
I have the following code, which is vulnerable to SQL injection (I think?):

$IDquery = mysqli_query($connection, "SELECT `ID` FROM users WHERE username=$usernamelogin");

I don't escape the $usernamelogin, and that is not a parameterized query. This obviously needs to be fixed, you don't need to point that out, that isn't what this question is about. Before I fix it, I want to make sure I understand how an SQL injection works as well as possible. So, I tried creating a table named "droptable" and inputting the following into the username input:

x; DROP TABLE droptable;

Which I believe should input this SQL query:

SELECT `ID` FROM users WHERE username=x; DROP TABLE droptable;

However, droptable still exists, and the rows in it are untouched. Could anybody tell me why?

James G.
  • For when you do start making it secure after your testing, you're halfway there as you use mysqli. Just switch to prepared statements and you're good. http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php/60496#60496 – James Aug 31 '13 at 01:22

2 Answers


mysqli_query() doesn't support multiple query execution.

Your Common Sense
  • So how is this form vulnerable to SQL injection then? – James G. Aug 31 '13 at 15:19
  • SQL injection doesn't mean "multiple query execution". If you managed to inject some code into the query, it is vulnerable to injection. – Your Common Sense Aug 31 '13 at 15:32
  • Oh, I see. Something like `x' or 'username'=$username` could be put into it, but this specific injection doesn't work. Does that mean dropping a table (and other functions, if they aren't already called in the query) are impossible with modern SQL injections? – James G. Aug 31 '13 at 15:37
  • I'm just trying to gain a fuller understanding of the concept. None of the texts I had read had pointed out that multiple queries weren't supported (except the manual, and I missed it there), so that's something new. – James G. Aug 31 '13 at 15:46
  • You **still** confuse certain query (used as a mere example) which **doesn't matter** with general concept. Again: a concept of SQL injection is about injecting code, not dropping tables. – Your Common Sense Aug 31 '13 at 15:48
  • I wouldn't understand graphing if I had never drawn an example graph from an equation, learning by example just seems logical to me. – James G. Aug 31 '13 at 16:02
  • But you wouldn't always draw the same graph out of different equations, would you? – Your Common Sense Aug 31 '13 at 16:10

You don't have quotes around $usernamelogin, so when you supply a string, that would produce an error. Either add quotes or supply a number.

php_nub_qq
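The following is an added example, not code from either answer or from the question. It reproduces both answers' points in Python with the standard-library sqlite3 module, which is used here as a stand-in for mysqli because, like mysqli_query(), cursor.execute() runs exactly one statement and rejects a stacked query. The users and droptable tables and their rows are constructed sample data; the query text mirrors the question's. The example shows, in order, the unquoted `x` being parsed as a column name (the second answer), the stacked `DROP TABLE` payload being refused while the table survives (the first answer), an injection that stays inside the single statement and returns every user's ID (the first answer's comments), and the parameterized query the comments recommend.

```python
import sqlite3


def make_db():
    """In-memory database with the two tables from the question.
    Rows are constructed sample data, not anything from the original post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (ID INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (ID, username) VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    conn.execute("CREATE TABLE droptable (x INTEGER)")
    conn.execute("INSERT INTO droptable VALUES (1)")
    return conn


def vulnerable_lookup(conn, usernamelogin, quoted=True):
    """Mirror of the question's mysqli_query() call: the value is pasted into
    the SQL text.  quoted=False reproduces the question's query exactly, with
    no quotes around the value; quoted=True is the more common shape."""
    if quoted:
        sql = "SELECT ID FROM users WHERE username='%s'" % usernamelogin
    else:
        sql = "SELECT ID FROM users WHERE username=%s" % usernamelogin
    # sqlite3's execute(), like mysqli_query(), executes a single statement.
    return [row[0] for row in conn.execute(sql).fetchall()]


def safe_lookup(conn, usernamelogin):
    """The fix the comments recommend: a parameterized statement.  The driver
    binds the value; it is never spliced into the SQL text."""
    rows = conn.execute("SELECT ID FROM users WHERE username=?",
                        (usernamelogin,)).fetchall()
    return [row[0] for row in rows]


def table_exists(conn, name):
    """True if a table of that name is still present in the schema."""
    count = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name=?",
        (name,)).fetchone()[0]
    return count == 1


def run_payload(conn, payload, quoted=True):
    """Run a payload through the vulnerable function and return
    (ids_returned, error_message_or_None) so failures are visible."""
    try:
        return vulnerable_lookup(conn, payload, quoted), None
    except (sqlite3.Error, sqlite3.Warning) as exc:  # older Pythons raise Warning
        return [], str(exc)


def demo():
    """Walk through the question's experiment and the answers' explanations."""
    conn = make_db()
    results = {}
    # Second answer: without quotes, 'x' is parsed as a column name -> error.
    results["unquoted_x"] = run_payload(conn, "x", quoted=False)
    # First answer: a stacked statement is refused by a single-statement API,
    # even with the quotes closed properly, so droptable is untouched.
    results["stacked"] = run_payload(conn, "x'; DROP TABLE droptable; --",
                                     quoted=True)
    results["droptable_survives"] = table_exists(conn, "droptable")
    # Injection that stays inside the one statement: WHERE becomes
    # username='x' OR '1'='1', which is true for every row.
    results["or_injection"] = run_payload(conn, "x' OR '1'='1", quoted=True)
    # Parameterized: the same payload is just a username nobody has.
    results["parameterized"] = safe_lookup(conn, "x' OR '1'='1")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it and the stacked payload produces the driver's "one statement at a time" error while `table_exists` still reports droptable, which is the situation the question describes; the `OR '1'='1'` payload, by contrast, needs no second statement and returns every ID in the table, which is why the form is still injectable. MySQL's behaviour is the same in outline (mysqli_query() runs one statement; mysqli_multi_query() is the call that would accept the stacked form), but the exact error strings differ.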