sql injection in php

Question

my query written in php is:

$sql="SELECT * FROM ".TABLE_PREFIX."login WHERE username ='".$username."' 
      AND password='".$password."'";
$res_id = mysql_query($sql);
$num_rows = mysql_num_rows($res_id);
echo $num_rows;

When i enter a valid user name and password from a form it works ok.

When i input some sql injection code the query output is:

SELECT * FROM form_login WHERE username ='' or '1'='1' AND password='' or '1'='1'

Which is a valid sql statement.But it gives an output(ie number of rows) as 0(zero).

If I write the same output sql statement in the program itself as-

$sql="SELECT * FROM form_login WHERE username ='' or '1'='1' 
   AND password='' or '1'='1'";

it works fine and it gives some result(for eg 3).

How can i get the correct result by inputing the sql injection code?

Answer 1

Try echoing out the SQL statement. It may not be what you think it is, especially if magic_quotes_gpc is enabled.

Answer 2

Or better yet, NEVER CONCATENATE SQL!

Try using the PDO library with prepared sql statements

Values are inherently safe in this mode.

Answer 3

Before using any variable in a query, pass it through mysql_real_escape_string.

Answer 4

You need to enter ' OR 1=1; -- (note that space after -- ) into the username.
After that it doesn't matter what you enter into the password, because it will be commented out.

This will translate into the following SQL statement:

SELECT * FROM form_login WHERE username ='' or 1 = 1; -- AND password= 'whatever'