Linux Security: SQL Injection sample PHP
SQL Injection を再現するための簡単なサンプル PHP。フォームの入力値を SQL 文字列へそのまま埋め込んでいる点が脆弱性の原因である。
前提としては MySQL で、別途記載の sec03_users テーブルが必要。
<html>
<body>
<h2>User table</h2>
<?php
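# Deliberately vulnerable SQL injection demonstration page (sec03.php).
# An empty POST renders the account/password form; any other POST runs the
# lookup against sec03_users and prints every row the query returned.
if (empty($_POST)) {
    # Initial query form.
    print <<<EOD
<form action=sec03.php method=post>
<table border=1>
<tr><td>Your Account :</td><td><input type=text name=name></td></tr>
<tr><td>Password :</td><td><input type=password name=pass></td></tr>
</table>
<p>
<input type=submit value="Query">
</form>
* Sample data, student/himitu
EOD;
} else {
    # Query result screen.
    # A POST that lacks one of the two fields is treated as an empty value
    # instead of raising an undefined-index notice.
    $name = isset($_POST['name']) ? $_POST['name'] : '';
    $pass = isset($_POST['pass']) ? $_POST['pass'] : '';

    # INTENTIONALLY VULNERABLE (this is the lesson of the sample): both
    # request values are formatted straight into the SQL text, so the
    # statement's structure is controlled by the client. The fix in real code
    # is a prepared statement with the two values bound as parameters
    # (mysqli or PDO); quoting by hand is not a substitute.
    # NOTE(review): the password is compared as-is in SQL, so it appears to be
    # stored in plaintext; real code stores password_hash() output and checks
    # it with password_verify().
    # SELECT * also fetches sec03_pass even though it is never displayed;
    # naming only the displayed columns limits what a query can return.
    $sql  = "SELECT * FROM sec03_users WHERE ";
    $sql .= sprintf("sec03_name='%s' AND sec03_pass='%s';", $name, $pass);

    # Start from an empty list so the loop below is valid when no row matches.
    $ret = array();
    send_sql($sql, $ret);

    print <<<EOD
<table border=1>
<tr><th>User</th><th>Sei</th><th>Mei</th><th>Description</th><th>Tel</th><th>Addr</th></tr>
EOD;
    foreach ($ret as $line) {
        $cells = array(
            $line['sec03_name'],
            $line['sec03_sei'],
            $line['sec03_mei'],
            $line['sec03_desc'],
            $line['sec03_tel'],
            $line['sec03_addr1'] . ' ' . $line['sec03_addr2'],
        );
        print("<tr>");
        foreach ($cells as $cell) {
            # Database content is data, not markup: escape it for the HTML
            # context before printing. The charset matches the connection's
            # "SET NAMES utf8".
            printf("<td>%s</td>", htmlspecialchars((string) $cell, ENT_QUOTES, 'UTF-8'));
        }
        print("</tr>");
    }
    print("</table>");
}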
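# Generic MySQL query helper.
#
# Connects to the database, executes $sql exactly as given, and appends each
# result row (associative array keyed by column name) to $ret. Any connection
# or query failure terminates the script with the MySQL error text.
#
# $sql  SQL text to execute. It is sent verbatim: this helper does no
#       escaping or parameter binding, so callers own the safety of the text.
# $ret  Output list, passed by reference; rows are appended to it.
#
# NOTE(review): the mysql_* extension used here was removed in PHP 7.0.
# mysqli and PDO are the replacements, and both offer prepared statements.
function send_sql( $sql, &$ret )
{
    # Demo credentials hard-coded in the page source. Real deployments keep
    # them in configuration outside the web root and use a database account
    # limited to the privileges the page needs.
    $db_host = 'localhost';
    $db_user = 'dbuser';
    $db_pass = 'dbpassword';
    $db_name = 'db';

    # Guarantee the caller gets an array back even when no row matches,
    # while still appending when an existing array was passed in.
    if (!is_array($ret)) {
        $ret = array();
    }

    # die(mysql_error()) sends the database error text to the browser, which
    # discloses query and schema details; production code logs the error and
    # shows a generic message instead.
    $conn = mysql_connect($db_host, $db_user, $db_pass)
        or die(mysql_error());

    # mysql_set_charset() is the preferred way to set the connection charset,
    # because it also informs the client library's escaping functions.
    mysql_query("SET NAMES utf8;", $conn);

    # Pass the link explicitly rather than relying on the last-opened one.
    mysql_select_db($db_name, $conn) or die(mysql_error($conn));
    $res = mysql_query($sql, $conn) or die(mysql_error($conn));

    # mysql_query() returns TRUE (not a result set) for statements that yield
    # no rows; only fetch from and free an actual result resource.
    if (is_resource($res)) {
        while ($row = mysql_fetch_array($res, MYSQL_ASSOC)) {
            $ret[] = $row;
        }
        mysql_free_result($res);
    }

    @mysql_close($conn) or die (mysql_error());
}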
?>
</body>
</html>