หน้าเว็บ

วันอังคารที่ 13 ธันวาคม พ.ศ. 2559

SQL Injection vulnerabilities in Thaicreate PHP questions


          สืบเนื่องจาก SQL injections vulnerabilities in Stack Overflow PHP questions มีคนเขียนเว็บไปดึงข้อมูลจากเว็บ Stack Overflow เพื่อหาว่า คนตั้งคำถามที่เกี่ยวกับ PHP มีการวางโค้ดที่มีช่องโหว่ SQL Injection เยอะแค่ไหน โดยเก็บเป็นสถิติสวยงาม ผมจึงมีไอเดียที่อยากจะลองทำแบบเดียวกันนี้กับเว็บไซต์ที่มีการถามตอบคำถามที่เกี่ยวกับ PHP ในประเทศไทยบ้าง ซึ่งที่นึกได้ก็มีอยู่เว็บไซต์หนึ่งที่น่าจะเป็นชุมชนที่ใหญ่ในประเทศไทยที่มีการถามตอบเรื่องที่เกี่ยวกับการเขียนโปรแกรมหลากหลายภาษาหนึ่งในนั้นก็รวมถึง PHP ที่เป็นเป้าหมายอยู่ด้วย ผมจึงเขียนสคริป Python ง่ายๆ ไปดึงข้อมูลจากเว็บ Thaicreate.com ห้อง PHP เพื่อหาว่าคนถามตอบปัญหาที่เกี่ยวกับ PHP นั้นมีการวางโค้ดที่มีช่องโหว่ SQL Injection ที่นำ User input ไปต่อกับ SQL Query Statement โดยไม่มีการตรวจสอบอยู่เยอะแค่ไหน โดยเลือกเพียง 30 หน้าล่าสุดจากทั้งหมด โดยผมใช้ Regular expression จาก SQL injections vulnerabilities in Stack Overflow PHP questions และได้ทำการปรับแต่งเพิ่มเติมในส่วนของการตรวจสอบ SQL Injection อีกนิดหน่อยครับ


ผลลัพธ์ที่ได้คือจาก 30 หน้าล่าสุดพบการถามตอบปัญหาที่โค้ดมีช่องโหว่ SQL Injection ประมาณ 220+ กระทู้

$result=$mysqli->query("SELECT * FROM `users` WHERE `id` = '$_POST[id]'");  
$strSQL = "SELECT * FROM project2 WHERE namepro = '".$_GET["item"]."'";  
$strSQL = "SELECT *,SUM(money) as tomoney FROM donate WHERE namepro = '".$_GET["item"]."'";  
$sql_statement = "INSERT INTO revenueother( dateother, typeother, moneyother, paybyother) VALUES ('" .$_POST["dateo"] . "', '" .$_POST["typeo"] . "', '" .$_POST["moneyo"] . "', '" .$_POST["paybyo"] . "')";  
$pay_ot = "SELECT job.ser_id,job.tech_id,service.ser_id,service.sertype_id,ser_date FROM job,service,service_type WHERE service.ser_id=job.ser_id and service_type.sertype_id=service.sertype_id  AND ser_date BETWEEN '$strStartDate' and '$strEndDate' and job.tech_id = '".$_GET["tech_id"]."'";  
//$q="SELECT * FROM tbl_event WHERE date(event_start)>='".$_GET['start']."'  ";  
$strSQL = "INSERT INTO user_addcomment (src, dst, date_on , src_station , time_on , car_no , comment , name , tel , email , other) VALUES ('".$_POST["src"]."','".$_POST["dst"]."','".$_POST["date_on"]."', '".$_POST["src_station"]."','".$_POST["time_on"]."','".$_POST["car_no"]."','".$_POST["comment"]."','".$_POST["name"]."','".$_POST["tel"]."','".$_POST["email"]."','".$_POST["other"]."')";  
$query = sprintf('select * from orders where orders_id=%s',s($con,$_GET['rid']));  
$query3 = sprintf('update product set pro_amount="%s" where pro_no="%s" ',s($con,$_POST['amts']),s($con,$_POST['id_edit']));  
$strSQL =  "SELECT * FROM user WHERE user_id = ".$_GET["uID"];  
$sql="select * from set_table  where  term_ids='".$_GET[term_ids]."' ";  
$sql="INSERT INTO `time_table` (`tb_id`, `tb_subject`, `tb_time`, `tb_time_min`, `tb_time_max`, `tb_col`, `tb_week`, `tb_date`, `tb_setting`, `term_ids`) VALUES (NULL, '".$_POST[subject]."', '".$ex[1]."', '".$ex1[1]."', '".$ex_time_max."', '".$_POST[cols_table]."', '".$ex[0]."', '', '0', '".$_POST[set_term]."');";  
$rs_cg = mysql_query('SELECT forum_name,forum_id FROM forum WHERE forum_id=' . $_GET['id']); //นั  
mysql_query('UPDATE board SET board_views=board_views+1 WHERE board_id=' . $_GET['id']); //Update จำนวนผู้เข้าชมของกระทู้นั้น  
$rs_cg = mysql_query('SELECT forum_name,forum_id FROM forum WHERE forum_id=' . $_GET['id']);  
$strSQL = "SELECT * FROM yeumkuendata WHERE userid = '".$_GET["userid"]."' AND statusyk = 'ยังไม่คืน' ";  
$strSQL2 = "SELECT permission FROM memberdata WHERE userid = '".$_GET["userid"]."'";  
$strSQL = "SELECT * FROM tbreserv WHERE ReservID = '".$_GET["ID"]."' ";  
$strSQLlogin = "SELECT * FROM admin WHERE user = '".trim($_POST['username'])."'  
$strSQLlogin = "SELECT * FROM personal WHERE p_card = '".trim($_POST['username'])."'  
$sql = "select * From send Where 1 and DAY(date_send)='".$_GET["dd"]."' and MONTH(date_send)='".$_GET["mm"]."' and status_s='yes' ORDER BY sendNo DESC";  
$sql="SELECT * FROM  tbl_language WHERE id='".$_GET['id']."'";  
$query = "update tbl_language set name='".$_GET['languages']."' where id='".$_GET['id']."';  
1. $sql="SELECT * FROM  tbl_language WHERE id='".$_GET['id']."'"; การ where ที่ id เดาว่าผลลัพธ์ มันน่าจะมีค่าเดียว หรือมันได้กี่ค่า ตอบตัวเองครับ  
$strSQL = "SELECT * FROM customer WHERE CustomerID = '".$_GET["CusID"]."' ";  
$sql="insert into on_off(on1,off1) values(".$_POST["on1"].",".$_POST["off1"].")";  
$strSQL = "SELECT * FROM memberdata WHERE MONTH(memregisday) BETWEEN '".$_GET['txtKeyword2']."' and '".$_GET['txtKeyword3']."' AND YEAR(memregisday) = '".$_GET['txtKeyword4']."' and status = 'USER' ";  
$strSQL2 = "SELECT * FROM bookdata WHERE MONTH(bookregisday) BETWEEN '".$_GET['txtKeyword2']."' and '".$_GET['txtKeyword3']."' AND YEAR(bookregisday) = '".$_GET['txtKeyword4']."'  ";  
$strSQL3 = "SELECT * FROM yeumkuendata WHERE MONTH(dateborrow) BETWEEN '".$_GET['txtKeyword2']."' and '".$_GET['txtKeyword3']."' AND YEAR(dateborrow) = '".$_GET['txtKeyword4']."'  ";  
$strSQL = "SELECT * FROM memberdata WHERE (memberdata LIKE '%".$_GET["txtKeyword"]."%' or numberid LIKE '%".$_GET["txtKeyword"]."%' )  ";  
$strSQL2 = "SELECT * FROM bookdata WHERE (bookdata LIKE '%".$_GET["txtKeyword"]."%' or numberid LIKE '%".$_GET["txtKeyword"]."%' )  ";  
$strSQL3 = "SELECT * FROM yeumkuendata WHERE (yeumkuendata LIKE '%".$_GET["txtKeyword"]."%' or numberid LIKE '%".$_GET["txtKeyword"]."%' )  ";  
$strSQL = "SELECT * FROM memberdata WHERE MONTH(memregisday) BETWEEN '".$_GET['txtKeyword2']."' and '".$_GET['txtKeyword3']."' AND YEAR(memregisday) = '".$_GET['txtKeyword4']."'  ";  
$strSQL = "INSERT INTO repost (strdate,enddate,room,name,tel) VALUES ('".$_POST["date1"]."', '".$_POST["date2"]."','".$_POST["txtRoom"]."','".$_POST["txtName"]."' ,'".$_POST["tel"]."' )";  
$query = "SELECT * FROM test WHERE tags LIKE '%$_GET[value]%' order by id desc";  
$query = "SELECT * FROM test WHERE tags LIKE '%".($_GET[value]).",%' order by id desc";  
$strSQL = "INSERT INTO member (User,Password,Name,LastName,Gender,Address,Province,ZipCode,Tel,Email,employee,SID,Active) VALUES ('".$_POST[txtUser]."','".$_POST[txtPass]."', '".$_POST[txtName]."','".$_POST[txtLastName]."' ,'".$_POST[rdoGender]."','".$_POST[txtAddress]."', '".$_POST[txtProvince]."','".$_POST[txtZipCode]."','".$_POST[txtTel]."', '".$_POST[txtEmail]."','USER','employee','".session_id()."','No')";  
$strSQL = "SELECT * FROM user WHERE username = '".trim($_POST['username'])."' ";  
$strSQL = "INSERT INTO user (username,password,lastname,address,tel,email) VALUES ('".$_POST["username"]."', '".$_POST["password"]."','".$_POST["lastname"]."','".$_POST["address"]."' ,'".$_POST["tel"]."' ,'".$_POST["email"]."')";  
$query ="SELECT  id_name,date0,total FROM `service` where m = '".$_GET["month"]."' AND Y ='".$_GET["year"]."'";  
$sqldel="Delete From stock_tb_module Where iduser='".$_GET['deluser']."'";  
$seek="Select iduser from stock_tb_module Where iduser='".$_POST['user']."'";  
$sqlsave="INSERT INTO stock_tb_module(iduser,typeuser) Values('".$_POST['user']."','".$_POST['type']."')";  
$sql="Select stock_tb_module.*,tb_user.nameuser,tb_user.surname From stock_tb_module INNER JOIN tb_user ON stock_tb_module.iduser=tb_user.iduser Where stock_tb_module.iduser='".$_GET['user']."'";  
$sql="UPDATE stock_tb_module SET typeuser='03' Where iduser='".$_GET['id']."'";  
$sql="DELETE From stock_tb_module Where iduser='".$_GET['id']."'";  
$sql="Select * From stock_tb_kind_type where kindid='".$_GET['kindid']."' Order by kindtypeid";  
$sqldetail="INSERT INTO stock_tb_beg_master_sub(nobeg,kindtypeid,total,forbeg,user_name) Value('".$_GET['bk']."','".$_SESSION['sess_kindid'][$kid]."','".$beg[$i]."','".$for[$i]."','$user_name')";  
$sqlk="Select stock_tb_kind_type.*,stock_tb_unit.unitname From stock_tb_kind_type INNER JOIN stock_tb_unit ON stock_tb_kind_type.unitid=stock_tb_unit.unitid Where kindtypeid='".$_GET['id']."'";  
$sql = "SELECT *  FROM saler  WHERE sale_id LIKE '%".$_POST["search"]."%'";  
$sql = "SELECT *  FROM saler  WHERE sale_id LIKE '%".$_POST["keyword"]."%'";  
$strSQL = "SELECT * FROM order_details WHERE pro_id='".$_GET["txtKeyword"]."'";  
$strSQL = "INSERT INTO use_addcomment (src, dst, date_on , stc_station , time_on , car_no , comment , name , tel , email , other) VALUES ('".$_POST["src"]."','".$_POST["dst"]."','".$_POST["date_on"]."', '".$_POST["src_station"]."','".$_POST["time_on"]."','".$_POST["car_no"]."','".$_POST["comment"]."','".$_POST["name"]."','".$_POST["tel"]."','".$_POST["email"]."','".$_POST["other"]."',)";  
$strSQL = "SELECT * FROM bookdata inner join typedata on bookdata.typeid = typedata.typeid WHERE (namebook LIKE '%".$_GET["txtKeyword"]."%' or numberid LIKE '%".$_GET["txtKeyword"]."%' )  ";  
$strSQL = "SELECT * FROM memberdata inner join majordata on memberdata.majorid = majordata.majorid WHERE userid = '".$_GET["userid"]."' ";  
$strSQL = "SELECT * FROM yeumkuendata WHERE userid = '".$_GET['userid']."' ";  
$strSQL = "SELECT * FROM picture WHERE (projectid LIKE '%".$_GET["txtKeyword"]."%' )";  
$strSQL = "SELECT * FROM picture WHERE (projectid LIKE '%".$_GET["txtKeyword"]."%' )"; // เดิม  
$strSQL = "SELECT * FROM picture WHERE projectid LIKE '%".$_GET["txtKeyword"]."%' "; // เปลี่ยน  
$strSQL = "SELECT * FROM picture WHERE projectid LIKE '%".$_GET["txtKeyword"]."%' ";  
select * from tabientb where (tabienno1 and tabienno2) LIKE '%$_POST[search]%'  
$sql = " select * from tabientb where CONCAT(tabienno1, tabienno2) LIKE '%$_POST[search]%' ";  
$sql = " select * from tabientb where (tabienno LIKE '%$_POST[search]%') AND (tabienno2 LIKE '%$_POST[search]%') ";  
select * from tabientb where tabienno1 LIKE '%enno2 LIKE '%$_POST[search]%'  
$strSQL = "INSERT INTO `member`(`username`,`password`,`name`,`lname`) VALUES ('".$_POST['username']."',  
$strSQL = "INSERT INTO memberdata (userid,password,sex,titlename,fname,lname,majorid,email,mempic,status,memregisday) VALUES ('".$_POST["userid"]."',  
$strSQL = "SELECT * FROM orders WHERE OrderID = '".$_GET["OrderID"]."' ";  
$strSQL = "SELECT * FROM student WHERE (class='".$_GET["txtKeyword"]."')";  
$strSQL = "SELECT * FROM yeumkuendata WHERE ykid = '".trim($_POST['ykid'])."' ";  
$strSQL = "INSERT INTO yeumkuendata (userid,numberid,dateborrow,datesetreturn,statusyk) VALUES ('".$_POST["userid"]."',  
$query2 = sprintf('select * from department where d_id=%s',s($con,$_GET['dept']));  
$query2 = sprintf('select * from departmentp inner join personnel on departmentp.ds_id = personnel.ds_id  where departmentp.ds_id=%s',s($con,$_GET['dept']));  
$sel_part = "select * from tblpart where PartID = '".$_POST['chkorder'][$i]."'";  
$sql="select b.pro_name,b.coler,b.pro_year,a.cat_name from category as a inner join product as b on a.cat_id=b.cat_id inner join branch as c on b.id_b=c.id_b where c.id_b='".$_GET['id_b']."' GROUP BY pro_name,coler,pro_year";  
$num_car=mysql_num_rows(mysql_query("select pro_name,coler,pro_year from product where pro_name='".$result1['pro_name']."' and id_b='".$_GET['id_b']."'"))  
$num_car=mysql_num_rows(mysql_query("select pro_name,coler,pro_year from product where pro_name='".$result1['pro_name']."' and coler='".$result1['coler']."' and pro_year='".$result1['pro_year']."' and id_b='".$_GET['id_b']."'"))  
$strSQL = "SELECT * FROM book WHERE dates='".$_POST["myDate1"]."' and btime= '".$_POST["mytime"]."' and status='1' rid = '".$_POST["myRoom"]."' ";  
$strSQLday1 = "SELECT SUM(`INV# AMOUNT`) as Total FROM `orderheader` WHERE `INV# DATE` LIKE '%20160901%' AND `ORDER DATE` LIKE '%20160901%' AND `SALESMAN` LIKE '43406'  "; /* WHERE (TERM_NO LIKE '%".$_GET["txtKeyword"]."%') */  
$query_rs_type="SELECT * FROM product_type WHERE gr_id ='".$_GET['lsgroup']."' ";  
$strSQL = "SELECT * FROM calendar WHERE ((year = '".trim($_POST['year'])."' and month = '".trim($_POST['month'])."'  
$strSQL = "INSERT INTO calendar (title,color,year,month,day,time_start,time_end,Email) VALUES ('".$_POST["title"]."','".$_POST["color"]."','".$_POST["year"]."','".$_POST["month"]."',  
$sql="insert into ems (ems) values ('".$_POST['ems']."')";  
$strSQL = "SELECT  * FROM customer  WHERE (CustomerID LIKE '%".$_GET["txtKeyword"]."%' or Email LIKE '%".$_GET["txtKeyword"]."%' )";  
$strSQLdel = "DELETE FROM tblmyfiles WHERE ID = '".$_GET["ID"]."'";  
$sqltxtQty = "SELECT product_amount FROM product WHERE product_id ='".$_POST["txtProductID"]."'" ;  
$strSQL = "SELECT * FROM files WHERE (Name='".$_GET["txtKeyword"]."' or keyword='".$_GET["txtKeyword"]."' )";  
$strSQL = "SELECT * FROM files WHERE (Name LIKE '%".$_GET["txtKeyword"]."%' or keyword LIKE '%".$_GET["txtKeyword"]."%' )";  
$sql="UPDATE assessment_kpi SET score='".$_POST['score'][$i]."', head='".$_POST['head'][$i]."' where id_kpi='".$_POST['id'][$i]."' ";  
$sql = $sql="UPDATE assessment_kpi SET score='".$_POST['score'][$i]."', head='".$_POST['head'][$i]."' where id_kpi='".$_POST['id'][$i]."' ";  
$strSQL = "INSERT INTO Scan (RFID,Date,Time,Late) VALUES ('".$_POST["txtStudentID"]."','".date("Y-m-d")."' ,'".date("H:i:s")."','".$timeDiff."')";  
$sql="Update member set Password='".$_POST["txtPass"]."',Name='".$_POST["txtName"]."',LastName='".$_POST["txtLastName"]."',Gender='".$_POST["rdoGender"]."',Address='".$_POST["txtAddress"]."',Province='".$_POST["txtProvince"]."',ZipCode='".$_POST["txtZipCode"]."',Tel='".$_POST["txtTel"]."',Email='".$_POST["txtEmail"]."' where MemberID=$id";  
$stmt=$db->prepare("delete from multiupload where id ='".$_GET['id']."'");  
$strSQL = "SELECT * FROM location_marker WHERE Locationname_id ='$_GET[Locationname_id]'";  
$strSQL = "SELECT * FROM location_areaname WHERE Locationname_id ='$_GET[Locationname_id]'";  
$strSQL = "SELECT * FROM location_polylinename WHERE Locationname_id ='$_GET[Locationname_id]'";  
$rs = mysql_query("SELECT * FROM tb_applyjob WHERE jid = $_GET[jid]");  
$strSQL = "SELECT * FROM family WHERE family_name_th = '".$_POST["txtfamily_name_th"]."' ";  
$strSQL = "SELECT asset FROM tbl_asset WHERE 1 AND asset = '".$_POST["sCusID"]."'";  
$query2 = sprintf('update orders set orders_status=2 where orders_id=%s',s($con,$_POST['orid']));  
$strSQL = "SELECT * FROM animal WHERE animal_id = '".$_GET["CusID"]."' ";  
$sql = "insert into uploadimags(name,date,image) value('".$_POST['Name']."','".date('Y-m-d H:i:s')."','".$new_images."')";  
$sqll = "select * from uploadimags where name = '".$_POST['Name']."'";  
$query1="SELECT * from tag_work_building_2  where id = '$_GET[id]'";  
$strSQL = "INSERT INTO calendar (title,year,month,day,time_start,time_end) VALUES ('".$_POST["title"]."','".$_POST["year"]."','".$_POST["month"]."',  
$query = sprintf('select * from event where id_event="%s"',s($con,$_GET['idv']));  
select * from event where id_event= $_GET['id_event']  
$strSQL = "SELECT * FROM customer WHERE 1 AND Customer_Code = '".$_POST["sCusID"]."' ";  
$sql="select * from tabletb where id='$_GET[id]'";  
พอจะ $sql="select * from tabletb where id='$_GET[id]'"; ก็ไม่มีค่า $_GET[id] ส่งมาค่ะ  
$sql_cate="select * from category where id='$_GET[id]'";  
$sql = "select * from table_name where id = '$_GET['id']' ";  
$sql = "select * from employee where name like '%{$_POST['itemname']}%'  or duty like '%{$_POST['itemname']}%'";  
$strSQL = "SELECT * FROM packing WHERE ProductID = '".$_GET["FilesID"]."' " ;  
$strSQL = "SELECT * FROM flavor WHERE ProductID = '".$_GET["FilesID"]."' ";  
///$strSQL = "SELECT * FROM  idp3  WHERE (day LIKE '%".$_GET["txtKeyword"]."%' or  day LIKE '%".$_GET["txtKeyword"]."%' )";  
$strSQL = "SELECT * FROM tbl_item,rentorder WHERE (tbl_item.TERM_NO LIKE '%".$_GET["txtKeyword"]."%' and rentorder.TERM_NO LIKE '%".$_GET["txtKeyword"]."%')";  
$strSQL = "SELECT * FROM tbl_item WHERE (tbl_item.TERM_NO LIKE '%".$_GET["txtKeyword"]."%')";  
$strSQL2 = "SELECT * FROM rentorder WHERE (rentorder.TERM_NO LIKE '%".$_GET["txtKeyword"]."%')";  
$strSQL = "SELECT * FROM number WHERE username ='".trim($_POST['usernamelogin'])."'  
$strSQL2 = "INSERT INTO files (PicName,FilesName) VALUES ('".$_POST["txtPicName"]."','".$_FILES["filUpload"]["name"]."')";  
$strSQL2 = "INSERT INTO files (ID,PicName,FilesName) VALUES ('".$insertID."',".$_POST["txtPicName"]."','".$_FILES["filUpload"]["name"]."')"; // เพิ่ม Field ID ใน table file  
$res = $mysqli->query("SELECT * FROM article WHERE article_id =".$_GET['u']);  
$query2= sprintf ('select * from product where pro_no="%s" ',s($con,$_GET['id_del']));  
$query = sprintf('delete from product where pro_no="%s" ',s($con,$_GET['id_del']));  
$q="SELECT * FROM car WHERE date(timego)>='".date("Y-m-d",$_GET['start'])."'  ";  
$objQuery1 = "SELECT * FROM Register where $ddlSelect LIKE '%".$_POST["txtKeyword"]."%'" ;  
; //*** Insert Record ***// $objConnect = mysql_connect(localhost","adtec","adtec1234") or die("Error Connect to Database"); $objDB = mysql_select_db("adtec"); mysql_query("SET character_set_results=utf8"); mysql_query("SET character_set_client=utf8"); mysql_query("SET character_set_connection=utf8"); $strSQL = "INSERT INTO album"; $strSQL .="(AlbumName,AlbumShot,Details,Male,Female,Tim,one,two,tre,four,five,note) VALUES ('".$_POST["txtAlbumName"]."','".$fileName."','". $_POST["Namer"]."','". $_POST["M"]."','". $_POST["F"]."','". $_POST["more"]."','". $_POST["textfield4"]."','".$_POST["textfield5"]."','".$_POST["textfield6"]."','".$_POST["textfield7"]."','".$_POST["textfield8"]."','".$_POST["textfield"]."')"; $objQuery = mysql_query($strSQL); mysql_close($objConnect); } ?> 
แก้ตรง $sql_data = "update tb_order set paystatus='$_POST[paystatus]' where refid = '$_POST[refid2]'"; รึป่าวครับ..  
mysql_query("INSERT INTO contact (id,message,name,phone,email,dateregist,timeregist) values('', '$_POST[message]','$_POST[name]','$_POST[phone]','$_POST[email]','$e_date', '$etime')") or die ("Cannot Add Database");  
$strSQL = "SELECT * FROM customer WHERE 1 AND CustomerID = '".$_POST["sCusID"]."' OR Email = '".$_POST["eMail"]."' ";  
$sort = mysqli_query ($con,"SELECT order_no FROM choose where Ad_num =".$_GET['pno'] );  
$strSQL = "SELECT * FROM product WHERE Supplier_ID = '".$_GET["Supplier_ID "]."' ";  
$strSQL = "SELECT * FROM radio_member WHERE Username = '".trim($_POST['txtUsername'])."' ";  
$strSQL = "INSERT INTO radio_member (Username,Password,Name) VALUES ('".$_POST["txtUsername"]."',  
$resultms = mysql_query("update ms set actqty = actqty-'".$_POST["qty$i"]."' where shopcode='".$_GET["shopcode"]."' AND  productid = '".$_POST["productid$i"]."'");  
$strCHECKms = "SELECT * FROM  ms WHERE shopcode = '".$shop."' AND productid = '".$_POST["productid$i"]."'";  
$resultoshop = mysql_query("update ms set actqty = actqty + '".$_POST["qty$i"]."' where shopcode='".$shop."' AND  productid = '".$_POST["productid$i"]."'");  
$resultcheckstock = mysql_query("update  checkstock set status = 'Y' where shopcode='".$_GET["shopcode"]."' AND  productid = '".$_POST["productid$i"]."'");  
insert into ตรงนี้ เอาค่า $_POST['province_id][$i] ไปเก็บ  
$sql="select * from  time_sample where team='".$_POST['Require']."' and day_='".$_POST['day_']."' order by id desc";  
$sql="select * from sample_user where id_staff='".$arr['id_staff']."' and day_='".$_POST['day_']."'";  
$sqlup ="update stock set stock = stock - '".$_POST["txt_stock"]."' where `p_id`= '".$_POST["txt_id"]."'";  
$sqlup ="update stock set stock = stock - '".$_POST["txt_stock"][$i]."' where `p_id`= '".$_POST["txt_id"][$i]."'";  
$strSQL2 = "SELECT * FROM orders_detail WHERE o_id = '".$_GET["o_id"]."' ";  
//$strSQL = "SELECT * FROM products,bom WHERE (Pro_ID LIKE '%".$_GET["txtKeyword"]."%')";  
$strSQL = "INSERT INTO files (Name,FilesName) VALUES ('".$_POST["txtName"]."','".$_FILES["filUpload"]["name"]."')";  
$strSQL = "INSERT INTO files (Name,FilesName,upload) VALUES ('".$_POST["txtName"]."','".$_FILES["filUpload"]["filUpload2"]["name"]."')";  
$strSQL = "SELECT * FROM bk_room_type WHERE room_type_name = '".trim($_POST['room_type_name'])."'";  
$strSQL = "SELECT * FROM bk_building WHERE building_name = '".trim($_POST['building_name'])."'";  
$strSQL = "SELECT * FROM bk_janitor WHERE janitor_name = '".trim($_POST['janitor_name'])."'";  
$strSQL = "SELECT * FROM bk_member_title WHERE titlename = '".trim($_POST['titlename'])."'";  
$strSQL = "SELECT * FROM bk_member_majorname WHERE majorname = '".trim($_POST['majorname'])."'";  
Result=mysql_query("INSERT INTO tb_example (Booking_ID,Province_ED) VALUES ('".$Booking_ID."','".$_POST['Province_ID'][$i]."')");  
$strSQL = "SELECT * FROM customer WHERE (billing LIKE '%".$_GET["txtCredit"]."%' AND billing LIKE '%".$_GET["txtCash"]."%' )";  
$sql_up = "update product set ProductCode='$_POST[txtProductCode]', ProductName='$_POST[txtProductName]',Description='$_POST[txtDescription]', Price='$_POST[txtPrice]',PriceNormal='$_POST[txtPriceNormal]', PriceSend='$_POST[txtPriceSend]',Stock='$_POST[txtStock]', Promotion='$_POST[rdoPromotion]',New='$_POST[rdoNew]' where ProductID='$_GET[ProductID]'";  
$sql_up = "update product set Picture='$file_name' where ProductID='$_GET[ProductID]'";  
$sql_up = "update product set  Picture='$file_name',ProductCode='$_POST[txtProductCode]', ProductName='$_POST[txtProductName]',Description='$_POST[txtDescription]', Price='$_POST[txtPrice]',PriceNormal='$_POST[txtPriceNormal]', PriceSend='$_POST[txtPriceSend]',Stock='$_POST[txtStock]',Promotion='$_POST[rdoPromotion]',New='$_POST[rdoNew]' where ProductID='$_GET[ProductID]'";  
$sql_update = "update product set Picture='$file_name' where ProductID='$_GET[ProductID]'";  
$sql_up = "update product set  Picture='$file_name',ProductCode='$_POST[txtProductCode]', ProductName='$_POST[txtProductName]',Description='$_POST[txtDescription]', Price='$_POST[txtPrice]',PriceNormal='$_POST[txtPriceNormal]', PriceSend='$_POST[txtPriceSend]',Stock='$_POST[txtStock]', Promotion='$_POST[rdoPromotion]',New='$_POST[rdoNew]' where ProductID='$_GET[ProductID]'";  
$query = "SELECT * FROM amount_cus where = " .$_GET['edit_id'];  
$strSQL = "INSERT INTO conven (convenID,dormitoryID,coname,costatus) VALUES (NULL,'$convenroomid','".$_POST["conven"][$i]."','T')";  
$StrSql = "Select * from picupload WHERE ServiceCode LIKE '%".$_GET["txtKeyword"]."%'";  
$strSQL = "SELECT * FROM history_med WHERE (id_run LIKE '%".$_POST["recvid"]."%'  )";  
$strSQL = "SELECT MAX(milesin) as max_milesin FROM ots_table WHERE carlicense  = '".$_GET["item"]."' ORDER BY carlicense ASC";  
$strSQL ="SELECT MAX(milesin) as max_milesin FROM ots_table WHERE carlicense  = '".$_GET["item"]."' ORDER BY carlicense ASC";  
$strSQL ="SELECT MAX(milesin) as max_milesin FROM ots_table WHERE carlicense = '".$_POST["item"]."' ORDER BY carlicense ASC";  
$result= mysql_query("SELECT MAX(milesin) as max_milesin FROM ots_table WHERE carlicense = '".$_POST["item"]."' ORDER BY carlicense ASC");  
echo $strSQL = "UPDATE article SET topic = '".trim($_POST['topic'])."'  
$strSQL = "SELECT * FROM member WHERE Username = '".trim($_POST['txtUsername'])."' and Password = '".trim($_POST['txtPassword'])."' and Active = 'Yes' ";   
SELECT * FROM ( select * from personal where p_id=".($_GET['p_id']*1).") per  
$strSQL = "SELECT * FROM tbRoom WHERE ID_Room = '".$_GET["RoomID"]."' ";  
$q="SELECT *  FROM doctable WHERE name='หมอหนึ่ง' ORDER by date(timego)>='".$_GET['start']."'  ";  
$q="SELECT *  FROM doctable WHERE name='$roo_id' ORDER by date(timego)>='".$_GET['start']."'  ";  
$q="SELECT *  FROM doctable WHERE id='$roo_id' ORDER by date(timego)>='".$_GET['start']."'  ";  
$q="SELECT * FROM doctable WHERE date(timego)>='".$_GET['start']."'  ";  
$q="SELECT * FROM doctable WHERE name='$roo_id' ORDER by date(timego)>='".$_GET['start']."'  ";  
$sqld = "DELETE FROM brand WHERE id='".$_GET['did']."'";  
$result = mysql_query("update product set qty = qty - '".$_POST["txtQty$i"]."' where ProductID = '".$_POST["txtProductID2$i"]."'");  
$strSQL3 = "SELECT * FROM tb_ps WHERE PS_id = '".$_GET['id']."' ";  
$strSQL2 = "SELECT * FROM tb_ps WHERE PS_sale LIKE '%".$_GET['txtkeyword']."%' ";  
$sql = "UPDATE files SET filestatus = '$status' where FileID = '".$_POST['FileID']."'";  
mysql_query("UPDATE member SET m_view=(m_view+1) WHERE m_id = '".$_GET["id"]."' AND m_line = '".$_GET["line"]."'" );  
$sqls="SELECT * FROM member where m_id ='".$_GET[id]."' AND m_line = '".$_GET[line]."'";  
$sqls="SELECT * FROM member where m_id ='".$_GET[id]."' AND m_line = '".$_GET[line]."' ";  
$strSQL = ("INSERT INTO history_med(id_person,name_med,value_med) VALUES('"."','".$_POST["xx"]."','".$_POST["xy"]."')") ;  
$q="select * from member where k_name like'$_GET[name]%' and k_age like'$_GET[age]%' and k_sex like '$_GET[sex]%' and k_address like '$_GET[s]%' and k_date like '$_GET[k_date]%'";  
$sql ='SELECT * FROM member WHERE u_ser = "'.$_POST['i_ur'].'"';  
$strSQL2 = "UPDATE product SET product_qty = product_qty - ".$rs['product_qty']." WHERE product_id = '".$_REQUEST['product_id']."'";  
$sql3 = "select * from send where send_id = '$_GET[user_send_id]'";  
$sql = " insert into book( book_id, book_name , book_detail, typebook_id) VALUES ( null, '$bookname', '$_POST[book_detail]', '$_POST[typebook_id]');";  
$sql = " insert into send ( send_id, user_id, book_id , subject , send_key, send_date, send_time) VALUES ( null, '$sender', '$res' , '$_POST[subject]','$key', '$today' , '$time');";  
$sql = " insert into send_detail ( send_id , user_id , vision , open , approve) VALUES ( '$res2', '$user_send[$i]', '0', '0' ,'$_POST[approve]' );";  
$sql = " insert into book( book_id, book_name, book_pdf , book_detail, typebook_id) VALUES ( null, '$bookname','$bookpdf', '$_POST[book_detail]', '$_POST[typebook_id]');";  
$sql = " insert into send ( send_id, user_id, book_id , subject ,send_key, send_date, send_time) VALUES ( null, '$sender', '$res' , '$_POST[subject]','$key' ,'$today' , '$time');";  
$sql = " insert into send_detail ( send_id , user_id , vision , open , approve) VALUES ( '$res2', '$user_send[$i]', '$vision[$i]', '0' ,'$_POST[approve]' );";  
$sql1 = "select * from court where court_time = '".$_GET["item"]."'";  
$CardSQL = "SELECT member.*, profile.IDnumber, profile.dbirth, profile.mbirth, profile.ybirth FROM member LEFT JOIN profile ON member.IDstd = profile.IDstd WHERE member.class = '".$_POST["class"]."' AND member.room = '".$_POST["room"]."' AND member.yearin = '".$_POST["yearin"]."' ORDER BY member.IDstd ASC";  
$First = "SELECT member.*, profile.IDnumber, profile.dbirth, profile.mbirth, profile.ybirth FROM member LEFT JOIN profile ON member.IDstd = profile.IDstd WHERE member.class = '".$_POST["class"]."' AND member.room = '".$_POST["room"]."' AND member.yearin = '".$_POST["yearin"]."' ORDER BY member.IDstd ASC LIMIT 0,1";  
$Last = "SELECT member.*, profile.IDnumber, profile.dbirth, profile.mbirth, profile.ybirth FROM member LEFT JOIN profile ON member.IDstd = profile.IDstd WHERE member.class = '".$_POST["class"]."' AND member.room = '".$_POST["room"]."' AND member.yearin = '".$_POST["yearin"]."' ORDER BY member.IDstd DESC LIMIT 0,1";  
$strSQL =" UPDATE request_color a JOIN printer_color b ON a.RequestPC = b.Printer_Color_ID SET b.ColorTotalNumber = '$ColorBalance1'  WHERE a.RequestID = '".$_GET["id"]."' ";  
$strSQL1 = "UPDATE meeting_list SET mstatus = 'S' where id = '".$_GET["id"]."' ";  
$CardSQL = "SELECT member.*, profile.IDnumber, profile.dbirth, profile.mbirth, profile.ybirth FROM member LEFT JOIN profile ON member.IDstd = profile.IDstd WHERE member.class = '".$_POST["class"]."' AND member.room = '".$_POST["room"]."' AND member.yearin = '".$_POST["yearin"]."' LIMIT 0, 6";  
SELECT member.*, profile.IDnumber, profile.dbirth, profile.mbirth, profile.ybirth FROM member LEFT JOIN profile ON member.IDstd = profile.IDstd WHERE member.class = '".$_POST["class"]."' AND member.room = '".$_POST["room"]."' AND member.yearin = '".$_POST["yearin"]."' LIMIT 0, 6  
$strSQL = "SELECT * FROM tblmember WHERE Email = '".trim($_POST['Email'])."' ";  
$strSQL = "SELECT * FROM tblmember WHERE (FirstName LIKE '%".$_GET["txtKeyword"]."%' or Lastname LIKE '%".$_GET["txtKeyword"]."%' and Class='ผ่านการอนุมัติ') ";  
$sql_mem = "update member set fname ='$_POST[fname]',name ='$_POST[name]',birthday ='$_POST[birthday]',address ='$_POST[address]',road ='$_POST[road]',district ='$_POST[district]',city ='$_POST[city]',province ='$_POST[province]',country ='$_POST[country]',zipcode ='$_POST[zipcode]',phone ='$_POST[phone]',fax ='$_POST[fax]',mobile ='$_POST[mobile]',email ='$_POST[email]' where usermem = '$_POST[usermem]'";  
$sql = "update send_detail set open='1' where send_id='$_GET[send_id]' and user_id = $k ";  
$sql="select * from book , send ,send_detail , user , typebook where send_detail.user_id = $a and send_detail.send_id = send.send_id and send.book_id = book.book_id and send.user_id = user.user_id and book.typebook_id = typebook.typebook_id and send.send_id = '$_GET[send_id]' ";  
$sql="select * from user where user_name='$_POST[username]' and user_password='$_POST[password]'";  
$sql2="select * from admin where admin_name='$_POST[username]' and admin_password='$_POST[password]' ";  
$strSQL = "SELECT * FROM product WHERE Supplier_ID = '".$_GET["Supplier_ID"]."' ";  
$sql="INSERT INTO chat (name, texts)VALUES ('$_POST[name]','$_POST[mes]');";  
$strSQL = "SELECT * FROM accounts WHERE Username = '".trim($_POST['Username'])."' ";  
$strSQL = "INSERT INTO accounts (Username,Password) VALUES ('".$_POST["Username"]."',  
$strSQL = "INSERT INTO accounts (Username,Password) VALUES ('".$_POST["Username"]."', '$password')";  
$sqlTb = "SELECT * FROM treatment where date='$_POST[date]'";  
$sql1 ='SELECT * FROM member WHERE username = "'.$_POST['ulog'].'"';  
$sql ="SELECT member.*,profile.* FROM member LEFT JOIN profile ON member.IDstd = profile.IDstd WHERE 1 AND member.IDstd = '".$_POST['searchID']."' ";  
//$sql="SELECT * FROM member WHERE IDstd like '".$_POST['IDstd']."'";  
if($mysql->query(" SELECT * FROM [tb_student] WHERE [idStudent] like '".$_POST['ids']."'") > 0 ){  
$sql="SELECT * FROM member WHERE IDstd like '".$_POST['IDstd']."'";  
$sql = "INSERT INTO students ('name', 'last_name') VALUES('" . $_POST['student_name'][$i] . "', '" . $_POST['student_last_name'][$i] . "')";  
$res = $mysqli->query("SELECT * FROM ven_rent WHERE id_van = ".$_GET['u']);  
$strSQL = "SELECT * from objective WHERE ob_quiz_id = ".$_POST["chkColor"][$i]."";  
$strSQL = "SELECT * FROM member WHERE Username = '".trim($_POST['txtUsername'])."' ";  
$strSQL = "INSERT INTO member (Username,Password,Name,Status) VALUES ('".$_POST["txtUsername"]."',  
$strSQL = "SELECT * FROM course WHERE Id_Course = '".$_GET["Id_Course"]."' ";  
$sql1="SELECT * FROM user WHERE username='".$_GET['username']."'";  
$sql = "select * from po where POID like '%{$_POST['POID']}%'";  
$query = "SELECT * FROM teacher WHERE (T_user='".$_POST["txtT_user"]."') AND (T_pw='".$_POST["txtT_pw"]."')";  
$test_query="SELECT * FROM login WHERE username = '".$_POST['form-username']."'";  
$strSQL = "SELECT * FROM subject WHERE subject = '".trim($_POST['txtsubject'])."' ";  
$strSQL = "INSERT INTO subject (subject,course_description) VALUES ('".$_POST["txtsubject"]."','".$_POST["txtcourse_description"]."')";  
$strSQL = "SELECT * FROM course INNER JOIN type_course ON course.type_cou_id=type_course.tp_cou_id WHERE cou_id = '".$_GET['cou_id']."' ";  
$strSQL = "SELECT * FROM po2016 WHERE Po_number = '".$_GET["Po_number"]."' ";  
$strSQL1 = " SELECT * FROM drb_product WHERE drb_pd_code = 'GL-ES-".$_POST["drb_pd_codeSE"]."' ";  
$strSQL2 = " SELECT * FROM drb_product_up WHERE drb_pd_codeT = '".$_POST["drb_pd_codeT"]."' ";  
} else { $strSQL = "SELECT * FROM city WHERE ProvinceID ='".$_GET["proid"]."' ORDER BY CityNameT ASC";  
} else { $strSQL = "SELECT * FROM district WHERE CityID ='".$_GET["ampid"]."' ORDER BY DistrictNameT ASC";  
$strSQL = "SELECT * FROM webboard  WHERE QuestionID = '".$_GET["QuestionID"]."' ";  
$strSQL2 = "SELECT * FROM reply  WHERE QuestionID = '".$_GET["QuestionID"]."' order by  replyID desc";  
$sql='SELECT * FROM tbl_member WHERE user = "'.$_POST['username'].'"';  
$sql1="INSERT INTO tbl_member value ('','".$_POST['name']."','".$_POST['username']."','".$_POST['mail']."','".$_POST['tel']."')";  
$strSQL2 = "SELECT * FROM orders_detail WHERE OrderID = '".$_GET["OrderID"]."' ";  
$strSQL = "SELECT * FROM slideshow WHERE slide_title = '".$_GET["CusID"]."' ";  
$up_Leave = "UPDATE leave_leave SET  Quota_id='$_POST[Quota_id]',  
$strSQL = "SELECT * FROM data_course WHERE cou_id = '".$_GET['cou_id']."' ";  
$sql_select_playlista     = "select * from playlist where p_playlist_name = '".$_GET['pid']."'order by p_Order ";  
$strSQL = "SELECT * FROM quotas WHERE Quota_id = '".$_POST["Quota_id"]."' ";  
$strSQL = "SELECT * FROM member WHERE Username = '".trim($_POST['txtUsername'])."'  
$sql="select * from question where subject_id='$_GET[subject_id]' ";  
$sql="select * from choice where question_id='$_GET[question_id]' ";  
$strSQL = "SELECT * FROM it_rep_form WHERE rep_no = '".$_GET["rep_no"]."' ";  
$strSQL = "SELECT * FROM customer WHERE 1 AND CustomerID = '".$_POST["sCusID"]."' ";  
$strSQL = "SELECT hex(pic1) FROM 2016_mission WHERE mission_id = '".$_GET["mission_id"]."' ";  
$strSQL = "SELECT * FROM product WHERE (id_prd LIKE '%".$_GET["txtKeyword"]."%' or ProductName LIKE '%".$_GET["txtKeyword"]."%' )";  
$strSQL = "SELECT * FROM customer WHERE displayname = '".trim($_POST['txtUsername'])."'  
$strSQL = "update customer set namecus=". "'". $_POST["name"] ."'". ",";  
$sql="select * from allotment_item where hotel_id='".$_REQUEST["id"]."' and status='1' order by no_id ";  
$sql2="SELECT * FROM joinus WHERE eventstypecode='".$_POST["eventstypecode"]."'";  
$sql1="SELECT * FROM joinus WHERE passport = '".$_POST["scan"]."'";  
$sq1 = INSERT INTO strengthkf(keyID, strID)  VALUES ('.$_POST['chkKey'][$key].','.$strID.'); //get keyI">   
$sq1 = "UPDATE strengthkf SET keyID = '".$_POST['chkKey'][$key]."'  
$strSQL = "SELECT * FROM member WHERE MemberID = '".$_POST["MemberID"]."' ";  
$strSQL = "UPDATE member SET Username = '".$_POST["Username"]."', Password = '".$_POST["Password"]."', Name_member = '".$_POST["Name_member"]."', Addr_member = '".$_POST["Addr_member"]."'  
$strSQL = "SELECT product_id, Qty FROM orders_detail where order_detail_id = ".($_REQUEST['order_detail_id'] * 1);  
$strSQL = "SELECT * FROM customer WHERE CustomerID = '".$_POST["CustomerID"]."' ";  
$strSQL = "UPDATE customer SET Name_cus = '".$_POST["Name_cus"]."', Address = '".$_POST["Address"]."',  
$strSQL1 = "SELECT * FROM tb_memfamily WHERE mem_id = '".$_GET['mem_id']."' ";  
$strSQL = "SELECT * FROM product WHERE productno = '".$_GET["productno"]."'";  
$sql_insert="INSERT INTO tbl_recived (a,b,c,d,e,f,g)VALUES('$_GET[a]','$_GET','$_GET[c]','$_GET[d]','$_GET[e]','$_GET[f]',NOW())";  
INSERT INTO tbl_recived (a,b,c,d,e,f,g)VALUES('$_GET[a]','$_GET','$_GET[c]','$_GET[d]','$_GET[e]','$_GET[f]',NOW())";  
$sql = "select * from  diagnosis where di_opt1= '$_REQUEST[s1]' && di_opt2= '$_REQUEST[s2]'  && di_opt3= '$_REQUEST[s3]'  && di_opt4= '$_REQUEST[s4]'  ";  
$strSQL = "SELECT * FROM employee WHERE Department = '".$_POST["department"]."' "  
$strSQL = "INSERT INTO koreanfood (con_name,con_email,con_phone,con_message) VALUES ('".$_POST["txt_name"]."',  
$strSQL = "INSERT INTO koreanfood (con_name,con_email,con_phone,con_message,date) VALUES ('".$_POST["txt_name"]."',  
$strSQL = "INSERT INTO info (Name,Skul,Age) VALUES ('".$_POST["txt_name"]."',  
$sql="update tb_student set stu_name='$stu_name', address='$address', status='$status' where stu_id='{$_POST['txtid']}' ";  
$sql="select * from tb_student where stu_id='{$_GET['id']}' ";  
$sql="delete from tb_student where stu_id='{$_GET['id']}'";  
$sql="UPDATE  tb_student SET stu_name='$stu_name', address='$address', status='$status' where stu_id=".$_POST['txtid'];  
$strSQL = "INSERT INTO orders (datetime,name,address,payment,date,tel,mail) VALUES ('".date("Y-m-d H:i:s")."','".$_POST["name"]."','".$_POST["address"]."','".$_POST["payment"]."','".$_POST["date"]."','".$_POST["tel"]."','".$_POST["mail"]."') ";  
$sql = "SELECT * FROM menu WHERE menu_name  LIKE  ('".$_POST["search"]."')%";  
$sqlr = "UPDATE  proresult set EmployeeID='".$_POST['EmployeeID'][$i]."', Name='".$_POST['ResourceName'][$i]."', RoleName='".$_POST['RoleName'][$i]."', Category='".$_POST['ResourceCategory'][$i]."', Email='".$_POST['ResourceEmail'][$i]."', TelNo='".$_POST['ResourceTelNo'][$i]."', ResourceDeparment='".$_POST['ResourceDepartment'][$i]."' where ppid ='$ide'";  
$sqlr = "UPDATE  proresult set EmployeeID='".$_POST['EmployeeID'][$i]."',  
$sqlr = "UPDATE  proresult set EmployeeID='".$_POST['EmployeeID$i']."',  
$strSQL2 = "INSERT INTO trans (datetime,name,address,date) VALUES ('".date("Y-m-d H:i:s")."','".$_POST["name"]."','".$_POST["address"]."' ,'".$_POST["date"]."') ";  
$strSQL = "SELECT * FROM vehicle_tb WHERE (1 AND serial = '".$_POST["sserial"]."' OR assetNumber = '".$_POST["assetNumber"]."') and assetNumber !='' ";  
$strSQL = "SELECT * FROM ordername WHERE id_order = '".$_GET["OrderID"]."' ";  
$strSQL2 = "SELECT * FROM order_detial WHERE id_order = '".$_GET["OrderID"]."' ";  
50.$strSQL2 = "SELECT * FROM order_detial WHERE id_order = '".$_GET["OrderID"]."' ";  
/*$strSQL = "INSERT INTO s_scroll (m_username,m_password,m_name ,m_lastname ,m_level) VALUES ('".$_POST["txtUsername"]."',  
$strSQL = "INSERT INTO s_scroll (s_name, s_text, s_color, s_bg, s_font, s_size, s_speed) VALUES ('".$_POST["T_Name"]."','".$_POST["T_Text"]."','".$_POST["T_Color"]."','".$_POST["T_BG"]."','".$_POST["T_Font"]."','".$_POST["size"]."','".$_POST["speed"]."')";  
$strSQL = "SELECT * FROM webboard WHERE QuestionID = '".$_GET["QuestionID"]."' ";  
if(!mysqli_query($objCon,"INSERT INTO reply (QuestionID,CreateDate,Details,Name) VALUES ('".$_GET["QuestionID"]."','".date("Y-m-d H:i:s")."','".$_POST["txtDetails"]."','".$_POST["txtName"]."') ")){  
$strSQL2 = "SELECT * FROM reply WHERE QuestionID = '".$_GET["QuestionID"]."' ";  
$strSQL1 = "SELECT * FROM product WHERE ProductName LIKE('".$_GET["ProductName"]."')";  
$strSQL = "SELECT * FROM member WHERE PerId = '".trim($_POST['txtPerId'])."' ";  
$strSQL = "SELECT * FROM member WHERE DriveId = '".trim($_POST['txtDriveId'])."' ";  
$strSQL = "SELECT * FROM member WHERE Tel = '".trim($_POST['txtTel'])."' ";  
$strSQL = "SELECT * FROM member WHERE Email = '".trim($_POST['txtEmail'])."' ";  
$strSQL = "UPDATE customer SET Name = '".$_POST["txtName"]."'  
$strSQL = "SELECT * FROM addinform WHERE ID_Inform= '".$_GET["ID_Inform"]."' ";  
$strCHECK = "SELECT * FROM  checkstock WHERE shopcode = '".$_GET["shopcode"]."' AND productid = '".$_POST["productid$i"]."'";  
$result = mysql_query("update product set qty = qty + '".$_POST["qty$i"]."' where ProductID = '".$_POST["productid$i"]."'");  
$resultms = mysql_query("update ms set actqty = actqty - '".$_POST["qty$i"]."' where shopcode='".$_GET["shopcode"]."' AND  productid = '".$_POST["productid$i"]."'");  
$strCHECKms = "SELECT * FROM  ms WHERE shopcode = '".$_POST["toshop"]."' AND productid = '".$_POST["productid$i"]."'";  
$resultoshop = mysql_query("update ms set actqty = actqty + '".$_POST["qty$i"]."' where shopcode='".$_POST["toshop"]."' AND  productid = '".$_POST["productid$i"]."'");  
$strSQL = "SELECT * FROM person WHERE Person_ID LIKE '%".$_GET["txtKeyword"]."%' ";  
$sql = "INSERT INTO durable_goods VALUES('$_POST[Dg_idtxt]',$Dg_Income,'$_POST[Dg_nametxt]' ,'$POST[Dg_Brandtxt]','$_POST[Dg_Typetxt]','$_POST[Dg_colourtxt]', '$_POST[Dg_Sizetxt]','$_POST[PriceToUnittxt]','$_POST[Dg_budgettxt]','$_POST[Notetxt]')";  
$strSQL = "SELECT * FROM customer WHERE CustomerID = '".$_POST["lmName1"]."' ";  
$sql = "SELECT * FROM news WHERE ID_News='{$_GET['ID_News']}' ";  
$sql_a = "SELECT * FROM news WHERE ID_News='{$_GET['ID_News']}' ";  
$strSQL2 = "SELECT * FROM location_area WHERE Locationname_id ='$_GET[Locationname_id]' ORDER BY Locationareaname_id ";  
$strSQL = "SELECT * FROM location_areaname WHERE Locationname_id ='$_GET[Locationname_id]' ";  
$strSQL2 = "SELECT * FROM location_area WHERE Locationname_id ='$_GET[Locationname_id]' ORDER BY Locationareaname_id  ";  
$strSQL2 = "SELECT * FROM location_area WHERE Locationname_id = '$_GET[Locationname_id]' ORDER BY Locationareaname_id";  
$sqlp = "INSERT INTO app_pro (appid, proname, mod, prore, probcp)VALUES('$id', '".$_POST['procname'][$i]."', '".$_POST['idmod'][$i]."','".$_POST['prore'][$i]."','".$_POST['probpc'][$i]."' )";  
$sqlp = "INSERT INTO app_pro (proname, mod, prore, probcp)VALUES( '".$_POST['proname'][$i]."', '".$_POST['mod'][$i]."','".$_POST['prore'][$i]."','".$_POST['probpc'][$i]."' )";  
$strsql = "INSERT INTO test (name)VALUES('".$_POST['test'][$i]."')";  
$sql = "SELECT fac_sci_name, category FROM facultysci WHERE sci_criteria <= '".$_POST['data1']."'";  
$dbname = "SELECT * FROM teacher WHERE (name LIKE '%".$_GET["search"]."%' or phone LIKE '%".$_GET["search"]."%' )";  
$strSQL = "SELECT * FROM comparison WHERE type = '".$_GET["type"]."' ";  
Quote:$strSQL = "SELECT * FROM comparison WHERE type = '".$_GET["type"]."' ";  

หากนำโค้ดในส่วนนี้ไปใช้งานกับเว็บแอพฯจริงๆ อาจทำให้ผู้ที่ไม่ประสงค์ดีหรือแฮกเกอร์เจาะระบบเข้ามาขโมยข้อมูลจากฐานข้อมูลออกไป หรือถึงขั้นยึดเครื่องที่ให้บริการเว็บแอพฯอยู่เลยก็เป็นไปได้ครับ สำหรับการป้องกัน/แก้ไขช่องโหว่ SQL Injection สามารถอ่านได้จาก OWASP: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

ไอเดีย + Regexp: https://github.com/laurent22/so-sql-injections
SQL Injection Prevention Cheat Sheet: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
ปล. เพื่อการศึกษาครับ

1 ความคิดเห็น: