
This is for my school project. Currently I have made a login form and a login process code. When people want to log in, they need the email, username and password. One of the criteria for my project is to perform SQL injections on it. I tried typing `OR 1=1 --` into all the fields of the login page but I am unable to pass through the login page.

This is my login page code.

<?php include('server.php') ?>
<!DOCTYPE html>
<html>
<head>
  <title>Registration system PHP and MySQL</title>
</head>
<body>
  <div class="header">
    <h2>Login</h2>
  </div>

  <form method="post" action="login.php">
    <?php include('errors.php'); ?>
    <div class="input-group">
        <label>Username</label>
        <input type="text" name="username" value="<?php if(isset($_COOKIE["username"])) echo $_COOKIE["username"]; ?>"/>
    </div>

    <div class="input-group">
        <label>Email</label>
        <input type="text" name="email" value="<?php if(isset($_COOKIE["email"])) echo $_COOKIE["email"]; ?>"/>
    </div>

    <div class="input-group">
        <label>Password</label>
        <input type="password" name="password">
    </div>
    <div class="input-group">
        <button type="submit" class="btn" name="login_user">Login</button>
    </div>
    <p>
        Not yet a member? <a href="register.php">Sign up</a>
    </p>


  </form>
</body>
</html>

<?php
$UserId= $_REQUEST['UserId'];
$email= $_REQUEST['email'];
setcookie($UserId, $email, time() + (86400 * 30 ), "/");

This is my login process code.

<?php
session_start();

// initializing variables
$username = "";
$email    = "";
$errors = array(); 

// connect to the database
$db = mysqli_connect('localhost', 'root', '', 'for security reasons');

if (isset($_POST['login_user'])) {
  $username = mysqli_real_escape_string($db, $_POST['username']);
  $email = mysqli_real_escape_string($db, $_POST['email']);
  $password = mysqli_real_escape_string($db, $_POST['password']);


  if (empty($username)) {
    array_push($errors, "Username is required");
  }
  if (empty($email)) {
    array_push($errors, "Email is required");
  }
  if (empty($password)) {
    array_push($errors, "Password is required");
  }

  if (count($errors) == 0) {
    $password = md5($password);
    $query = "SELECT * FROM users WHERE username='$username' AND email='$email' AND password='$password'";
    $results = mysqli_query($db, $query);
    if (mysqli_num_rows($results) == 1) {
      $_SESSION['username'] = $username;
      $_SESSION['success'] = "You are now logged in";
      header('location: index.php');
      exit(); // stop here so nothing after the redirect header keeps running
    }else {
        array_push($errors, "Wrong username/password combination");
    }
  }
}

?>

What should I type in the username, email and password fields so I can bypass the page?

Coolkeed
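The following is an added editorial example, not part of the question or of any answer. It stands in for the posted PHP and MySQL code: it rebuilds a three-column `users` table in SQLite (constructed sample rows, passwords stored as unsalted MD5 as in the post), runs the posted login query three ways, and shows what `' OR 1=1 -- ` in the username field does to each. The function names `make_db`, `escape`, `login_unescaped`, `login_escaped` and `login_prepared` are assumptions made here. `escape()` doubles quotes because SQLite has no backslash escapes; `mysqli_real_escape_string` backslash-escapes on MySQL instead, with the same effect on the query.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed stand-in for the question's `users` table.

    Assumption: the same three columns the posted query names, with the
    password column holding an unsalted MD5 hex digest as in the post.
    SQLite is used only so the example runs offline without a MySQL server.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, email TEXT, password TEXT)")
    sample_users = [  # constructed sample data
        ("alice", "alice@example.com", hashlib.md5(b"correct horse").hexdigest()),
        ("bob", "bob@example.com", hashlib.md5(b"hunter2").hexdigest()),
    ]
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", sample_users)
    return db


def escape(value):
    """Stand-in for mysqli_real_escape_string.

    MySQL escapes a quote as \\' ; SQLite has no backslash escapes, so the
    quote is doubled instead. The effect is the same: a quote typed into a
    form field can no longer terminate the string literal it sits in.
    """
    return value.replace("'", "''")


def login_unescaped(db, username, email, password):
    """The posted query built from RAW input, i.e. with the three
    mysqli_real_escape_string calls removed. Returns the number of rows the
    query matches, which is what mysqli_num_rows would report."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = (f"SELECT * FROM users WHERE username='{username}' "
           f"AND email='{email}' AND password='{pw_hash}'")
    return len(db.execute(sql).fetchall())


def login_escaped(db, username, email, password):
    """Mirrors the posted login process: escape every field, MD5 the
    (escaped) password, concatenate, and accept only an exact single row."""
    username, email = escape(username), escape(email)
    pw_hash = hashlib.md5(escape(password).encode()).hexdigest()
    sql = (f"SELECT * FROM users WHERE username='{username}' "
           f"AND email='{email}' AND password='{pw_hash}'")
    return len(db.execute(sql).fetchall()) == 1


def login_prepared(db, username, email, password):
    """The fix: a parameterised query. Input never becomes part of the SQL
    text, so no escaping is needed (mysqli_prepare + bind_param in PHP)."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    rows = db.execute(
        "SELECT * FROM users WHERE username=? AND email=? AND password=?",
        (username, email, pw_hash),
    ).fetchall()
    return len(rows) == 1


if __name__ == "__main__":
    db = make_db()
    # The trailing space matters on MySQL, where "-- " needs whitespace after it.
    payload = "' OR 1=1 -- "
    print("raw query, OR 1=1:", login_unescaped(db, payload, "x", "x"), "rows")
    print("raw query, OR 1=1 LIMIT 1:",
          login_unescaped(db, "' OR 1=1 LIMIT 1 -- ", "x", "x"), "rows")
    print("posted (escaped) code:", login_escaped(db, payload, payload, payload))
    print("prepared statement:", login_prepared(db, payload, payload, payload))
    print("real credentials, escaped:",
          login_escaped(db, "alice", "alice@example.com", "correct horse"))
```

Two things the posted code does explain the failed attempt. Every field goes through `mysqli_real_escape_string` before it is concatenated, so the quote in `' OR 1=1 -- ` stays inside the string literal and the query simply looks for a user whose name is that text; the password is reduced to a 32-character hex MD5 digest, so nothing typed into that field can reach the query at all. Even against the raw, unescaped query, `' OR 1=1 -- ` matches every row, and the posted `mysqli_num_rows($results) == 1` check rejects anything but exactly one row, which is why the `LIMIT 1` variant is shown alongside it. Escaping is still the fragile defence: it depends on the connection character set (set it with `mysqli_set_charset`) and on the value being quoted in the query, whereas a prepared statement removes the problem. Unsalted MD5 is not a password hash; `password_hash()` and `password_verify()` are the PHP replacements.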