I know the basics of SQL Injection and how to avoid it. I know my code is vulnerable, but I'm trying to inject SQL and it is not working. This is about knowing HOW it is vulnerable, because in practice, I cannot do it.
This is the code:
$email = filter_input(INPUT_GET, 'email');
if ($email != '') {
    try {
        // $email is interpolated straight into the SQL string
        $stm1 = $db->query("SELECT * from clients WHERE email = '$email'");
        $result = $stm1->fetchAll();
    } catch (Exception $ex) {
        echo $ex->getMessage();
    }
}
I'm trying to inject via this input
<input id="textinput" name="email" type="text">
and I'm using codes like:
'; UPDATE clients set status = 0 WHERE client_id = 1
Note that this is a valid SQL Query.
My real questions are:
First, $email = filter_input(INPUT_GET, 'email'); does nothing: it's the same as $email = filter_input(INPUT_GET, 'email', FILTER_DEFAULT);, and FILTER_DEFAULT is documented as "do nothing".
Second, PDO's query function does appear to support multiple statements (albeit in a rather annoying to use manner, and I can't say I've personally played with it). See: PHP PDO multiple select query consistently dropping last rowset
Third, even without multiple statement support, $email could be populated with something like nobody@example.com' OR username='admin to return data you didn't plan on returning to the user.
Fundamentally: stop worrying about whether bad code is exploitable, and start writing good code instead. Start using properly prepared statements and don't worry about injection anymore.
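As an added example (not the asker's or the answerer's code), here is the same lookup rewritten with a prepared statement, which is the fix the answer recommends. The DSN, credentials and the findClientByEmail helper are assumptions; the fallback input is the payload from the answer's third point, used here to show that it is bound as a literal value rather than parsed as SQL.

```php
<?php
// Added example, not from the original post. DSN and credentials are assumed.
$db = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    'app_password',
    [
        // Throw on SQL errors instead of silently returning false.
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Use server-side prepared statements so values never enter the SQL text.
        PDO::ATTR_EMULATE_PREPARES => false,
        // Refuse stacked statements ("...'; UPDATE ...") at the driver level.
        PDO::MYSQL_ATTR_MULTI_STATEMENTS => false,
    ]
);

// Hypothetical helper: the SQL text holds only a placeholder; the value travels separately.
function findClientByEmail(PDO $db, string $email): array
{
    $stmt = $db->prepare('SELECT * FROM clients WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: the injection string from the answer, used when no GET value exists.
$email = filter_input(INPUT_GET, 'email') ?? "nobody@example.com' OR username='admin";
if ($email !== '') {
    try {
        // Matches only a row whose email column equals the whole string literally, i.e. none.
        $result = findClientByEmail($db, $email);
        echo count($result) . " row(s)\n";
    } catch (PDOException $ex) {
        // Keep driver error text out of the response; log it server-side instead.
        error_log($ex->getMessage());
        echo "Lookup failed\n";
    }
}
```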