-1

As far as I know, in PHP you can only do one insert statement at a time: (if that's grossly wrong, please don't continue to read the rest :) )

this will not insert any rows:

$query = "insert into users (email) values ('test1');insert into users (email) values ('test2'); ";
$result = mysql_query($query);

Whereas this will insert one row:

$query = "insert into users (email) values ('test1');";
$result = mysql_query($query);

First of all, is what I said so far correct?

If so, does that mean that it is impossible to do a SQL injection similar (just guessing) to this:

$_GET['bad_var'] = '1");drop table users;'
$query = "insert into users (email) values (".$_GET['bad_var'].")";
$result = mysql_query($result);

which would result in insert into users (email) values ("1");drop table users;

Or does the one statement per query assumption prove correct here

d-_-b
  • 21,536
  • 40
  • 150
  • 256
  • 4
    AFAIK, yes the *one statement per query* applies for the mysql extension, as well as PDO. But why bother about SQL injection? Use PDO and [prepared statements](http://php.net/manual/en/pdo.prepared-statements.php) and you'll never have to bother again. – BenMorel Jun 02 '13 at 18:42
  • 2
    Here’s your exploit: `bad_var=(select concat(user,':',password,'@evil.example'))` – Gumbo Jun 02 '13 at 19:12
  • @Benjamin: Actually, PDO supports multi-statements with prepared statement emulation (and mysqlnd, which has been the default MySQL driver for all extensions since PHP v5.4). – eggyal Jun 02 '13 at 19:12

2 Answers2

1

Completely mis-read the initial question, apologies.

To answer the actual question, yes, mysql_query allows you to only perform one statement at a time, mitigating that particular SQL injection vector. See this similar question: How do you do multiple SQL statments in one mysql_query?

Community
  • 1
  • 1
Graham
  • 6,484
  • 2
  • 35
  • 39
1

  1. As far as I know, in PHP you can only do one insert statement at a time: (if that's grossly wrong, please don't continue to read the rest :) )

    It depends. PHP offers several methods of accessing MySQL, some of which support multiple/batch statements, whilst others do not.

    The examples given in your question use the ancient (and now deprecated, as of PHP v5.5) ext/mysql extension, use of which in new code has been explicitly discouraged in the documentation since June 2011. You are correct insofar as the mysql_query() function, which is part of this extension, does not support multiple/batch statements:

    mysql_query() sends a unique query (multiple queries are not supported) to the currently active database on the server that's associated with the specified link_identifier.

    The improved MySQLi extension makes a similar point to your question in its documentation:

    Security considerations

    The API functions mysqli_query() and mysqli_real_query() do not set a connection flag necessary for activating multi queries in the server. An extra API call is used for multiple statements to reduce the likeliness of accidental SQL injection attacks. An attacker may try to add statements such as ; DROP DATABASE mysql or ; SELECT SLEEP(999). If the attacker succeeds in adding SQL to the statement string but mysqli_multi_query is not used, the server will not execute the second, injected and malicious SQL statement.

    Other methods may not provide such protection, however.

  2. If so, does that mean that it is impossible to do a SQL injection

    Whilst preventing a second statement from being executed somewhat mitigates against SQL injection attacks, it does not entirely prevent them. One certainly should not rely on such protection.

eggyal
  • 122,705
  • 18
  • 212
  • 237