
I have created this code for testing of SQL injection.

<?php
// Deliberately vulnerable test script (as posted): user input is concatenated
// straight into the SQL string, which is what makes the injection possible.
mysql_connect('localhost', 'root', '');
mysql_select_db("test");
$id = $_POST['data'];
$query = "SELECT * FROM members WHERE memberId ='" . $id . "'";
$q = mysql_query($query);
if (mysql_num_rows($q) == 0)
{
    printf("<h4>Wrong user ID!</h4>");
}
else
{
    while ($row = mysql_fetch_array($q))
    {
        printf("<h4>Your ID is %s</h4>", $row["memberId"]);
    }
}
?>

When the variable $id is 1' OR '1'='1, I can see all IDs in the members table. I would also like to realize DROP TABLE, but I can't figure out what to insert in the variable $id. I have tried to insert 123'; DROP TABLE sql injection-- in $id.

Do you have any idea what to insert in $id or how to modify this code?


1 Answer

In the console it would be: '; drop table members; select '

However, you are using mysql_query and it supports only a single statement.

Here is what the manual says:

mysql_query() sends a unique query (multiple queries are not supported) to the currently active database on the server that's associated with the specified link_identifier.

Also check this question. As suggested there, you can try using multi_query in your example.

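The vulnerable lookup from the question next to a parameterized version, as an added example that is not part of the question or the answer. It assumes PHP's PDO SQLite driver (an in-memory database stands in for the MySQL server) and a constructed members table; the same 1' OR '1'='1 input returns every row through the concatenated query and no row through the prepared statement.

```php
<?php
// Added example: in-memory SQLite via PDO (assumed available) instead of MySQL,
// so the two query styles can be compared without a database server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed sample table matching the column the question queries.
$pdo->exec("CREATE TABLE members (memberId TEXT PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO members VALUES ('1', 'alice'), ('2', 'bob'), ('3', 'carol')");

// Vulnerable form from the question: the input becomes part of the SQL text,
// so a quote in the input changes the query's structure.
function lookupVulnerable(PDO $pdo, string $id): array
{
    $query = "SELECT * FROM members WHERE memberId ='" . $id . "'";
    return $pdo->query($query)->fetchAll(PDO::FETCH_COLUMN, 0);
}

// Hardened form: the SQL is fixed and the value travels as a bound parameter,
// so quotes in the input are compared as data and cannot alter the query.
function lookupPrepared(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare("SELECT * FROM members WHERE memberId = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN, 0);
}

$payload = "1' OR '1'='1"; // the input quoted in the question
printf("vulnerable query, injected input: [%s]\n", implode(',', lookupVulnerable($pdo, $payload)));
printf("prepared statement, injected input: [%s]\n", implode(',', lookupPrepared($pdo, $payload)));
printf("prepared statement, real id: [%s]\n", implode(',', lookupPrepared($pdo, '2')));
```

With a real MySQL backend the same prepared-statement approach works through mysqli or PDO; it also removes the reason to reach for multi_query at all, since stacked statements in user input never become SQL.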