@amitittyerah
Created June 5, 2014 06:56
SQL Injection and XSS demonstration
<?php
/**
* SQL Injection and XSS attacks demonstrated
*
* Last modified : 5th June 2014
*/
// Demo switches, read through `global` inside parse_param().
// With both left at true every request parameter is SQL-escaped and HTML-encoded;
// turning one off re-opens the corresponding hole so the attack can be reproduced.
$SAFE = true;      // escape input for use inside a quoted SQL literal
$XSS_SAFE = true;  // HTML-encode input before it is stored and later printed
/**
* Connect to the MySQL Database
*/
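/**
 * Connect to the MySQL database (once per request) and return the mysqli handle.
 *
 * The original opened a brand-new connection on every call — run_query() and
 * parse_param() both call this — and never closed any of them. A static cache
 * makes every caller share one connection.
 *
 * @return mysqli  open connection to the local "test" database
 */
function connect_db()
{
    static $mysql = null;
    if ($mysql !== null) {
        return $mysql;
    }
    // NOTE(review): root with an empty password is acceptable only for a
    // throwaway local demo database; never point this at real data.
    // On PHP 8.1+ mysqli's default error mode throws mysqli_sql_exception on a
    // failed connect instead of returning false, so the errno check below is
    // reached only on older configurations.
    $mysql = mysqli_connect('localhost', 'root', '', 'test');
    if (mysqli_connect_errno()) {
        // Keep the driver detail server-side: echoing mysqli_connect_error() told
        // anyone probing the page the DB host, account name and server version.
        error_log('Failed to connect to MySQL: ' . mysqli_connect_error());
        echo "Failed to connect to MySQL";
        die();
    }
    return $mysql;
}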
/**
* Run a query on the database
*/
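/**
 * Execute one SQL statement and show it on the page.
 *
 * The demo deliberately prints every statement it runs so the reader can watch
 * injected input reshape the SQL. The statement text contains user-supplied
 * data, so it is HTML-encoded for display: printing it raw made this echo a
 * second, unintended XSS sink. The original also emitted a malformed "</br>".
 *
 * @param string $query  complete SQL statement (already built by the caller)
 * @return mysqli_result|bool  result set for SELECT, true for INSERT, false when
 *         the statement fails (e.g. a syntax error caused by injected input; on
 *         PHP 8.1+ mysqli may throw mysqli_sql_exception instead). Callers must
 *         handle false.
 */
function run_query($query)
{
    $conn = connect_db();
    echo '<br/>------<br/>'
        . htmlspecialchars($query, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '<br/>-------<br/>';
    return $conn->query($query);
}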
/**
* Parse a request parameter
*/
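/**
 * Apply the demo's input protections to one request parameter.
 *
 * $SAFE and $XSS_SAFE are meant to be independent switches. In the original the
 * $XSS_SAFE branch was tested first and always returned the SQL-escaped value,
 * so setting $SAFE = false on its own could never demonstrate SQL injection —
 * both flags had to be turned off together. Each flag now controls only its own
 * step; with both true (the shipped defaults) the result is unchanged.
 *
 * @param string $param_value  raw value from $_POST
 * @return string  the value with zero, one or both escapes applied
 */
function parse_param($param_value)
{
    global $SAFE;
    global $XSS_SAFE;

    $value = $param_value;

    // SQL-injection protection: escape quotes and backslashes for use inside a
    // quoted literal. This is only correct because every caller wraps the value
    // in '...'. NOTE(review): a prepared statement is the real fix; escaping is
    // kept so the demo can be switched back to the vulnerable path.
    if ($SAFE) {
        $value = mysqli_real_escape_string(connect_db(), $value);
    }

    // XSS protection. NOTE(review): encoding at input time means HTML-encoded
    // text is what gets stored; the conventional place to encode is at output,
    // per context. Kept here because the List page prints stored values raw.
    if ($XSS_SAFE) {
        $value = htmlentities($value);
    }

    return $value;
}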
/**
* Insert a user to the database
*/
/**
 * Store one username/password pair.
 *
 * Deliberately vulnerable sink: both values are spliced straight into the SQL
 * text, so whatever parse_param() lets through becomes part of the statement.
 * NOTE(review): real code uses a prepared statement and stores a
 * password_hash() digest, not the cleartext that arrives here.
 *
 * @param string $name      username as returned by parse_param()
 * @param string $password  password as returned by parse_param()
 */
function insert_name($name, $password)
{
    $statement = sprintf(
        "INSERT INTO user(username, password) VALUES('%s', '%s')",
        $name,
        $password
    );
    run_query($statement);
}
/**
* Validate user
*/
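/**
 * Check whether a username/password pair exists in the user table.
 *
 * Deliberately vulnerable sink: the values are spliced into the SQL text, so on
 * the unsafe path an input such as  ' OR '1'='1  yields a non-zero count and
 * "logs in" without knowing any password.
 * NOTE(review): real code uses a prepared statement, fetches the stored
 * password_hash() digest by username and checks it with password_verify().
 *
 * @param string $name      username as returned by parse_param()
 * @param string $password  password as returned by parse_param()
 * @return bool  true when at least one matching row exists
 */
function validate($name, $password)
{
    $query = "SELECT COUNT(*) as cnt FROM user WHERE `username`='" . $name . "' AND `password`='" . $password . "'";
    $result = run_query($query);

    // Injected input can make the statement syntactically invalid; mysqli then
    // returns false, and mysqli_fetch_assoc(false) is a TypeError on PHP 8.
    if ($result === false) {
        return FALSE;
    }

    // COUNT(*) produces exactly one row, so a single fetch replaces the
    // original's one-iteration while loop.
    $row = mysqli_fetch_assoc($result);
    mysqli_free_result($result);
    if (!$row || !isset($row['cnt'])) {
        return FALSE;
    }
    return $row['cnt'] > 0;
}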
/**
* Get all users in the database
*/
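/**
 * Fetch every row of the user table.
 *
 * NOTE(review): SELECT * also returns the password column, which the List page
 * then displays in cleartext; that is part of what this demo shows, not a
 * pattern to copy.
 *
 * @return array  list of associative rows (username, password, ...); empty when
 *         the query fails
 */
function get_records()
{
    $result = run_query("SELECT * FROM user");

    // A failed query yields false; returning an empty list keeps the List page
    // rendering instead of handing false to mysqli_fetch_assoc.
    if ($result === false) {
        return array();
    }

    $rows = array();
    while ($row = mysqli_fetch_assoc($result)) {
        $rows[] = $row;
    }
    mysqli_free_result($result);
    return $rows;
}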
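/**
 * Render the username/password form shared by the Add and Login pages.
 * Posts back to the current URL; the field names are what the handlers read.
 * (The submit button says "Save" on both pages, as in the original.)
 */
function render_credentials_form()
{
    echo '<form action="" method="post">
<input type="text" name="username"><br/>
<input type="password" name="password"><br/>
<input type="submit" value="Save"><br/>
</form>';
}

/**
 * Read one POSTed field, or '' when it is absent.
 * The original indexed $_POST['password'] unconditionally and raised an
 * "Undefined index" notice for a request that carried only a username.
 *
 * @param string $name  form field name
 * @return string
 */
function post_field($name)
{
    return isset($_POST[$name]) ? $_POST[$name] : '';
}

// Navigation. The original linked Add to "/?add" (the site root) while the
// other two links were relative, so Add broke whenever the script was not
// served from "/".
echo '<a href="?add">Add</a>&nbsp;&nbsp;
<a href="?list">List</a>&nbsp;&nbsp;
<a href="?login">Login</a>';

if (isset($_GET['add'])) {
    echo '<h2>Add</h2>';
    if (isset($_POST['username'])) {
        // NOTE(review): no CSRF token — any site can submit this form on a
        // visitor's behalf. Fine for a demo, not for anything real.
        $username = parse_param(post_field('username'));
        $password = parse_param(post_field('password'));
        insert_name($username, $password);
    }
    render_credentials_form();
} elseif (isset($_GET['list'])) {
    echo '<h2>List</h2>';
    // Deliberately vulnerable sink: stored values are printed without HTML
    // encoding, so with $XSS_SAFE = false a username such as <script>...</script>
    // executes here (stored XSS). It also displays every cleartext password.
    // NOTE(review): real code escapes each cell with htmlspecialchars() and
    // never stores or shows cleartext passwords.
    echo '<table>';
    echo '<tr><th>Name</th><th>Password</th></tr>'; // original omitted the <tr>
    foreach (get_records() as $record) {
        echo '<tr>
<td>' . $record['username'] . '</td>
<td>' . $record['password'] . '</td>
</tr>';
    }
    echo '</table>';
} elseif (isset($_GET['login'])) {
    echo '<h2>Login</h2>';
    if (isset($_POST['username'])) {
        $username = parse_param(post_field('username'));
        $password = parse_param(post_field('password'));
        if (validate($username, $password)) {
            echo 'Logged in successfully';
        } else {
            echo 'Failed login!';
        }
    }
    render_credentials_form();
}
// No action selected: only the navigation links are shown.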
?>