Topic: "SQL Injection" (page 1 of 1)

AxelFox
Hello everyone,

I have just been experimenting a bit with PHP Sessions and User Authentication using Sessions and when it all worked, I wanted to see if my scripts were vulnerable to SQL Injection. I tried every way and example there is on the web to exploit SQL Injection and none of them seems to work on my server (Yes, I know that's a good thing). But I just don't understand why it doesn't work. I have done no input validation of any kind and I still can't seem to get SQL Injection to work.

Does anyone have an idea how this could be?

Extra info:
I have a page called login.php which first resets the $_SESSION['user'] variable and then displays a form where you can input user and pass and sends it to protected.php. On protected.php, a file auth.inc.php is included which first checks if there is a $_SESSION['user'] variable; if there isn't, it checks if there is a $_POST['user'] variable; if there isn't, it returns to the login.php page. If there is, it queries a MySQL Database to see if there are any rows with the user/pass combination. If there is, it does nothing (thus displaying the protected.php page); if there isn't, it returns to the login.php page.

To query the database I first put the user and pass in a variable:
$user=$_POST['user']; // raw POST value, no escaping
$pass=$_POST['pass']; // raw POST value, no escaping
and the query looks something like this:
$mquery="SELECT * FROM `members` WHERE `User`='$user' AND `Pass`='$pass'"; // both values interpolated directly into the SQL

Regards,
Axel Fox.
theblacksheep
The reason might be that magic_quotes is on. Check phpinfo().
That means these chars get escaped:
'
"
NUL byte (%00)
Then you are not able to break out of your SQL statement to insert your own information.
AxelFox
Nope, magic_quotes_gpc is off, as are all magic_quotes_* thingies.
AxelFox
I just discovered something that explained why my SQL Injection attacks didn't work. My scripts are vulnerable to SQL Injection, but apparently the MySQL server doesn't end the query on -- and since I never opened the single quote again, the query has an uneven number of single quotes which resulted in a MySQL Error. It doesn't display this error, but since there are no rows found matching the username/password combination, I am redirected to the login.php page.
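The login check from the first post, shown as an added example (not the poster's own code) first in its vulnerable string-built form and then rewritten with a mysqli prepared statement, which is the fix for the problem the last post identifies: the query broke only because the injected quote left the SQL unbalanced, not because the script was protected. Table and column names follow the thread; the connection details and session handling are assumptions.

```php
<?php
// Added example for the auth.inc.php flow described in the thread.
// Assumes a `members` table with `User` and `Pass` columns (from the thread);
// host, database and credentials below are placeholders.
session_start();

// Vulnerable (as in the thread): $user and $pass become part of the SQL text,
// so a quote in either value changes the statement. The poster's attempt only
// failed because the resulting quotes were unbalanced and MySQL raised an
// error; the script then treated "no rows" as a failed login.
function build_login_query_vulnerable(string $user, string $pass): string
{
    return "SELECT * FROM `members` WHERE `User`='$user' AND `Pass`='$pass'";
}

// Hardened: the SQL text is fixed and contains only placeholders; the values
// are sent separately, so MySQL never parses them as part of the statement.
function login_user(mysqli $db, string $user, string $pass): bool
{
    $stmt = $db->prepare(
        "SELECT `User` FROM `members` WHERE `User` = ? AND `Pass` = ? LIMIT 1"
    );
    $stmt->bind_param('ss', $user, $pass); // 's' = bind each value as a string
    $stmt->execute();
    $stmt->store_result();                 // buffer so num_rows is available
    $found = ($stmt->num_rows === 1);
    $stmt->close();
    return $found;
}

// Usage as auth.inc.php would call it (placeholder connection details).
if (empty($_SESSION['user'])) {
    $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
    if ($db->connect_error) {
        exit('database unavailable');
    }

    $user = $_POST['user'] ?? '';
    $pass = $_POST['pass'] ?? '';

    if ($user === '' || !login_user($db, $user, $pass)) {
        header('Location: login.php');
        exit;
    }
    $_SESSION['user'] = $user;
}
```

Storing passwords in plain text in `Pass` is a separate weakness the thread does not address; with prepared statements in place, the next step would be to store a hash and compare it with password_verify() after fetching the row by user name only.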
