I will make this short and go straight to the point.

I am testing SQLI Login bypass on a PHP Code I have made below.

if(isset($_POST["login"]) && isset($_POST["password"])){


$sql="select * from users where login='{$_POST["login"]}' and password='{$_POST["password"]}'";


$result=mysqli_query($conn, $sql);


if(mysqli_num_rows($result) != 0)
    echo "<h1>Login Success!</h1>";


else
    echo "<h1>Invalid Login!</h1>";


} 

I am using admin' -- as the login field in order to successfully bypass login without entering a password.

But the problem is it doesn't work but when I tried using this admin' -- ' -- instead it works.

So question is how and why does that particular cheat sheet works instead but not the first one?

This admin' -- ' -- works but not this admin' --

These are the server-side code when I enter these 2 cheat sheets.

The bypass that doesn't work.

$sql="select * from users where login='admin' --' and password='{$_POST["password"]}'"; 

The bypass that works.

$sql="select * from users where login='admin' -- ' --' and password='{$_POST["password"]}'"; 

Just need some clarification or explanation on how and why the 1st cheat sheet doesn't work but the 2nd one works. Thank you!

1 Answers

-1
K. P. On

You have some real syntax errors in your code:

First: don't do something like this: $sql="select * from users where login='{$_POST["login"]}' and password='{$_POST["password"]}'";

The correct way is to create a variable that is equals to the value of login and password. Example:

$login=$_POST['login'];
$password=$_POST['password'];

After this, your query should look like this:

$sql="select * from users where login='$login' and password='$password'";