I am a software developer converting to application security and I have some doubts about an SQL injection example.
I am following a tutorial related to the famous DVWA: http://www.dvwa.co.uk/
So I have the following doubt (probably pretty trivial).
I have this PHP code defining the query and the code to perform it:
<?php

if( isset( $_GET[ 'Submit' ] ) ) {
    // Get input
    $id = $_GET[ 'id' ];

    // Check database
    $getid  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors

    // Get results
    $num = @mysqli_num_rows( $result ); // The '@' character suppresses errors

    if( $num > 0 ) {
        // Feedback for end user
        $html .= '<pre>User ID exists in the database.</pre>';
    }
    else {
        // User wasn't found, so the page wasn't!
        header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

        // Feedback for end user
        $html .= '<pre>User ID is MISSING from the database.</pre>';
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?>
As you can see, the query is defined by string concatenation:
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
So I can inject what I want into the $id variable and execute extra SQL code such as:
$id = 1 OR 1=1
which will always be true. OK, this is clear.
My doubt is different:
Inserting a valid value (such as 1) into the form, I obtain this URL: http://localhost/DVWA-master/vulnerabilities/sqli_blind/?id=1&Submit=Submit#
The query is performed correctly and I obtain the following result message: User ID exists in the database.
If I try to insert a totally wrong ID in the form, for example "ABC", I obtain the following error message: User ID is MISSING from the database. OK, and this is fine.
But if I try to insert a "wrong" value such as 1' in the form, the following URL is generated: http://localhost/DVWA-master/vulnerabilities/sqli_blind/?id=1%27&Submit=Submit#
And I obtain a valid message: User ID is MISSING from the database.
So it seems that the query was executed correctly, searching for the user with ID=1.
Why is the ' char not breaking the query? I was thinking that it would have to search for a user with ID=1' that does not exist in the database (as in the case of ID=ABC).
Why? What am I missing? It is probably a trivial question but I want to understand it in depth.
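The behaviour the question describes, modelled as an added example (editor's code, not code from the post or from DVWA): the same concatenated query is run against a constructed in-memory SQLite table standing in for DVWA's users table, for the inputs 1, ABC and 1'. A lone quote leaves the query with an unterminated string literal, so the database refuses to execute it at all; mysqli_query returns false on such a failure, the @ in the PHP hides the resulting warning, and a result of "no rows" is reported with the same MISSING message as a genuine miss. The script keeps the database error alongside the message so the two cases can be told apart, adds the payload 1' OR '1'='1 to show that a syntactically valid injection does change the answer, and includes a parameterised check for contrast. The table contents, the names make_db, check_user and safe_check_user, and the use of SQLite in place of MySQL are all assumptions of this example.

```python
import sqlite3

# Constructed sample data standing in for DVWA's users table (assumption,
# not DVWA's real seed data).
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
]

MSG_EXISTS = "User ID exists in the database."
MSG_MISSING = "User ID is MISSING from the database."


def make_db():
    """In-memory SQLite database with a users table shaped like the one the query expects."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def build_query(user_id):
    """Same string concatenation as the DVWA snippet: the input lands inside the quotes untouched."""
    return f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}';"


def check_user(conn, user_id):
    """Vulnerable check mirroring the PHP: returns (message, database_error_or_None).

    The page's code discards the failed query (the '@' suppresses the warning), so a
    query the database cannot parse looks exactly like a query that matched nothing.
    Here the exception is caught and returned next to the message so the reader can
    see which of the two cases actually happened.
    """
    query = build_query(user_id)
    try:
        rows = conn.execute(query).fetchall()
        num, error = len(rows), None
    except sqlite3.Error as exc:  # e.g. unterminated string literal caused by a lone quote
        num, error = 0, str(exc)
    return (MSG_EXISTS if num > 0 else MSG_MISSING), error


def safe_check_user(conn, user_id):
    """Parameterised version: the driver binds the value, so a quote is just data."""
    rows = conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()
    return MSG_EXISTS if rows else MSG_MISSING


if __name__ == "__main__":
    conn = make_db()
    for value in ["1", "ABC", "1'", "1' OR '1'='1"]:
        message, error = check_user(conn, value)
        print(f"{value!r:18} vulnerable    -> {message} (db error: {error})")
        print(f"{'':18} parameterised -> {safe_check_user(conn, value)}")
```

Run stand-alone, the script prints one pair of lines per input: 1 and ABC behave as the question reports, 1' produces MISSING together with a non-empty database error (the query never ran), and 1' OR '1'='1 produces the "exists" message because the injected condition is always true. The parameterised check returns "exists" only for 1 and treats every other string, quotes included, as a value that matches no row.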