  1. INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')
  2.  
  3. // Value whitelist
  4. // $dir can only be 'DESC' otherwise it will be 'ASC'
  5. if (empty($dir) || $dir !== 'DESC') {
  6. $dir = 'ASC';
  7. }
  8.  
  9. //Connect
  10.  
  11. $unsafe_variable = $_POST["user-input"];
  12. $safe_variable = mysql_real_escape_string($unsafe_variable);
  13.  
  14. mysql_query("INSERT INTO table (column) VALUES ('" . $safe_variable . "')");
  15.  
  16. //Disconnect
  17.  
  18. <?php
  19. $mysqli = new mysqli("server", "username", "password", "database_name");
  20.  
  21. // TODO - Check that connection was successful.
  22.  
  23. $unsafe_variable = $_POST["user-input"];
  24.  
  25. $stmt = $mysqli->prepare("INSERT INTO table (column) VALUES (?)");
  26.  
  27. // TODO check that $stmt creation succeeded
  28.  
  29. // "s" means the database expects a string
  30. $stmt->bind_param("s", $unsafe_variable);
  31.  
  32. $stmt->execute();
  33.  
  34. $stmt->close();
  35.  
  36. $mysqli->close();
  37. ?>
  38.  
  39. $orders = array("name","price","qty"); //field names
  40. $key = array_search($_GET['sort'],$orders)); // see if we have such a name
  41. $orderby = $orders[$key]; //if not, first one will be set automatically. smart enuf :)
  42. $query = "SELECT * FROM `table` ORDER BY $orderby"; //value is safe
  43.  
  44. $stmt = $conn->prepare("INSERT INTO tbl VALUES(:id, :name)");
  45. $stmt->bindValue(':id', $id);
  46. $stmt->bindValue(':name', $name);
  47. $stmt->execute();
  48.  
  49. SELECT password FROM users WHERE name = 'root'
  50.  
  51. SELECT password FROM users WHERE name = 0x726f6f74
  52.  
  53. SELECT password FROM users WHERE name = UNHEX('726f6f74')
  54.  
  55. "SELECT title FROM article WHERE id = " . mysql_real_escape_string($_GET["id"])
  56.  
  57. $name_bad = "' OR 1'";
  58.  
  59. $name_bad = mysql_real_escape_string($name_bad);
  60.  
  61. $query_bad = "SELECT * FROM customers WHERE username = '$name_bad'";
  62. echo "Escaped Bad Injection: <br />" . $query_bad . "<br />";
  63.  
  64.  
  65. $name_evil = "'; DELETE FROM customers WHERE 1 or username = '";
  66.  
  67. $name_evil = mysql_real_escape_string($name_evil);
  68.  
  69. $query_evil = "SELECT * FROM customers WHERE username = '$name_evil'";
  70. echo "Escaped Evil Injection: <br />" . $query_evil;
  71.  
  72. $safe_variable = mysql_real_escape_string($_POST["user-input"]);
  73. mysql_query("INSERT INTO table (column) VALUES ('" . $safe_variable . "')");
  74.  
  75. $offset = isset($_GET['o']) ? $_GET['o'] : 0;
  76. $offset = mysql_real_escape_string($offset);
  77. RunQuery("SELECT userid, username FROM sql_injection_test LIMIT $offset, 10");
  78.  
  79. $order = isset($_GET['o']) ? $_GET['o'] : 'userid';
  80. $order = mysql_real_escape_string($order);
  81. RunQuery("SELECT userid, username FROM sql_injection_test ORDER BY `$order`");
  82.  
  83. $query="select * from users where email='".$_POST['email']."' and password='".$_POST['password']."' ";
  84.  
  85. $_POST['email']= admin@emali.com' OR '1=1
  86.  
  87. $query="select * from users where email='admin@emali.com' OR '1=1';
  88.  
  89. $request = $pdoConnection->("INSERT INTO parents (name, addr, city) values ($name, $addr, $city)");
  90.  
  91. $request = $pdoConnection->("INSERT INTO parents (name, addr, city) values (?, ?, ?);
  92.  
  93. $request = $pdoConnection->("INSERT INTO parents (name, addr, city) value (:name, :addr, :city)");
  94.  
  95. $request = $mysqliConnection->prepare('
  96. SELECT * FROM trainers
  97. WHERE name = ?
  98. AND email = ?
  99. AND last_login > ?');
  100.  
  101. $query->bind_param('first_param', 'second_param', $mail, time() - 3600);
  102. $query->execute();
  103.  
  104. $unsafe_variable = $_POST['user_id'];
  105.  
  106. $safe_variable = (int)$unsafe_variable ;
  107.  
  108. mysql_query("INSERT INTO table (column) VALUES ('" . $safe_variable . "')");
  109.  
  110. SELECT * FROM users WHERE name = '".mysql_escape_string($name_from_html_form)."'
  111.  
  112. wHERE 1=1 or LIMIT 1
  113.  
  114. SELECT * FROM users WHERE name = '".mysql_escape_string($name_from_html_form)."' LIMIT 1
  115.  
  116. $count = DB::column('SELECT COUNT(*) FROM `user`);
  117.  
  118. $pairs = DB::pairs('SELECT `id`, `username` FROM `user`);
  119.  
  120. $user = DB::row('SELECT * FROM `user` WHERE `id` = ?', array($user_id));
  121.  
  122. $banned_users = DB::fetch('SELECT * FROM `user` WHERE `banned` = ?', array(TRUE));
  123.  
  124. $mysqli = new mysqli( 'host', 'user', 'password', 'database' );
  125. $mysqli->set_charset( 'charset');
  126.  
  127. $string = $mysqli->real_escape_string( $string );
  128. $mysqli->query( "INSERT INTO table (column) VALUES ('$string')" );
  129.  
  130. $stmt = $mysqli->prepare( "INSERT INTO table ( column1, column2 ) VALUES (?,?)" );
  131.  
  132. $stmt->bind_param( "is", $integer, $string );
  133.  
  134. $stmt->execute();
  135.  
  136. $string = "x' OR name LIKE '%John%";
  137. $integer = '5 OR id != 0';
  138.  
  139. $query = sprintf( "SELECT id, email, pass, name FROM members WHERE email ='%s' AND id = %d", $mysqli->real_escape_string( $string ), $integer );
  140.  
  141. echo $query;
  142. // SELECT id, email, pass, name FROM members WHERE email ='x' OR name LIKE '%John%' AND id = 5
  143.  
  144. $integer = '99999999999999999999';
  145. $query = sprintf( "SELECT id, email, pass, name FROM members WHERE email ='%s' AND id = %d", $mysqli->real_escape_string( $string ), $integer );
  146.  
  147. echo $query;
  148. // SELECT id, email, pass, name FROM members WHERE email ='x' OR name LIKE '%John%' AND id = 2147483647
  149.  
  150. string mysqli_real_escape_string ( mysqli $link , string $escapestr )
  151.  
  152. $iId = $mysqli->real_escape_string("1 OR 1=1");
  153. $mysqli->query("SELECT * FROM table WHERE id = $iId");
  154.  
  155. GRANT SELECT, INSERT, DELETE ON database TO username@'localhost' IDENTIFIED BY 'password';
  156.  
  157. FLUSH PRIVILEGES;
  158.  
  159. select * from mysql.user where User='username';
  160.  
  161. [1] UNION SELECT IF(SUBSTRING(Password,1,1)='2',BENCHMARK(100000,SHA1(1)),0) User,Password FROM mysql.user WHERE User = 'root'
  162.  
  163. $user = "''1''"; //Malicious keyword
  164. $sql = 'SELECT * FROM awa_user WHERE userame =:username';
  165. $sth = $dbh->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
  166. $sth->execute(array(':username' => $user));
  167.  
  168. 189 Query SELECT * FROM awa_user WHERE userame ='''1'''
  169. 189 Quit
  170.  
  171. $stmt = $mysqli->prepare("SELECT * FROM awa_user WHERE username =?")) {
  172. $stmt->bind_param("s", $user);
  173. $user = "''1''";
  174. $stmt->execute();
  175.  
  176. 188 Prepare SELECT * FROM awa_user WHERE username =?
  177. 188 Execute SELECT * FROM awa_user WHERE username ='''1'''
  178. 188 Quit
  179.  
  180. RewriteCond %{QUERY_STRING} ([0-9]+)=([0-9]+)
  181. RewriteRule ^(.*) ^/track.php
  182.  
  183. $conn = oci_connect($username, $password, $connection_string);
  184. $stmt = oci_parse($conn, 'UPDATE table SET field = :xx WHERE ID = 123');
  185. oci_bind_by_name($stmt, ':xx', $fieldval);
  186. oci_execute($stmt);
  187.  
  188. $unsafe_variable = mysql_real_escape_string($_POST['user_input']);
  189.  
  190. $unsafe_variable = (is_string($_POST['user_input']) ? $_POST['user_input'] : '');
  191.  
  192. $unsafe_variable = (is_numeric($_POST['user_input']) ? $_POST['user_input'] : '');
  193.  
  194. $user = ORM::for_table('user')
  195. ->where_equal('username', 'j4mie')
  196. ->find_one();
  197.  
  198. $user->first_name = 'Jamie';
  199. $user->save();
  200.  
  201. $tweets = ORM::for_table('tweet')
  202. ->select('tweet.*')
  203. ->join('user', array(
  204. 'user.id', '=', 'tweet.user_id'
  205. ))
  206. ->where_equal('user.username', 'j4mie')
  207. ->find_many();
  208.  
  209. foreach ($tweets as $tweet) {
  210. echo $tweet->text;
  211. }
  212.  
  213. function sqlvprintf($query, $args)
  214. {
  215. global $DB_LINK;
  216. $ctr = 0;
  217. ensureConnection(); // Connect to database if not connected already.
  218. $values = array();
  219. foreach ($args as $value)
  220. {
  221. if (is_string($value))
  222. {
  223. $value = "'" . mysqli_real_escape_string($DB_LINK, $value) . "'";
  224. }
  225. else if (is_null($value))
  226. {
  227. $value = 'NULL';
  228. }
  229. else if (!is_int($value) && !is_float($value))
  230. {
  231. die('Only numeric, string, array and NULL arguments allowed in a query. Argument '.($ctr+1).' is not a basic type, it's type is '. gettype($value). '.');
  232. }
  233. $values[] = $value;
  234. $ctr++;
  235. }
  236. $query = preg_replace_callback(
  237. '/{(\d+)}/',
  238. function($match) use ($values)
  239. {
  240. if (isset($values[$match[1]]))
  241. {
  242. return $values[$match[1]];
  243. }
  244. else
  245. {
  246. return $match[0];
  247. }
  248. },
  249. $query
  250. );
  251. return $query;
  252. }
  253.  
  254. function runEscapedQuery($preparedQuery /*, ...*/)
  255. {
  256. $params = array_slice(func_get_args(), 1);
  257. $results = runQuery(sqlvprintf($preparedQuery, $params)); // Run query and fetch results.
  258. return $results;
  259. }
  260.  
  261. runEscapedQuery("INSERT INTO Whatever (id, foo, bar) VALUES ({0}, {1}, {2})", $numericVar, $stringVar1, $stringVar2);