tsilenzio Posted July 24, 2007 Share Posted July 24, 2007 Using php how would i inject a whole .sql file filled with [CREATE tablename( data values and such) and INSERT INTO tablename] into a database using php code? :s Quote Link to comment https://forums.phpfreaks.com/topic/61586-sql-injection/ Share on other sites More sharing options...
The Little Guy Posted July 24, 2007 Share Posted July 24, 2007 you could do it through PHP myAdmin Quote Link to comment https://forums.phpfreaks.com/topic/61586-sql-injection/#findComment-306530 Share on other sites More sharing options...
tsilenzio Posted July 24, 2007 Author Share Posted July 24, 2007 yea i know but i dont want the ppl using my script to have to do it i mean liek what if they dont got phpMyAdmin? thanx though Quote Link to comment https://forums.phpfreaks.com/topic/61586-sql-injection/#findComment-306531 Share on other sites More sharing options...
The Little Guy Posted July 24, 2007 Share Posted July 24, 2007 I guess, in the php you would do this: <textarea name="myField"></textarea> <?php if(mysql_query($_GET['myField'])){ echo 'Query was successful'; }else{ echo 'invalid query'; } ?> Quote Link to comment https://forums.phpfreaks.com/topic/61586-sql-injection/#findComment-306559 Share on other sites More sharing options...
tsilenzio Posted July 25, 2007 Author Share Posted July 25, 2007 Yea but the only problem is that its 2 files not a textarea =/ Quote Link to comment https://forums.phpfreaks.com/topic/61586-sql-injection/#findComment-307299 Share on other sites More sharing options...
soycharliente Posted July 25, 2007 Share Posted July 25, 2007 <textarea><?php include "yoursqlfile.php"; ?></textarea> Quote Link to comment https://forums.phpfreaks.com/topic/61586-sql-injection/#findComment-307302 Share on other sites More sharing options...
per1os Posted July 25, 2007 Share Posted July 25, 2007 www.php.net/file_get_contents ??? Quote Link to comment https://forums.phpfreaks.com/topic/61586-sql-injection/#findComment-307310 Share on other sites More sharing options...
tsilenzio Posted July 25, 2007 Author Share Posted July 25, 2007 Like i was thinking: <?php //code above function injectSQL($filename) global $root_path; $handle = fopen($root_path . 'install/data/' . $filename, "r"); $query = ""; $lines = explode("\n", fread($handle, 1024768)); fclose($handle); foreach($lines as $line) { if(!(strpos($line,"//") == 0) && $line != "") //check for commented lines or blanks { $query .= $line; if(!(strpos($line,";") == false)) { if($filename = "sql_data.sql") { $query = str_replace(array('admin_username', 'admin_password', 'admin_email', 'admin_race', '00000000000000'), array($username, $password, $email, $race, time()), $query); } processQuery($query); //Function that loads the config.php file, connects to DB and processes query $query = ""; } } } } //more code // // Create all needed tables // injectSQL("sql_tables.sql"); // // Load values into new tables // injectSQL("sql_data.sql"); ?> Quote Link to comment https://forums.phpfreaks.com/topic/61586-sql-injection/#findComment-307312 Share on other sites More sharing options...
tsilenzio Posted July 25, 2007 Author Share Posted July 25, 2007 forgot to ask is it possible to do mutiple "CREATE TABLE.." commands in a single query? or does it all have to be seperate for each CREATE? :s Quote Link to comment https://forums.phpfreaks.com/topic/61586-sql-injection/#findComment-307316 Share on other sites More sharing options...
tsilenzio Posted July 25, 2007 Author Share Posted July 25, 2007 yes? maybe? no lol =/ Quote Link to comment https://forums.phpfreaks.com/topic/61586-sql-injection/#findComment-307361 Share on other sites More sharing options...
The Little Guy Posted July 25, 2007 Share Posted July 25, 2007 eval() maybe your looking to do something with this??? Quote Link to comment https://forums.phpfreaks.com/topic/61586-sql-injection/#findComment-307371 Share on other sites More sharing options...
per1os Posted July 25, 2007 Share Posted July 25, 2007 forgot to ask is it possible to do mutiple "CREATE TABLE.." commands in a single query? or does it all have to be seperate for each CREATE? :s Try it and find out, as long as the syntax is right and it has ; after each statement it should be fine. Quote Link to comment https://forums.phpfreaks.com/topic/61586-sql-injection/#findComment-307374 Share on other sites More sharing options...
tsilenzio Posted July 25, 2007 Author Share Posted July 25, 2007 Thannx alot still sint 100% working but ill figure out whats wrong xD Quote Link to comment https://forums.phpfreaks.com/topic/61586-sql-injection/#findComment-307394 Share on other sites More sharing options...
keeB Posted July 25, 2007 Share Posted July 25, 2007 .. You can't have multiple queries in a single mysql call.. What you would need to do is get the file, explode on ";", and then do a foreach calling mysql_query() on each array element. Quote Link to comment https://forums.phpfreaks.com/topic/61586-sql-injection/#findComment-307425 Share on other sites More sharing options...
tsilenzio Posted July 26, 2007 Author Share Posted July 26, 2007 hey thats a good idea isntead of a newline lol then ill just remove any comments.. but wait how will i tell where a comment begins and end? >.> lol im not too good with string functions Quote Link to comment https://forums.phpfreaks.com/topic/61586-sql-injection/#findComment-307552 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.