How to perform SQL Injection in the context of Insert query or Select query? Any help would be appreciated.
Asked
Active
Viewed 199 times
0
-
2Why do you want to allow SQL injections? – chris85 Sep 26 '17 at 11:55
-
Well combine this, http://php.net/manual/en/mysqli.multi-query.php, with the answer below and you will be able to execute that query. You also can say good bye to your DB with this. – chris85 Sep 26 '17 at 16:40
1 Answers
4
First of all, don't use mysql_, use mysqli_.
Second, that's because you can't put two queries inside the mysql_query(). Otherwise they would have named it mysql_queries()
Just make two seperate queries. Here's the docs.
Here is a basic example from the manual on its usage:
<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");
/* check connection */
if ($mysqli->connect_errno) {
printf("Connect failed: %s\n", $mysqli->connect_error);
exit();
}
/* Create table doesn't return a resultset */
if ($mysqli->query("CREATE TEMPORARY TABLE myCity LIKE City") === TRUE) {
printf("Table myCity successfully created.\n");
}
/* Select queries return a resultset */
if ($result = $mysqli->query("SELECT Name FROM City LIMIT 10")) {
printf("Select returned %d rows.\n", $result->num_rows);
/* free result set */
$result->close();
}
/* If we have to retrieve large amount of data we use MYSQLI_USE_RESULT */
if ($result = $mysqli->query("SELECT * FROM City", MYSQLI_USE_RESULT)) {
/* Note, that we can't execute any functions which interact with the
server until result set was closed. All calls will return an
'out of sync' error */
if (!$mysqli->query("SET @a:='this will not work'")) {
printf("Error: %s\n", $mysqli->error);
}
$result->close();
}
$mysqli->close();
Funk Forty Niner
- 74,450
- 15
- 68
- 141
Lars Peterson
- 1,508
- 1
- 10
- 27
-
2I edited the answer in order to use an English reference http://php.net/manual/en/mysqli.query.php – Funk Forty Niner Sep 26 '17 at 12:27