So I'm working on an assignment and as part of that, performing an SQL injection on a table i named test, from a form that's used to input values in a table named students.
I've been trying
'; DROP TABLE test; --
I get this error
Error: INSERT INTO student (student_id, first_name, last_name, DOB, sex, phone, user_id) VALUES ('nhdb', ''; DROP TABLE test; -- ', '', '', '', '', 'u01')
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near
'; DROP TABLE test; -- ', '', '', '', '', 'u01')'
at line 1
Originally i was trying to drop the students table, but when I was testing whether the user had the right to drop that table, there were foreign key constraint issues. So I put together a table named test, which can be dropped by the user with no issues.
Any guidance on where i'm going wrong here? I'm sure '; DROP TABLE test; --
should work.
It fails because the rest of the INSERT
-values are commented out in your example. Seven Values are expected but only two provided.
Also the closing bracket )
is missing.
Because the INSERT
fails, the DROP
isn't executed too.
This should work:
', '', '', '', '', ''); DROP TABLE test; --