I'm testing my mysql codes vulnerability.
This is the php injection:
$myvar = "varname";
$x = $_GET['arg'];
eval("\$myvar = \$x;");
Or any other php code, like blow:
<?php mysqli_close($conn); ?>
My purpose is to insert them into DB but don't execute them.
Actualy these codes are gonna inserted into DB from an html input form by a user and I wan to display them for the user.(sth like messaging)
Problem:
The problem is that when I try to insert them into DB it fails, my insert query is this:
mysqli_query($conn,"INSERT INTO table (usr,id,message,date) VALUES ($usr,'$id','$message','$date')");
The codes are in $message
.
I also should add this validation function:
function validate($data)
{
stripslashes($data);
htmlspecialchars($data);
htmlentities($data);
strip_tags($data);
addslashes($data);
return($data);
}
Before inserting $message
into DB I have validated it by this function validate($message)
but even this can't fix the problem.
I have searched but there's no results for this question in google!
Any one knows how to insert codes into mysql database?