-4

For training purposes, I want to make a demo website vulnerable to SQL injection. I went to the .htaccess file in the server and added these 2 lines:

```
php_flag magic_quotes_gpc Off
php_flag register_globals on
```

SQL injection performed by manipulating the input fields worked well. However, there is a type of SQL injection attack in which the attacker tries to play with the variables sent in the URL to infer information about the database. The latter is not working for me.

If there is anything else that I must do to enable SQL injection on my website, please help me.

user2192774
  • 1
    Isn't it better to just find some of those purposely vulnerable sites out there to play with? I wouldn't put this website on the internet either, or someone could suddenly take control of your server without you noticing – Freedo Apr 24 '15 at 18:50
  • 8
    Download the `Damn Vulnerable Web App` and have fun. It's properly misconfigured for you. – ThoriumBR Apr 24 '15 at 19:04
  • It would be helpful if you added more context to your question (otherwise it's a duplicate of the more general "what's SQL injection" question). What is your code? You say one attack worked: What does that attack look like? And what does the attack look like which doesn't work? – tim Apr 25 '15 at 07:18

1 Answer

-3

It's a problem of web page design/implementation. If it's badly designed (composing SQL statements on the fly, mixing them with written literals), the SQL injection issue exists. If it's well designed, there is no way to do that attack.
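
The difference the answer describes, shown for a value taken from the URL. This is an added example, not part of the original answer. The table, data and function names are constructed, and an in-memory SQLite database accessed through PDO stands in for the site's real database.

```php
<?php
// Added example: constructed schema and rows, in-memory SQLite via PDO.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, hidden INTEGER)');
$pdo->exec("INSERT INTO products VALUES (1, 'mug', 0), (2, 'pen', 0), (3, 'unreleased', 1)");

// "Badly designed": the URL value is pasted into the SQL text, so whatever
// it contains is parsed as part of the statement.
function find_concatenated(PDO $pdo, string $id): array
{
    $sql = 'SELECT name FROM products WHERE hidden = 0 AND id = ' . $id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// "Well designed": the statement text is fixed and the value is bound to a
// placeholder, so it is only ever compared as data.
function find_parameterized(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT name FROM products WHERE hidden = 0 AND id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed stand-ins for $_GET['id']: a normal value and one that
// carries SQL syntax.
$inputs = ['2', '2 OR 1=1'];

foreach ($inputs as $id) {
    printf(
        "id=%-10s concatenated: [%s]  parameterized: [%s]\n",
        $id,
        implode(', ', find_concatenated($pdo, $id)),
        implode(', ', find_parameterized($pdo, $id))
    );
}
```

For the second input, the concatenated query returns every row, including the one marked hidden, while the parameterized query returns nothing because no `id` equals the literal text `2 OR 1=1`.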