PHP MySQL Injections


Good evening, everyone. In the context of exploiting the vulnerabilities of my code, I decided to test a MySQL injection, first escaping the strings and now without escaping them... They do not seem to be working!

Here's my query:

public function e($var)
{
  // Escape for the connection's charset (safe inside an SQL string literal), then
  // HTML-encode. Note that HTML-encoding before the INSERT changes the stored value
  // (a quote becomes &#039;); HTML encoding normally belongs at output time.
  $escaped_info = mysqli_real_escape_string($this->mysqli, $var);
  return htmlspecialchars($escaped_info, ENT_QUOTES, 'UTF-8');
}

public function selectionQueryLike($table, $id, $column)
{
  // All three parts are required (&&, not ||), otherwise an empty table or column
  // name is interpolated into the statement.
  if (!empty($table) && !empty($id) && !empty($column))
  {
    // Deliberately unescaped: $table, $column and $id go into the SQL text as-is.
    // This is the injection point under test. query() returns a mysqli_result,
    // or false if the injected text is not valid SQL.
    $sql = "SELECT * FROM $table WHERE $column LIKE '%{$id}%'";
    return $this->mysqli->query($sql);
  }
  return false;
}

And here I am calling the method:

<?php
  if (isset($_POST['st_process']) === true && empty($_POST['st_process']) === false) {
    include("../Query-core.php");
    include('../db.php');

    // DBRequest wraps the mysqli connection (defined in Query-core.php).
    $authentication = new DBRequest('localhost', 'root', '', 'contas');

    // The search term comes straight from the POST body; nothing escapes it.
    $selectedstudents = $authentication->selectionQueryLike("alunos", $_POST['st_process'], "student_process");

    // query() returns false when the (injected) statement fails to parse;
    // mysqli_num_rows(false) would raise an error instead of showing zero rows.
    if ($selectedstudents === false) {
      echo "Query failed: the statement was rejected by MySQL.";
    } elseif (mysqli_num_rows($selectedstudents) > 0) {
      echo "<table><tr><th>Nome</th><th>NºProcesso</th><th>ID</th></tr>";

      while ($row = $selectedstudents->fetch_assoc()) {
        // Encode at output time so stored values cannot inject HTML into this page.
        echo "<tr>";
        echo "<td><a href='#'>" . htmlspecialchars($row["student_name"], ENT_QUOTES, 'UTF-8') . "</a></td>";
        echo "<td>" . htmlspecialchars($row["student_process"], ENT_QUOTES, 'UTF-8') . "</td>";
        echo "<td>" . htmlspecialchars($row["student_ID"], ENT_QUOTES, 'UTF-8') . "</td>";
        echo "</tr>";
      }
      echo "</table>";
    }
  }
?>

Screenshot:

If I understand correctly, my query should be valid and look like this:

Select * FROM alunos WHERE student_process = '%';--"

    
asked by anonymous 07.12.2017 / 00:18

0 answers
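The following is an added example and not code from the post above or its author. It rebuilds the LIKE lookup from the question in two forms, the vulnerable string-concatenation version and a prepared-statement version with an identifier whitelist, and shows why a `';--` payload with no trailing space is rejected by MySQL rather than "working": MySQL only treats `--` as a comment when the second dash is followed by whitespace, and `mysqli::query()` runs a single statement, so a stacked `; DROP ...` is not executed either. It assumes a MySQL server on localhost, database `contas`, table `alunos` with the columns `student_name`, `student_process` and `student_ID`, and the same root/empty-password credentials as the question (all assumptions taken from the post).

```php
<?php
// Added example, not code from the original post. Assumptions: MySQL on localhost,
// database `contas`, table `alunos` with columns student_name, student_process,
// student_ID, credentials root / empty password (as in the question).
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // exceptions instead of a silent false

// Vulnerable form: builds the SQL text exactly as the question's selectionQueryLike() does.
// Returned as a string so the injected statement can be inspected before it is run.
function buildVulnerableQuery(string $table, string $id, string $column): string
{
    return "SELECT * FROM $table WHERE $column LIKE '%{$id}%'";
}

// Hardened form: identifiers come from a whitelist (escaping cannot protect a table or
// column name), the value is bound as a parameter, and LIKE wildcards typed by the user
// are escaped so that they match literally instead of widening the search.
function selectionQueryLikeSafe(mysqli $db, string $table, string $id, string $column): array
{
    $allowed = ['alunos' => ['student_name', 'student_process', 'student_ID']];
    if (!isset($allowed[$table]) || !in_array($column, $allowed[$table], true)) {
        throw new InvalidArgumentException("unknown table/column: $table.$column");
    }
    // Backslash is MySQL's default LIKE escape character, so "\%" and "\_" match literally.
    $pattern = '%' . addcslashes($id, '%_\\') . '%';
    $stmt = $db->prepare("SELECT * FROM `$table` WHERE `$column` LIKE ?");
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd
}

$db = new mysqli('localhost', 'root', '', 'contas');
$db->set_charset('utf8mb4'); // escaping is only correct for the connection charset

// 1. The payload from the question, "';--", with no trailing space. MySQL treats "--"
//    as a comment only when it is followed by whitespace, so the tail "%'" is not
//    commented out, the quotes no longer balance, and the server rejects the
//    statement with a syntax error (mysqli::query() returns false, or throws here).
$noSpace = "';--";
echo buildVulnerableQuery('alunos', $noSpace, 'student_process'), "\n";
// SELECT * FROM alunos WHERE student_process LIKE '%';--%'   <- not valid SQL

// 2. Same idea with a trailing space: "-- %'" is now a comment, what remains is
//    LIKE '%', and every row comes back. A stacked "; DROP ..." would still not run
//    through mysqli::query(), which executes one statement (multi_query() is needed).
$withSpace = "'-- ";
$sql = buildVulnerableQuery('alunos', $withSpace, 'student_process');
echo $sql, "\n";
// SELECT * FROM alunos WHERE student_process LIKE '%'-- %'
$all = $db->query($sql)->fetch_all(MYSQLI_ASSOC);
printf("vulnerable query with comment payload returned %d row(s)\n", count($all));

// 3. The hardened lookup treats the same payload as a literal substring; it matches
//    nothing unless a process number really contains the characters '-- .
$rows = selectionQueryLikeSafe($db, 'alunos', $withSpace, 'student_process');
printf("prepared statement returned %d row(s)\n", count($rows));

// 4. The whitelist is what protects $table and $column, which no escaping function can:
try {
    selectionQueryLikeSafe($db, 'alunos WHERE 1=1 -- ', 'x', 'student_process');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Run it as `php example.php` against the assumed database. Step 1 is what the screenshot in the question most likely hit: the statement is not valid MySQL, so `query()` returns `false` and `mysqli_num_rows(false)` fails rather than the table being dumped. Step 2 shows the smallest change that makes the comment trick work on MySQL. Steps 3 and 4 show that binding the value and whitelisting identifiers closes both the value injection and the table/column injection that `mysqli_real_escape_string()` does nothing about.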