Vivek Sadh

Reputation: 4268

Testing query for SQL injection

I have written code in PHP which enables an admin to log in. The password info is fetched from the table. I know it is not good practice to write this kind of code and I should use prepared statements or mysqli_, but I just want to learn about SQL query vulnerability. I just want to know how my code is vulnerable to SQL injection. How can I bypass the password restriction? I tried inputting password = 'anything' OR 'x'='x' in the password field but it is not bypassing it. This is my code:

if(isset($_POST["Submit"]))
{
    include 'db_connect.php';
    $user = $_POST['user'];
    $pass = $_POST['pass'];
    // user input is concatenated straight into the query (injectable)
    $checkquery = "select * from adminlogin where password='$pass' ";
    $queryex = mysql_query($checkquery);
    $row = mysql_fetch_array($queryex);
    $checkcasepass = $row['password'];
    // the returned password value is compared with the input, not the row count
    if($user == 'admin' && strcmp($checkcasepass, $pass) == 0)
    {
        setcookie("admin", $user);
        setcookie("student", "", time() - 3600);
        header("location: admin option.php");
    }
    else
    {
        echo "Sorry User Name and Password is Wrong";
    }
}

I changed my query string to this for testing purposes:

$checkquery="select * from adminlogin where password='$pass' OR 1=1 ";

but it didn't work. Can it be due to magic quotes? But I am using PHP 5.4.3 and magic quotes is already deprecated. I am wondering why SQL injection is not working?

Upvotes: 2

Views: 1055

Answers (2)

Your Common Sense

Reputation: 157839

The way you choose to test for injection is wrong.

This code allows an injection all right, but the verification code does not check the number of rows found; it checks the returned value.

But again, speaking of SQL injection: it works fine with this code, it is injected all right.

Upvotes: 1

RMcLeod

Reputation: 2581

Change 'anything' OR 'x'='x' to anything' OR 'x'='x. The leading ' and trailing ' are already there; in effect, the query you are trying will look like

select * from adminlogin where password=''anything' OR 'x'='x''

which isn't valid SQL.

Upvotes: 1
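The two answers above make two separate points: the quoted payload produces invalid SQL, while the unquoted one does inject but still fails the login because the code compares the returned password with the input rather than counting rows. The following is an added example, not code from the question or from either answer. It simulates the PHP flow in Python against an in-memory sqlite3 table (MySQL in the original), with a constructed adminlogin table holding a single admin row whose password is assumed to be 's3cret'; the column names username/password are assumptions too. The parameterized variant at the end shows the prepared-statement approach the asker mentions.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the question's adminlogin table (one admin row)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE adminlogin (username TEXT, password TEXT)")
    con.execute("INSERT INTO adminlogin VALUES ('admin', 's3cret')")  # constructed sample row
    con.commit()
    return con


def vulnerable_lookup(con, pass_input):
    """Mirror of $checkquery: the input is concatenated into the SQL string.

    Returns (query, rows, error). error is None when the SQL parsed and ran.
    """
    query = f"select * from adminlogin where password='{pass_input}' "
    try:
        rows = con.execute(query).fetchall()
        return query, rows, None
    except sqlite3.Error as exc:
        return query, [], str(exc)


def vulnerable_login(con, user, pass_input):
    """Mirror of the PHP check: take the first returned row and require
    strcmp($row['password'], $pass) == 0, i.e. an exact match with the input."""
    _, rows, error = vulnerable_lookup(con, pass_input)
    if error or not rows:
        return False
    row_password = rows[0][1]          # $row['password'] of the first row
    return user == "admin" and row_password == pass_input


def safe_login(con, user, pass_input):
    """Parameterized version: the input can never change the query's structure."""
    row = con.execute(
        "select * from adminlogin where password=?", (pass_input,)
    ).fetchone()
    return row is not None and user == "admin" and row[1] == pass_input


if __name__ == "__main__":
    con = make_db()
    for payload in ["'anything' OR 'x'='x'",   # quoted payload from the question
                    "anything' OR 'x'='x",      # payload suggested in the second answer
                    "' OR '1'='1"]:
        query, rows, error = vulnerable_lookup(con, payload)
        print(repr(query))
        print("  rows returned:", len(rows), "| SQL error:", error)
        print("  login succeeded:", vulnerable_login(con, "admin", payload))
    print("parameterized, payload:", safe_login(con, "admin", "anything' OR 'x'='x"))
    print("parameterized, real password:", safe_login(con, "admin", "s3cret"))
```

Running it shows the quoted payload fails with a syntax error, the unquoted payloads return the admin row (the injection itself works), and in every injected case the login still fails because the row's password column does not equal the payload string. Only the real password passes either check.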
