
SQL Injection on update query


So I have a server set up to serve payment requests. A user enters their credit card details in a form.

Query to inject here:

$sql = "UPDATE users SET credit_card'".$credit_card."', cvv='".$cvv."', expdate='".$exp."' WHERE userid='".$_SESSION['userid']."'";

I am trying to change another user's password from this query.

Where the $credit_card is posted from a form. I'm trying to inject the $credit_card part by writing my own query and getting rid of the rest by adding ;-- to the end.

The statement I am using for $credit_card is:

', password='test' where userid='10';-- 

Now, I am positive this was working yesterday but now the following error appears and I cannot wrap my head around it. Any help please?

Query failed: UPDATE users SET credit_card'', password='test' WHERE userid='20';--, cvv='', expdate='' WHERE userid='20'


Solution

    1. Not all database functions accept multiple statements, so the ; delimiter may be considered unexpected input.

    2. The syntax for single-line comments in MySQL is -- Foo (please note the white space after the double-dash).

    3. If the server code is yours, you can just print the actual error message generated by the server (and not some generic "something went wrong" text). If it isn't, just copy and paste the SQL code from the error message into your favourite MySQL client.
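The same UPDATE written as a mysqli prepared statement, added here as an example that is neither the question's nor the answer's code; it assumes an open mysqli connection in $db and the table and columns from the question, and the function name is made up for the example.

```php
<?php
// Added example, not code from the question or the answer. Assumes an open
// mysqli connection in $db and the question's table/columns (users,
// credit_card, cvv, expdate, userid). update_card() is a hypothetical name.
function update_card(mysqli $db, int $userid, string $credit_card, string $cvv, string $exp): int
{
    // Placeholders replace the string concatenation: the SQL text is fixed and
    // the values travel separately, so quotes, ';' and '-- ' inside a value
    // are stored as characters and never become part of the statement.
    $stmt = $db->prepare(
        "UPDATE users SET credit_card = ?, cvv = ?, expdate = ? WHERE userid = ?"
    );
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    // "sssi": three string parameters and one integer, in placeholder order.
    $stmt->bind_param("sssi", $credit_card, $cvv, $exp, $userid);
    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException("execute failed: " . $err);
    }
    // Rows actually changed: 1 for this user's row, 0 if the values were
    // already identical. It can never be more than 1, because the WHERE
    // clause cannot be altered by the submitted values.
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// With the payload from the question submitted as credit_card, the text
// ', password='test' where userid='10';--  is written verbatim into the
// credit_card column of the session user's own row; the password column
// and every other row are untouched.
$userid = (int) $_SESSION['userid'];
update_card($db, $userid, $_POST['credit_card'], $_POST['cvv'], $_POST['exp']);
```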