I'm testing my mysql codes vulnerability.
This is the php injection:
$myvar = "varname";
$x = $_GET['arg'];
eval("\$myvar = \$x;");
Or any other php code, like blow:
<?php mysqli_close($conn); ?>
My purpose is to insert them into DB but don't execute them.
Actualy these codes are gonna inserted into DB from an html input form by a user and I wan to display them for the user.(sth like messaging)
Problem:
The problem is that when I try to insert them into DB it fails, my insert query is this:
mysqli_query($conn,"INSERT INTO table (usr,id,message,date) VALUES ($usr,'$id','$message','$date')");
The codes are in $message.
I also should add this validation function:
function validate($data)
{
stripslashes($data);
htmlspecialchars($data);
htmlentities($data);
strip_tags($data);
addslashes($data);
return($data);
}
Before inserting $message into DB I have validated it by this function validate($message) but even this can't fix the problem.
Escape your input data with a real_escape_string function: http://php.net/manual/en/mysqli.real-escape-string.php
Now you can safely create a legal SQL string that you can use in an SQL statement.
To insert code php in database, following this options : 1. To insert data, use htmlspecialchars. example :
$string = '<?php echo "Hello world"; ?>';
htmlspecialchars($string);
Before read/get data, use htmlspecialchars_decode. Example : htmlspecialchars_decode($string);
Hope this maybe can help you :-)