How to make my PHP website vulnerable to SQL injection

Question

For training purposes, I want to make a demo website vulnerable to SQL injection. I went to the .htaccess file in the server and added these 2 lines:

php_flag magic_quotes_gpc Off
php_flag register_globals on

SQL injection that performed by manipulating the input fields worked well. However, there is a type of SQL injection attack in which the attacker tries to play with the variables sent in the URL to infer information about the data base. The latter is not working with me.

If there is anything else that I must do to enable the SQL injection in my website, please, help me.

Isn't better to just find many of that purposely vulnerable sites out there to play? I wouldn't put this website on internet too or someone can sudden take control over your server without you notice — Freedo, Apr 24 '15 at 18:50
Download the `Damn Vulnerable Web App` and have fun. It's properly misconfigured for you. — ThoriumBR, Apr 24 '15 at 19:04
It would be helpful if you added more context to your question (otherwise it's a duplicate of the more general "what's SQL injection" question). What is your code? You say one attack worked: What does that attack look like? And what does the attack look like which doesn't work? — tim, Apr 25 '15 at 07:18

score -3 · Answer 1 · answered Apr 24 '15 at 20:56

-3

It's a problem of web page design/implementation. If it's bad designed (composing SQL statements on the fly mixing them with written literals) SQL injection issue exists. If it's well designed there is no way to do that attack.

answered Apr 24 '15 at 20:56

Manuel Lucas

7
1

1

This is not really an answer. – schroeder Apr 24 '15 at 23:07
1

Then you don't know what SQL inyection is. – Manuel Lucas Apr 25 '15 at 19:04
It is not an answer because the question is how to make your web application vulnerable to SQL injections, not what it is. – Kevin Jan 02 '19 at 13:41

How to make my PHP website vulnerable to SQL injection

1 Answers1