
Simple SQL injection not working...


ghost

Hello. I'm trying to understand and learn SQL injection, so I made my own website with a login page and tried a simple SQL injection (' OR 'x'='x in the password box). But it didn't work. I did some digging and found out that the password value which the script received from $_POST had a \ in it (\' OR \'x\'=\'x)

```php
<?php
// Assumes session_start() and a mysql_connect()/mysql_select_db() call earlier in the file.
if($_SERVER["REQUEST_METHOD"] == "POST")
{
    // username and password sent from Form
    $myusername=$_POST['username'];
    $mypassword=$_POST['password'];
    echo $mypassword; // debug output: prints the value exactly as the script received it
    // the query text is built by string concatenation, so whatever arrives in $mypassword lands inside the SQL
    $sql="SELECT id FROM Users WHERE user='$myusername' and pass='$mypassword'";
    $result=mysql_query($sql);
    $row=mysql_fetch_array($result);
    $count=mysql_num_rows($result);

    // If result matched $myusername and $mypassword, table row must be 1 row
    if($count==1)
    {
        session_register("myusername");
        $_SESSION['login_user']=$myusername;
        header("location: welcome.php");
    }
    else
    {
        $error="Your Login Name or Password is invalid";
        echo $error;
    }
}
```
I cannot understand where the '\' comes from??? :angry:

ghost

The version of PHP is 5.3.5, so I guess it is magic quotes… Is there any way to bypass it?


starofale
Member

Well, magic quotes has been deprecated since 5.3.0, so I would hope that means it's disabled by default. I'm guessing you're not running this on your own machine, so you could check phpinfo() for the setting "magic_quotes_gpc" to confirm whether this is the problem.

As for a solution, you could simply run stripslashes() on your input. Or you could change the value of magic_quotes_gpc with ini_set().
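The following is an added example, not code from either poster, that ties the two halves of this thread together: it shows what magic_quotes_gpc does to a submitted value (it is addslashes() applied to $_GET, $_POST and $_COOKIE before the script runs, which is exactly where the \ in \' OR \'x\'=\'x comes from), how to normalise input so the application behaves the same whether or not the setting is on, and the change that actually removes the injection from the login query in the first post: a prepared statement, so the query text is fixed and the values travel separately. The table name and columns (Users, id, user, pass) are taken from the thread; the PDO DSN and credentials are placeholders, and the helper names are this example's own.

```php
<?php
// Added example, not from the thread. Assumes a MySQL database reachable via PDO
// with a table Users(id, user, pass); the DSN and credentials are placeholders.

// What magic_quotes_gpc does: every ' " \ and NUL byte in a request value is
// escaped with addslashes() before the script sees it. This simulates that.
function simulate_magic_quotes($value) {
    return addslashes($value);
}

// Undo that escaping only when the setting is actually on, so the code works
// identically on servers with and without magic quotes. (get_magic_quotes_gpc()
// exists in PHP 5.3; it is deprecated in 7.4 and gone in 8.0.)
function normalise_input($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Vulnerable shape, as in the first post: user input becomes part of the SQL text.
function build_unsafe_query($user, $pass) {
    return "SELECT id FROM Users WHERE user='$user' and pass='$pass'";
}

// Safe shape: the SQL text is constant; the values are bound parameters, so
// quote characters in the input are data, never syntax. Returns the user id or null.
function find_user_id(PDO $db, $user, $pass) {
    $stmt = $db->prepare('SELECT id FROM Users WHERE user = :user AND pass = :pass');
    $stmt->execute(array(':user' => $user, ':pass' => $pass));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['id'] : null;
}

// Demonstration with a constructed password value (the one from the first post).
$submitted = "' OR 'x'='x";
$escaped   = simulate_magic_quotes($submitted);
echo "raw value:             $submitted\n";
echo "after magic quotes:    $escaped\n";
echo "after stripslashes():  " . stripslashes($escaped) . "\n";
echo "unsafe query text:     " . build_unsafe_query('alice', $submitted) . "\n";

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $db = new PDO('mysql:host=localhost;dbname=PLACEHOLDER_DB', 'PLACEHOLDER_USER', 'PLACEHOLDER_PASS');
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // use server-side prepares
    $id = find_user_id($db,
                       normalise_input($_POST['username']),
                       normalise_input($_POST['password']));
    echo $id === null ? "Your Login Name or Password is invalid\n" : "Logged in as user $id\n";
}
```

Two design points. First, the example checks get_magic_quotes_gpc() and strips rather than trying to change the setting from inside the script: magic_quotes_gpc is applied to the request before any PHP code runs, so it can only be turned off in php.ini, httpd.conf or .htaccess, not from the running page. Second, magic quotes was never a real defence, only a side effect that happened to break this particular payload; with the prepared statement the login works the same with the setting on or off, and the input in the first post simply fails to match a row. Storing passwords in plain text, as the Users table in the thread does, is a separate problem not addressed here.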