Creating a website to test SQL injection


marcg11
Forum Newbie
Posts: 10
Joined: Sun Jul 12, 2009 12:14 pm

Creating a website to test SQL injection

Post by marcg11 »

Well, I'm desperately trying to create a website so I can try the use of SQL injection.

I used MySql server 5.1 to create a database named website and it has a table of members. I've added some random members with their name, password, email, etc. What I want to do now is create with PHP a SIMPLE website with its login and password. What I don't know is how can I connect to my sql I just did. Do I have to export my database to a .sql file? I don't have any host to upload the files, can I try it in my own PC? How? How would mysql_connect() be?
Skara
Forum Regular
Posts: 703
Joined: Sat Mar 12, 2005 7:13 pm
Location: US

Re: Creating a website to test SQL injection

Post by Skara »

Wow, where to start.
marcg11 wrote:well, I'm desperately trying to create a website so I can try the use of SQL injection.
You're confused as to what "sql injection" means. SQL Injection is bad. It means someone can inject something that you don't want to be added to your database.
You're simply asking how to use mysql commands in php.
marcg11 wrote:I used MySql server 5.1 to create a database named website and it has a table of members. I've added some random members with their name, password, email, etc. What I want to do now is create with PHP a SIMPLE website with its login and password. What I don't know is how can I connect to my sql I just did.
Do I have to export my database to a .sql file?
no.
marcg11 wrote:I don't have any host to upload the files,
If you don't have a host to upload the files, then you did NOT "used MySql server 5.1 to create a database..." MySQL servers are on hosts. If you installed mysql on your computer..... you skipped a few steps. You forgot to install the actual web server part, which comes first. If you're really new at this, get rid of what you installed completely and start over with wamp.
marcg11 wrote:How? How would mysql_connect() be?
mysql_connect()

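Code:

// Signature: mysql_connect(host, username, password)
// Example usage:
mysql_connect('localhost', 'somename', 'blahdeblah');  // connect to the MySQL server on this machine
mysql_select_db('your_database');                      // choose the database to work in
// Insert one row (values are given in column order)
mysql_query("INSERT INTO `table_name` VALUES('1','abc','def');");
// Fetch at most two rows whose `row_name` column is greater than 4
$res = mysql_query("SELECT * FROM `table_name` WHERE `row_name` > 4 LIMIT 2;");
while ($row = mysql_fetch_assoc($res)) {
    print_r($row);  // each row is an associative array keyed by column name
}
mysql_close();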
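
Added example, not part of the original posts: the kind of login check this thread is trying to set up, written once with string concatenation (the pattern an injection test site demonstrates) and once with a prepared statement. It assumes PHP's PDO with the SQLite driver so it runs on a local machine without a database server; the `members` columns, the sample row and both function names are constructed for illustration.

```php
<?php
// Added example with constructed data; SQLite in memory stands in for the
// thread's MySQL "members" table so the script runs without a server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE members (name TEXT, password TEXT, email TEXT)");
// Lab-only plaintext password; a real site stores password_hash() output.
$pdo->exec("INSERT INTO members VALUES ('alice', 's3cret', 'alice@example.test')");

// Vulnerable: user input is pasted into the SQL text, so a quote character
// in the input ends the string literal and the rest is parsed as SQL.
function login_concat(PDO $pdo, string $name, string $pass): bool
{
    $sql = "SELECT COUNT(*) FROM members WHERE name = '$name' AND password = '$pass'";
    return (int) $pdo->query($sql)->fetchColumn() > 0;
}

// Hardened: the SQL text is fixed; the values travel separately as bound
// parameters and are only ever compared as data.
function login_prepared(PDO $pdo, string $name, string $pass): bool
{
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM members WHERE name = ? AND password = ?");
    $stmt->execute([$name, $pass]);
    return (int) $stmt->fetchColumn() > 0;
}

// Constructed inputs: a valid login, a wrong password, and a password value
// containing a quote followed by an always-true condition.
$cases = [
    ['alice', 's3cret'],
    ['alice', 'wrong'],
    ['alice', "x' OR '1'='1"],
];
foreach ($cases as [$name, $pass]) {
    printf("%-16s concat=%-5s prepared=%s\n", $pass,
        var_export(login_concat($pdo, $name, $pass), true),
        var_export(login_prepared($pdo, $name, $pass), true));
}
```

The two functions agree on the first two inputs and differ only on the third, which is the behaviour a test site for this topic is meant to make visible. Against MySQL the same `prepare()`/`execute()` calls apply with a `mysql:` DSN.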
marcg11
Forum Newbie
Posts: 10
Joined: Sun Jul 12, 2009 12:14 pm

Re: Creating a website to test SQL injection

Post by marcg11 »

Well.. yeah I'm a complete noob. Thanks for answering. I want to do what this guy does in this tutorial:

http://blogs.iis.net/nazim/archive/2008 ... -demo.aspx

But if it's possible, not in AJAX, but in PHP.

But I'm too retarded to follow him because there are some things I really have no idea.

So the database I created with MySql using MySQL command line client is useless?

I know SQL injection is bad, a way to hack, etc. But I'm doing a research for school of sql injection.

So what do you think I should do?
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Creating a website to test SQL injection

Post by jackpf »

No, your database is not useless.

Just look up an online tutorial about php and mysql functions. Like this
Skara
Forum Regular
Posts: 703
Joined: Sat Mar 12, 2005 7:13 pm
Location: US

Re: Creating a website to test SQL injection

Post by Skara »

jackpf wrote:No, your database is not useless.
It is if he has no server software or php installed. The way I understand him is that he has nothing but the MySQL server installed. If that's the case, then it is completely useless as it does nothing by itself.

If you haven't worked at all with php and/or mysql, then let me be clear that there is a big learning gap here. I've worked with php for ~5 years and I'm still learning new things. Learning how to properly store and retrieve data from mysql from scratch is a project. The first step in that project is either to purchase hosting or create your own server. The easiest way to create your own server is using wamp, linked above.
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: Creating a website to test SQL injection

Post by Eric! »

marcg11 wrote:I want to do what this guy does in this tutorial:

http://blogs.iis.net/nazim/archive/2008 ... -demo.aspx

But I'm too retarded to follow him because there are some things I really have no idea.

So what do you think I should do?
All this guy is doing is showing you what NOT to do. Your first step is to buy "mysql and php for dummies". It will help you get set up and teach you the basics. Then you can go from there to hacking your own database with SQLi attacks.

marcg11 might actually be asking us how to use php for sqli on others, but just doesn't know what to ask...
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Creating a website to test SQL injection

Post by jackpf »

Skara wrote:
jackpf wrote:No, your database is not useless.
It is if he has no server software or php installed. The way I understand him is that he has nothing but the MySQL server installed. If that's the case, then it is completely useless as it does nothing by itself.

If you haven't worked at all with php and/or mysql, then let me be clear that there is a big learning gap here. I've worked with php for ~5 years and I'm still learning new things. Learning how to properly store and retrieve data from mysql from scratch is a project. The first step in that project is either to purchase hosting or create your own server. The easiest way to create your own server is using wamp, linked above.
Oh, I completely misunderstood then lol.
marcg11
Forum Newbie
Posts: 10
Joined: Sun Jul 12, 2009 12:14 pm

Re: Creating a website to test SQL injection

Post by marcg11 »

So with Wamp, will I be able to do what the sql injection demo says?
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Creating a website to test SQL injection

Post by jackpf »

No, that tutorial is for ASP.NET.
marcg11
Forum Newbie
Posts: 10
Joined: Sun Jul 12, 2009 12:14 pm

Re: Creating a website to test SQL injection

Post by marcg11 »

I've looked through the internet and I found some examples of a simple login demonstration using PHP and MySQL, for example:

http://www.thedemosite.co.uk/demo-code.zip

But I don't know how to set it up. The readme says I have to change config.php, to connect to the database. But how can I create (well, I know how to create with MySQL a database) one and upload it to a server?

I have more examples of demo logins, but I don't know what I am supposed to do, how to connect PHP and SQL.

Thanks in advance.
Last edited by marcg11 on Thu Jul 16, 2009 4:37 pm, edited 1 time in total.
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Creating a website to test SQL injection

Post by jackpf »

This might be a better tutorial. Worked for me.
marcg11
Forum Newbie
Posts: 10
Joined: Sun Jul 12, 2009 12:14 pm

Re: Creating a website to test SQL injection

Post by marcg11 »

jackpf wrote:This might be a better tutorial. Worked for me.

Thanks, I'll have a look at it.
DaiLaughing
Forum Commoner
Posts: 76
Joined: Thu Jul 16, 2009 8:03 am

Re: Creating a website to test SQL injection

Post by DaiLaughing »

Tizag is excellent but I think it moves too fast for many so have created my own attempt and taken a total noob to creating half-decent sites. It's not there to compete but to get people started so they can move on to Tizag after. Give it a look if you find Tizag too heavy.
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Creating a website to test SQL injection

Post by jackpf »

I thought tizag was pretty well paced tbh.

But yeah, nice site.
marcg11
Forum Newbie
Posts: 10
Joined: Sun Jul 12, 2009 12:14 pm

Re: Creating a website to test SQL injection

Post by marcg11 »

I downloaded WampServer2 but when I open it it gives me an error:

"The application has failed to start because php5.dll wasnot found. Re-installing the app may solve..."

I've re-installed but nothing.

EDIT: I've overwritten the binary PHP 5.3 files to the bin/php folder in wamp and no error. But now the php errors don't show up, weird thing.