sql time

SUBMITTED BY: leakage

DATE: Nov. 29, 2015, 3:25 a.m.

FORMAT: Text only

SIZE: 3.8 kB

Raw Download

HITS: 47232

Report
  1. <?php include("../includes/header.inc"); ?>
  3. <div class="col">
  4. <h2>Budget Listing</h2>
  7. <?php
  8. $search = "";
  9. if (isset($_POST["search"]))
  10. $search = $_POST["search"];
  11. ?>
  13. <form method="post">
  14. Enter your budget (no decimals - ex: 50) : <input type="text" name="search" size="40" value="<?php echo htmlentities($search); ?>" />
  15. <input type="submit" name="submit" value="Go!" />
  16. </form><br /><br />
  19. <?php
  20. // Define vars.
  21. $conn = @mysql_connect(DB_SERVER, DB_USER, DB_PWD);
  22. $query = "SELECT id, name, description, (SELECT MAX(price) FROM products WHERE price <= $search AND ".
  23. "categories.id = category) AS maxamount FROM categories HAVING maxamount IS NOT NULL";
  25. // Connection is OK.
  26. if ($conn)
  27. {
  28. // Table head.
  29. echo '<table class="listTable" cellspacing="0" cellpadding="0">';
  30. echo '<tr>';
  31. echo '<td class="listHead">Category</td>';
  32. echo '<td class="listHead">Best item price</td>';
  33. echo '</tr>';
  35. if ($search == "")
  36. {
  37. echo '<tr>';
  38. echo '<td colspan="2" class="listRow" style="text-align:center;"><i>Enter something in the search box</i></td>';
  39. echo '</tr>';
  40. $query = "<i>No query was executed because search is empty.</i>";
  41. }
  42. // Execute query.
  43. else
  44. {
  45. @mysql_select_db(DB_NAME);
  46. $result = @mysql_query($query);
  48. if (@mysql_num_rows($result)==0)
  49. {
  50. echo '<tr>';
  51. echo '<td colspan="2" class="listRow" style="text-align:center;"><i>No product match - Try with a higher budget.</i></td>';
  52. echo '</tr>';
  53. }
  54. else
  55. {
  56. // Listing data in table.
  57. while ($row = @mysql_fetch_array($result))
  58. {
  59. echo '<tr>';
  60. echo '<td class="listRow">'.$row[1].'</td>';
  61. echo '<td class="listRow">'.$row[3].'</td>';
  62. echo '</tr>';
  63. }
  64. }
  65. }
  66. echo '</table>';
  67. }
  69. // Show debug boxes (MySQL error and Query generated).
  70. include("../includes/debug.inc");
  71. ?>
  72. </div>
  74. <div class="col last">
  75. <h3>Context</h3>
  76. <div class="case">
  77. <p><font class="caseTitle">Page purpose</font><br />
  78. This page allows the customer to do a budget search. The listing on the left should be read as follows :
  79. &quot;The best item you can buy under [budget entered in textbox] costs [price]&quot;.</p>
  80. </div>
  81. <div class="case">
  82. <p><font class="caseTitle">Goal</font><br />
  83. Try to find out what is the structure of the query and then list all the products of the database.
  84. Then you could try to recover data from other tables (complete SQL injection attack).</p>
  85. </div>
  86. <div class="lastcase">
  87. <p><font class="caseTitle">Parameter</font><br />
  88. The parameter for the SQL injection is given by the search field and it is transfered to the PHP script through
  89. &quot;POST&quot; method. You can try to enter &quot;RAM&quot; in the search field. This will generate a query
  90. that returns results.
  91. </div>
  92. </div>
  93. <div class="divclear"></div>
  97. <?php include("../includes/footer.inc"); ?>
comments powered by Disqus