PHP MySQL Injection

Question

I have a PHP script with this code:

$sid = $_COOKIE['sid'];
$q = mysql_query("SELECT * FROM `order` WHERE `sid` = '$sid' AND `use` <> 1");

In a MySQL table with name users, I have the following columns: id, name, md5password.

How can I do:

 UPDATE `users` SET `md5password` ='newpassword'`

with a potential SQL injection in PHP? Can you give me an example?

@Quentin I don't think so. The OP seems to want to perform the injection. — mavrosxristoforos, Oct 15 '13 at 09:15
@Andrew We need much more information as to what you are trying to do. I hope you know that we won't help you hack a site, right? — mavrosxristoforos, Oct 15 '13 at 09:17
`'; UPDATE users SET md5password ='newpassword'; SELECT * FROM order WHERE sid = '1` .. theoretically — Jonathon, Oct 15 '13 at 09:18
Indeed, that's why I put "theoretically". It's an example of how I would potentially attempt to perform an injection as the OP asked, even though the security restrictions on `mysql_query()` would stop it happening. — Jonathon, Oct 15 '13 at 11:59

score 2 · Answer 1 · answered Oct 15 '13 at 09:18

2

You can't. The reason is mysql_query() does not support multiple queries and so even with this SQL Injection vulnerability, you can't execute an UPDATE query.

The best you can do with this SQLi is to extract or read data from the database, you can't update or delete it.

answered Oct 15 '13 at 09:18

MrCode

63,975
10
90
112

Can I see the example of extract or reading? – Andrew Nightingale Oct 15 '13 at 09:38
Also, a deliberately malformed query can be entered in order to try to get an error message revealing the table structure. – halfer Oct 15 '13 at 09:39
I know structure of all tables and have source codes, and i need to get or change md5password column from `users` table via using vulnerability in PHP-code. – Andrew Nightingale Oct 15 '13 at 09:53
You can also read and write files. – Gumbo Oct 15 '13 at 16:17

PHP MySQL Injection

1 Answers1