Creating a website to test SQL injection
Posted: Sun Jul 12, 2009 12:19 pm
by marcg11
well, I'm desperately trying to create a website so I can try the use of SQL injection.
I used MySql server 5.1 to create a database named website and it has a table of members. I've added some random members with their name, password, email, etc. What I want to do now is create with PHP a SIMPLE website with its login and password. What I don't know is how can I connect to my sql I just did. Do I have to export my database to a .sql file? I don't have any host to upload the files, can I try it in my own PC? How? How would mysql_connect() be?
Re: Creating a website to test SQL injection
Posted: Sun Jul 12, 2009 2:16 pm
by Skara
wow, where to start.
marcg11 wrote:well, I'm desperately trying to create a website so I can try the use of SQL injection.
You're confused as to what "sql injection" means. SQL Injection is bad. It means someone can inject something that you don't want to be added to your database.
You're simply asking how to use mysql commands in php.
marcg11 wrote:I used MySql server 5.1 to create a database named website and it has a table of members. I've added some random members with their name, password, email, etc. What I want to do now is create with PHP a SIMPLE website with its login and password. What I don't know is how can I connect to my sql I just did. Do I have to export my database to a .sql file?
no.
marcg11 wrote:I don't have any host to upload the files,
If you don't have a host to upload the files, then you did NOT "used MySql server 5.1 to create a database..." MySQL servers are on hosts. If you installed mysql on your computer..... you skipped a few steps. You forgot to install the actual web server part, which comes first. If you're really new at this, get rid of what you installed completely and start over with wamp.
marcg11 wrote:How? How would mysql_connect() be?
mysql_connect()
Code:
<?php
// Signature: mysql_connect(host, username, password)
// Note: the mysql_* extension used here was removed in PHP 7; mysqli and PDO replace it.
//example usage:
mysql_connect('localhost','somename','blahdeblah');
mysql_select_db('your_database');
// Insert one row, then read back up to two rows and print each one.
mysql_query("INSERT INTO `table_name` VALUES('1','abc','def');");
$res = mysql_query("SELECT * FROM `table_name` WHERE `row_name` > 4 LIMIT 2;");
while ($row = mysql_fetch_assoc($res)) {
    print_r($row);
}
mysql_close();
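The line between "using MySQL from PHP" and "SQL injection" that the reply above draws comes down to how the query string is built. The following is an added example, not code from any poster in this thread: the same login check written with string concatenation and with a prepared statement. It uses PDO with an in-memory SQLite database as a stand-in for the MySQL `website` database so it runs without a server; the function names, table layout and row are assumptions.

```php
<?php
// Added example. SQLite in memory stands in for the thread's MySQL "website"
// database; the members table and its single row are constructed test data.
// Passwords are plaintext only to mirror the thread's table; a real site
// stores password_hash() output and checks it with password_verify().
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members (name TEXT, password TEXT, email TEXT)");
$db->exec("INSERT INTO members VALUES ('alice', 'wonderland', 'alice@example.test')");

// Before: input is pasted into the SQL text, so a quote in the input ends
// the string literal and whatever follows is parsed as SQL.
function login_concat(PDO $db, string $name, string $pass): bool {
    $sql = "SELECT COUNT(*) FROM members WHERE name = '$name' AND password = '$pass'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// After: the SQL text is fixed and the input is bound as data, so it can
// only ever be compared against the column values.
function login_prepared(PDO $db, string $name, string $pass): bool {
    $stmt = $db->prepare("SELECT COUNT(*) FROM members WHERE name = ? AND password = ?");
    $stmt->execute([$name, $pass]);
    return (int) $stmt->fetchColumn() > 0;
}

// Constructed inputs: a real login, a wrong password, and a value containing a quote.
$cases = [
    ['alice', 'wonderland'],
    ['alice', 'wrong'],
    ['alice', "' OR '1'='1"],
];
foreach ($cases as [$name, $pass]) {
    printf("%-6s %-14s concat=%s prepared=%s\n", $name, $pass,
        var_export(login_concat($db, $name, $pass), true),
        var_export(login_prepared($db, $name, $pass), true));
}
```

Only the third input separates the two functions: the concatenated query accepts it, the prepared statement treats it as a wrong password.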
Re: Creating a website to test SQL injection
Posted: Sun Jul 12, 2009 4:54 pm
by marcg11
Well.. yeah I'm a complete noob. Thanks for answering. I want to do what this guy does in this tutorial:
http://blogs.iis.net/nazim/archive/2008 ... -demo.aspx
But if it's possible, not in AJAX, but in PHP.
But I'm too retarded to follow him because there are some things I really have no idea.
So the database I created with MySql using MySQL command line client is useless?
I know SQL injection is bad, a way to hack, etc. But I'm doing a research for school of sql injection.
So what do you think I should do?
Re: Creating a website to test SQL injection
Posted: Sun Jul 12, 2009 5:16 pm
by jackpf
No, your database is not useless.
Just look up an online tutorial about php and mysql functions. Like this
Re: Creating a website to test SQL injection
Posted: Sun Jul 12, 2009 9:13 pm
by Skara
jackpf wrote:No, your database is not useless.
It is if he has no server software or php installed. The way I understand him is that he has nothing but the MySQL server installed. If that's the case, then it is completely useless as it does nothing by itself.
If you haven't worked at all with php and/or mysql, then let me be clear that there is a big learning gap here. I've worked with php for ~5 years and I'm still learning new things. Learning how to properly store and retrieve data from mysql from scratch is a project. The first step in that project is either to purchase hosting or create your own server. The easiest way to create your own server is using wamp, linked above.
Re: Creating a website to test SQL injection
Posted: Mon Jul 13, 2009 12:04 am
by Eric!
All this guy is doing is showing you what NOT to do. Your first step is to buy "mysql and php for dummies" It will help you get set up and teach you the basics. Then you can go from there to hacking your own database with SQLi attacks.
marcg11 might actually be asking us how to use php for sqli on others, but just doesn't know what to ask...
Re: Creating a website to test SQL injection
Posted: Mon Jul 13, 2009 2:22 am
by jackpf
Skara wrote:jackpf wrote:No, your database is not useless.
It is if he has no server software or php installed. The way I understand him is that he has nothing but the MySQL server installed. If that's the case, then it is completely useless as it does nothing by itself.
If you haven't worked at all with php and/or mysql, then let me be clear that there is a big learning gap here. I've worked with php for ~5 years and I'm still learning new things. Learning how to properly store and retrieve data from mysql from scratch is a project. The first step in that project is either to purchase hosting or create your own server. The easiest way to create your own server is using wamp, linked above.
Oh, I completely misunderstood then lol.
Re: Creating a website to test SQL injection
Posted: Mon Jul 13, 2009 7:55 am
by marcg11
So with Wamp, will I be able to do what the sql injection demo says?
Re: Creating a website to test SQL injection
Posted: Mon Jul 13, 2009 8:55 am
by jackpf
No, that tutorial is for ASP.NET.
Re: Creating a website to test SQL injection
Posted: Thu Jul 16, 2009 4:34 pm
by marcg11
I've looked through the internet and I found some examples of a simple login demonstration using PHP and MySQL, for example:
http://www.thedemosite.co.uk/demo-code.zip
But I don't know how to set it up. The readme says I have to change config.php, to connect to the database. But how can I create (well I know how to create with MySQL a database) one and upload it to a server?
I have more examples of demo logins, but I don't know what I am supposed to do, how to connect PHP and SQL.
Thanks in advance.
Re: Creating a website to test SQL injection
Posted: Thu Jul 16, 2009 4:36 pm
by jackpf
This might be a better tutorial. Worked for me.
Re: Creating a website to test SQL injection
Posted: Thu Jul 16, 2009 4:38 pm
by marcg11
jackpf wrote:This might be a better tutorial. Worked for me.
Thanks, I'll have a look at it.
Re: Creating a website to test SQL injection
Posted: Fri Jul 17, 2009 12:27 am
by DaiLaughing
Tizag is excellent but I think it moves too fast for many so have created my own attempt and taken a total noob to creating half-decent sites. It's not there to compete but to get people started so they can move on to Tizag after. Give it a look if you find Tizag too heavy.
Re: Creating a website to test SQL injection
Posted: Fri Jul 17, 2009 6:39 am
by jackpf
I thought tizag was pretty well paced tbh.
But yeah, nice site.
Re: Creating a website to test SQL injection
Posted: Fri Jul 17, 2009 8:59 am
by marcg11
I downloaded WampServer2 but when I open it it gives me an error:
"The application has failed to start because php5.dll wasnot found. Re-installing the app may solve..."
I've re-installed but nothing.
EDIT: I've overwritten the binary PHP 5.3 files to the bin/php folder in wamp and no error. But now the php errors don't show up, weird thing.