3 Replies - 387 Views - Last Post: 10 December 2011 - 06:18 AM

#1 morsev

  • D.I.C Head

Reputation: -1
  • Posts: 70
  • Joined: 26-September 10

Error in simple Sql Injection Example

Posted 09 December 2011 - 07:19 AM

Hi guys.

I tried to make a simple SQL injection, but the query didn't work and I don't know why!

This is my simple PHP code:
<form method="get" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<input type="text" name="name" />
<input type="submit" value="click" />
</form>

<?php
if(isset($_GET['name']))
{
mysql_connect('localhost','root','');
mysql_select_db('phonebook');
// the raw GET value is concatenated straight into the SQL string (the injection point)
$select="INSERT INTO names (name) VALUES ('".$_GET['name']."')";
echo $select; // shows the final SQL that will be sent to the server
$query=mysql_query($select); // mysql_query() sends exactly one statement
if($query)
	echo "ok";
else
	echo "no";
}
?>



When I write:
Albert

in the textbox and press click,
the name is added to the database and 'ok' is printed on the screen.

But when I write:
qq'); INSERT INTO names (name) VALUES ('rr


the URL that appears at the top is:
http://localhost/getdata.php?name=qq%27%29%3B+INSERT+INTO+names+%28name%29+VALUES+%28%27rr

but the query didn't work and 'no' is printed on the screen.
The $select variable that is printed is:
INSERT INTO names (name) VALUES ('qq'); INSERT INTO names (name) VALUES ('rr')


So what is the problem exactly?

Thanks in advance :)


Replies To: Error in simple Sql Injection Example

#2 JackOfAllTrades

  • Saucy!

Reputation: 6058
  • Posts: 23,495
  • Joined: 23-August 08

Re: Error in simple Sql Injection Example

Posted 09 December 2011 - 07:43 AM

Topic under discussion...
Was This Post Helpful? 0

#3 JackOfAllTrades

  • Saucy!

Reputation: 6058
  • Posts: 23,495
  • Joined: 23-August 08

Re: Error in simple Sql Injection Example

Posted 10 December 2011 - 04:52 AM

Re-approved this for the time being.

If you read the manual page on mysql_query, you'll see this:

Quote

mysql_query() sends a unique query (multiple queries are not supported)


You are trying to send multiple queries in a single call, so this won't work.
Was This Post Helpful? 0

#4 CTphpnwb

  • D.I.C Lover

Reputation: 2932
  • Posts: 10,134
  • Joined: 08-August 08

Re: Error in simple Sql Injection Example

Posted 10 December 2011 - 06:18 AM

This is why everyone should be using prepared statements with PDO or MySQLi. There are plenty of people still looking to use SQL injection, and prepared statements are immune to it.
Was This Post Helpful? 1
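Added example, not code from the thread or from any of its posters: morsev's concatenated INSERT from the first post next to the prepared-statement form that CTphpnwb recommends, fed the exact input from the first post. It runs against an in-memory SQLite table that stands in for the `phonebook.names` table so it works without a MySQL server; the SQLite DSN, the table definition and the function names are assumptions for the demo. The MySQLi function is included for comparison but is not called, because it needs a live MySQL connection.

```php
<?php
// Added example (not from the thread): the vulnerable query builder from the
// original post beside prepared-statement versions with PDO and MySQLi.
// Assumption: an in-memory SQLite database stands in for the MySQL
// 'phonebook' database, with a table that mirrors the poster's `names (name)`.
declare(strict_types=1);

// The poster's approach, kept for comparison: the value becomes part of the SQL text,
// so a quote in the input changes the structure of the statement.
function buildUnsafeInsert(string $name): string
{
    return "INSERT INTO names (name) VALUES ('" . $name . "')";
}

// PDO prepared statement: the value is sent as a bound parameter and is never
// parsed as SQL, whatever characters it contains.
function insertNameWithPdo(PDO $db, string $name): bool
{
    $stmt = $db->prepare('INSERT INTO names (name) VALUES (:name)');
    return $stmt->execute([':name' => $name]);
}

// MySQLi equivalent (not called below: it needs a live MySQL server).
function insertNameWithMysqli(mysqli $conn, string $name): bool
{
    $stmt = $conn->prepare('INSERT INTO names (name) VALUES (?)');
    $stmt->bind_param('s', $name);
    return $stmt->execute();
}

// Every stored name, so the effect of each insert can be inspected.
function listNames(PDO $db): array
{
    return $db->query('SELECT name FROM names')->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE names (name TEXT NOT NULL)');

// The exact textbox input from the original post.
$payload = "qq'); INSERT INTO names (name) VALUES ('rr";

// What the poster's code sends: two statements in one string.
echo "concatenated SQL: " . buildUnsafeInsert($payload) . PHP_EOL;

// With a bound parameter the same input is only ever a string value.
insertNameWithPdo($db, 'Albert');
insertNameWithPdo($db, $payload);

printf("rows stored: %d%s", count(listNames($db)), PHP_EOL);
foreach (listNames($db) as $name) {
    echo "  " . $name . PHP_EOL;
}
```

Run it with `php example.php`: the table ends up with two rows, `Albert` and the payload stored verbatim as a single name, because the bound parameter never reaches the SQL parser. Switching to MySQL means changing the DSN to something like `mysql:host=localhost;dbname=phonebook` and adding credentials; the functions stay the same, and with pdo_mysql it is worth setting `PDO::ATTR_EMULATE_PREPARES` to `false` so the statement is prepared server-side. Note that the "one statement per call" behaviour JackOfAllTrades quotes from the manual is a property of the old driver, not a defence: in the original code the input was still being parsed as SQL, and only the parameterised form removes that.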
