
SQL Injection php


I'm practicing SQL injection.

http://localhost/injection/index.php?id=1%3BDELETE+FROM+users

With this injection, only the first code works.

With the second code I get this error: Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DELETE FROM users' at line 3

    // First code (PDO): the id parameter is concatenated into the SQL string
    $pdo = new PDO('mysql:host=localhost;dbname=injection', 'root', '');
    $id = $_GET['id'];
    $statement = $pdo->query("SELECT * FROM users WHERE id = ".$id."");
    $row = $statement->fetch(PDO::FETCH_ASSOC);
    echo htmlentities($row['users']);

    // Second code (mysqli): same concatenation, sent through mysqli_query()
    require_once("conn.php");
    $id = $_GET['id'];

    $query = "SELECT *
              FROM users
              WHERE id = ".$id."";

    $result = mysqli_query($conn,$query) or die("Error: ".mysqli_error($conn));
    $row = mysqli_fetch_array($result);

    echo htmlentities($row['users']);

Solution

  • It seems that mysqli_query does not support multiple queries. You should try to use mysqli_multi_query(), but from a security point of view, it is not a good idea.
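
The hardened form of both snippets, as an added example that is not part of the original question or answer: the id is validated as an integer, bound as a parameter, and stacked statements are switched off on the PDO connection. The function names `parseId`, `findUserPdo` and `findUserMysqli` are hypothetical; the DSN, credentials and the `users` column are taken from the question.

```php
<?php
// Added example (not the asker's code). Assumes the question's local
// "injection" database with a "users" table.

// Accept only a positive integer; "1;DELETE FROM users" or "" yields null.
function parseId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// PDO variant. pdo_mysql allows "stmt1; stmt2" in query() by default, which is
// why the first snippet ran the DELETE; the option below turns that off.
function findUserPdo(int $id): ?array
{
    $pdo = new PDO('mysql:host=localhost;dbname=injection', 'root', '', [
        PDO::MYSQL_ATTR_MULTI_STATEMENTS => false, // refuse stacked statements
        PDO::ATTR_EMULATE_PREPARES       => false, // server-side prepares
        PDO::ATTR_ERRMODE                => PDO::ERRMODE_EXCEPTION,
    ]);
    $stmt = $pdo->prepare('SELECT * FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// mysqli variant. mysqli_query() already rejects stacked statements, but
// concatenation still permits UNION or boolean injection; binding closes that too.
function findUserMysqli(mysqli $conn, int $id): ?array
{
    $stmt = $conn->prepare('SELECT * FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() requires mysqlnd
    return $row ?: null;
}

$id = parseId($_GET['id'] ?? '');
if ($id === null) {
    http_response_code(400);
    exit('Invalid id');
}
$row = findUserPdo($id);
echo $row === null ? 'Not found' : htmlentities((string) $row['users']);
```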