I have been surfing these days and got to know about the SQL INJECTION ATTACK. I have tried to implement it on my local machine to learn how it can be done, so that I can prevent it in my system...
I have written code like this:
PHP Code :
<?php
// Deliberately vulnerable test code: $_POST values are concatenated straight into the SQL string.
if (count($_POST) > 0) {
    $con = mysql_connect("localhost", "root", "") or die(mysql_error());
    mysql_select_db('acelera', $con) or die(mysql_error());
    // Print the final query so the effect of the input is visible.
    echo $sql = 'SELECT * FROM acl_user WHERE user_email = "'.$_POST['email'].'" AND user_password = "'.$_POST['pass'].'"';
    $res_src = mysql_query($sql);
    while ($row = mysql_fetch_array($res_src)) {
        echo "<pre>"; print_r($row); echo "</pre>";
    }
}
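HTML CODE :
<html>
<head></head>
<body>
<!-- The inputs must sit inside a POST form, otherwise nothing reaches $_POST -->
<form method="post" action="">
EMAIL : <input type="text" name="email" id="email" /><br />
PASWD : <input type="text" name="pass" id="pass" /><br />
<input type="submit" name="btn_submit" value="submit email pass" />
</form>
</body>
</html>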
By this code, if I give input as " OR ""="
then SQL injection should get done.
But it is not working properly. In the post data I have additional slashes if I give the above input in the password field.
Can anyone show me how actually a SQL INJECTION ATTACK can be done? (Code will be more appreciable.)
Another approach for avoiding SQL injections is using PHP Prepared Statements. A prepared statement is a feature in PHP which enables users to execute similar SQL queries efficiently and repeatedly.
PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context.
PHP code injection is a vulnerability that allows an attacker to inject custom code into the server side scripting engine. This vulnerability occurs when an attacker can control all or part of an input string that is fed into an eval() function call.
Parameterized queries solve SQL Injection vulnerabilities. This example uses PDO to fix the vulnerability but you can still use mysqli functions to prevent SQL Injection.
You probably have magic quotes enabled. Check the return value of get_magic_quotes_gpc().
"Magic quotes" is an antique attempt from PHP to auto-magically prevent SQL injection, but in current versions it has been deprecated and you are encouraged to use prepared statements to avoid SQL injection.
See here how to disable them so you can experiment with SQL injection.
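The prepared-statement approach mentioned above, applied to the lookup from the question, as an added example that is not part of the original posts. The in-memory SQLite database, the sample row and the function name find_user are assumptions made so the script runs offline; the table and column names are the question's.

```php
<?php
// Added example: the question's lookup rewritten with PDO placeholders.
// SQLite in memory and the sample row are constructed for illustration;
// for MySQL only the DSN changes, e.g. 'mysql:host=localhost;dbname=acelera'.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE acl_user (user_email TEXT, user_password TEXT)');
$pdo->exec("INSERT INTO acl_user VALUES ('alice@example.test', 'correct-horse')");

// Hypothetical helper: returns the rows matching both values.
function find_user(PDO $pdo, string $email, string $pass): array
{
    // The SQL text is fixed. The values travel separately as bound
    // parameters, so quotes inside them cannot change the query structure.
    // The comparison against user_password is kept as in the question;
    // a real table would store a password_hash() value instead.
    $stmt = $pdo->prepare(
        'SELECT user_email FROM acl_user
          WHERE user_email = :email AND user_password = :pass'
    );
    $stmt->execute([':email' => $email, ':pass' => $pass]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$input = '" OR ""="';   // the input from the question

// What magic quotes did to $_POST before the script saw it:
// every quote gets a backslash, which is where the extra slashes came from.
echo 'magic-quoted form: ', addslashes($input), "\n";

// The question's input in the password field: treated purely as data.
echo 'rows for quoted input as password: ',
     count(find_user($pdo, 'alice@example.test', $input)), "\n";

// The same input in both fields.
echo 'rows for quoted input in both fields: ',
     count(find_user($pdo, $input, $input)), "\n";

// The constructed valid credentials still match their row.
echo 'rows for valid credentials: ',
     count(find_user($pdo, 'alice@example.test', 'correct-horse')), "\n";
```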