From bf3c141f3c318b45b1f43d962623587ac26a92a2 Mon Sep 17 00:00:00 2001 From: Marcin Zelent Date: Wed, 30 May 2018 16:53:50 +0200 Subject: Added SQL injection example --- sql-injection/index.html | 25 ++++++++++++++++ sql-injection/login.php | 23 ++++++++++++++ sql-injection/users.db | Bin 0 -> 8192 bytes synopsis.tex | 76 +++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 124 insertions(+) create mode 100644 sql-injection/index.html create mode 100644 sql-injection/login.php create mode 100644 sql-injection/users.db diff --git a/sql-injection/index.html b/sql-injection/index.html new file mode 100644 index 0000000..d3e760b --- /dev/null +++ b/sql-injection/index.html @@ -0,0 +1,25 @@ + + + + Login page + + + + +

Login

+
+
+
+ +
+
+
diff --git a/sql-injection/login.php b/sql-injection/login.php
new file mode 100644
index 0000000..826c38c
--- /dev/null
+++ b/sql-injection/login.php
@@ -0,0 +1,23 @@
+open('users.db');
+ }
+ }
+
+ if(isset($_POST['email'], $_POST['pass']))
+ {
+ $email = $_POST['email'];
+ $pass = $_POST['pass'];
+
+ $db = new MyDB();
+
+ $sql = 'SELECT * FROM Users WHERE email=\''.$email.'\' AND password=\''.$pass.'\'';
+
+ $ret = $db->query($sql);
+ while($row = $ret->fetchArray(SQLITE3_ASSOC)) {
+ echo 'Logged in as '.$row['email'].'
'; + } + $db->close(); + } +?> diff --git a/sql-injection/users.db b/sql-injection/users.db new file mode 100644 index 0000000..9ddf64e Binary files /dev/null and b/sql-injection/users.db differ diff --git a/synopsis.tex b/synopsis.tex index 0f86212..0c8a520 100644 --- a/synopsis.tex +++ b/synopsis.tex @@ -607,4 +607,80 @@ continue studying it in the future. \printbibliography \addcontentsline{toc}{section}{References} +\newpage + +\appendix +\section{SQL injection example} + +\subsection{HTML code} +\begin{minted}{html} + + + + Login page + + + + +
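Review bot: The result of `$db->query($sql)` on the `$ret =` line is never checked; `SQLite3::query()` returns `false` when the statement fails to parse or run, and because the query is built by string concatenation a malformed field value makes that easy, after which `$ret->fetchArray(SQLITE3_ASSOC)` is called on a boolean and the script aborts instead of showing what happened. A guard such as `if ($ret === false) { die('Query failed: '.$db->lastErrorMsg()); }` before the `while` keeps the demonstration output meaningful. Since the injectable concatenation is the point of this file, a header comment stating that it is intentionally vulnerable and that real code should use `SQLite3::prepare()` with `bindValue()` would stop it being copied as a template; the same code is reproduced verbatim in the synopsis.tex hunk. The opening tag and the `MyDB` class header are not visible in the hunk as shown, so the constructor whose `open('users.db')` call opens it starts outside this view.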

Login

+
+
+
+ +
+ + +\end{minted} +\newpage + +\subsection{PHP code} +\begin{minted}{php} +open('users.db'); + } + } + + if(isset($_POST['email'], $_POST['pass'])) + { + $email = $_POST['email']; + $pass = $_POST['pass']; + + $db = new MyDB(); + + $sql = 'SELECT * FROM Users WHERE email=\''.$email. + '\' AND password=\''.$pass.'\''; + + $ret = $db->query($sql); + while($row = $ret->fetchArray(SQLITE3_ASSOC)) { + echo 'Logged in as '.$row['email'].'
'; + } + $db->close(); + } +?> +\end{minted} +\newpage + +\subsection{SQL code} +\begin{minted}{sql} +CREATE TABLE Users ( + email varchar(32), + password varchar(32) +); + +INSERT INTO Users VALUES('test@mail.com','password'); +INSERT INTO Users VALUES('marcin@mail.com','pass'); +\end{minted} +\newpage + \end{document} -- cgit v1.2.3