When I try to test how SQL injection works in my login page and my code is:
public function login() {
$db = new Database();
//---------------------------------------------------------------- --------------------------------
$p = $this->getPhone();
$pa = $this->getPassword();
//--------------------------------------------------------------------------------------------------------------------------------
// $sql = "SELECT * FROM dbo.Account WHERE phone = ? and password = ?";
//----------------------------------------------------------------------------------------------------
$sql = "SELECT * FROM dbo.Account WHERE phone = $p and password = $pa";
//----------------------------------------------------------------------------------------------------
// Use an array to pass parameters in the correct order
// $params = array($this->phone, $this->password);
// var_dump($sql);
//----------------------------------------------------------------------------------------------------
// $result = $db->query($sql,$params);
//--------------------------------------------------------------------------------------------------
$result = $db->query($sql);
// var_dump($result);
if ($result) {
// Check if there is a matching user
if ($result > 0) {
return true;
It
} else {
// Incorrect phone or password
return false;
}
} else {
// Error in the query
// You might want to log the error or handle it appropriately
return false;
}
}
So i met this ERROR when run by PHP with XAMPP:
Array ( [0] => Array ( [0] => 42000 [SQLSTATE] => 42000 [1] => 102 [code] => 102 [2] => [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Incorrect syntax near ‘&’. [message] => [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Incorrect syntax near ‘&’. ) )
How can i fix this?
I tried to fix it but this wasn’t working