_fetch_assoc($qlink);
      return $record[$field];
  }
  550.  
  /**
   * Return the next field descriptor of result $qlink, first moving the field
   * pointer to $offset when one is given.
   */
  function mysql_fetch_field($qlink, $offset=null) {
      if ($offset !== null) {
          mysqli_field_seek($qlink, $offset);
      }
      $field = mysqli_fetch_field($qlink);
      return $field;
  }
  556.  
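  /**
   * Return one cell of result $qlink: column $field of the row at $offset.
   *
   * $offset is a row number, so the row pointer is moved with
   * mysqli_data_seek(). The original called mysqli_field_seek(), which moves the
   * field pointer and left the fetch reading whichever row came next. A failed
   * seek now returns false instead of silently returning data from another row.
   *
   * @param mixed      $qlink  query result
   * @param int|null   $offset row number, or null to read the next row
   * @param int|string $field  column index or name
   * @return mixed the cell value, or false when the row or column is missing
   */
  function mysql_result($qlink, $offset, $field=0) {
      if ($offset !== null && !mysqli_data_seek($qlink, $offset)) {
          return false;
      }
      $row = mysqli_fetch_array($qlink);
      if (!is_array($row) || !isset($row[$field])) {
          return false;
      }
      return $row[$field];
  }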
  565.  
  /**
   * Return the length property of the field at $offset in result $qlink, or
   * false when no field descriptor is available.
   */
  function mysql_field_len($qlink, $offset) {
      $field = mysqli_fetch_field_direct($qlink, $offset);
      if (!is_object($field)) {
          return false;
      }
      return $field->length;
  }
  570.  
  /**
   * Return the name of the field at $offset in result $qlink, preferring the
   * orgname property over name when it is non-empty. Returns false when no
   * field descriptor is available.
   */
  function mysql_field_name($qlink, $offset) {
      $field = mysqli_fetch_field_direct($qlink, $offset);
      if (!is_object($field)) {
          return false;
      }
      if (empty($field->orgname)) {
          return $field->name;
      }
      return $field->orgname;
  }
  577.  
  /**
   * Return the table of the field at $offset in result $qlink, preferring the
   * orgtable property over table when it is non-empty. Returns false when no
   * field descriptor is available.
   */
  function mysql_field_table($qlink, $offset) {
      $field = mysqli_fetch_field_direct($qlink, $offset);
      if (!is_object($field)) {
          return false;
      }
      if (empty($field->orgtable)) {
          return $field->table;
      }
      return $field->orgtable;
  }
  584.  
  /**
   * Return the type property of the field at $offset in result $qlink, or
   * false when no field descriptor is available.
   *
   * NOTE(review): this is mysqli's type value passed through unchanged. Callers
   * that expect a type name such as "string" should confirm what they receive.
   */
  function mysql_field_type($qlink, $offset) {
      $field = mysqli_fetch_field_direct($qlink, $offset);
      if (!is_object($field)) {
          return false;
      }
      return $field->type;
  }
  589.  
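  /**
   * Free result $qlink; returns true on success and false otherwise.
   *
   * Anything that is not a mysqli_result is rejected up front. The catch is
   * widened to Throwable because the original caught only Exception, so an
   * Error raised for a wrong-typed or already-freed argument escaped instead of
   * producing the false return this wrapper was written to give.
   *
   * @param mixed $qlink query result
   * @return bool
   */
  function mysql_free_result($qlink) {
      if (!($qlink instanceof mysqli_result)) {
          return false;
      }
      try {
          mysqli_free_result($qlink);
      } catch (Throwable $e) {
          return false;
      }
      return true;
  }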