So I'm trying to design a very simple and vulnerable website to demo how an SQL injection works, but when I attempt an injection with
');SELECT * FROM users;--
I get an error message stating:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'SELECT * FROM users;--')' at line 1
Source code is as follows :
welcome1.html:
<form action="test.php" method="get">
<div><label for="firstname">First name:
<input type="text" name="firstname" id="firstname"/></label>
</div>
<div><label for="lastname">Last name:
<input type="text" name="lastname" id="lastname"/></label></div>
<div><label for="email">E-mail :
<input type="text" name="email" id="email"/></label></div>
<div><label for="password">password:
<input type="text" name="password" id="password"/></label></div>
<div><input type="submit" value="GO"/></div>
</form>test.php:
<html>
<body>
<?php
$con = @mysql_connect("localhost","root","");
if (!$con)
{
die('Could not connect ' . mysql_error());
}
mysql_select_db("accounts", $con);
$firstname = $_GET['firstname'];
$lastname = $_GET['lastname'];
$email = $_GET['email'];
$password = $_GET['password'];
$sql="INSERT INTO users(firstname, lastname, email, password)
VALUES
('$firstname','$lastname','$email','$password')";
if(!mysql_query("INSERT INTO users(firstname, lastname, email, password) VALUES ('$firstname','$lastname','$email','$password')"))
{
die('Error: ' . mysql_error());
}
echo "1 record added";
mysql_close($con)
?>
</body>
</html>running on WAMP server 3.0.6 on win10 I'm a noob when it comes to html/php if it wasn't obvious thanks
</div>
