SQL Injection Test

[Muncey]

Basically im making a input in which i need someone to input an sql injection. I thought of just doing a simple  if statement and say if their input is ' or 1=1 -- then it's right but they could also put ' or 2=2 -- and it's still right, or x' or 2=2 -- or hello' or 100000=100000 -- and they would be right yet i dont know how to test to see if the user input a successful sql injection line.

 

I really need help with this, thanks.

[cmgmyr]

Here is a good read: http://www.unixwiz.net/techtips/sql-injection.html

[per1os]

www.php.net/mysql_real_escape_string  before you submit entry for database. It escapes the single quotes so they do not screw up the statements and leave you open for exploitation.

[Muncey]

Sorry i didn't explain it very well. Im fully aware of what sql injection is, how to do it and how to prevent it.

 

Im making a workshop type thing with like levels and one of the questions is give an example of a sql injection... when they input a correct sql injection i need to show one thing and show another if it's wrong.

[per1os]

Ah, check for the single quote and the OR statement and maybe even the equals sign.

 

If it has those chances are it is pretty close. Or use www.php.net/preg_match regular expressions to do the check for you.

[Muncey]

Never thought of that! Thanks a lot, i would also check for the -- which comments out the rest of the query.

[wildteen88]

Here is an example:

<?php

$input = "' R 1=1 --";

$ptn = "/('|\") OR ([0-9]+)=([0-9]+) (\-){2}/i";

preg_match($ptn, $input, $matches);

if($matches[0] == $input)
{
    echo '<tt>' . $input . '</tt><br />Successfull SQL Injection command';
}
else
{
    echo '<tt>' . $input . '</tt><br />Is not an SQL Injection command';
}

?>