sql injection not working

Question

Why is my sql injection which i am trying to practice on not working.

$sql = "INSERT INTO animals VALUES ('', '{$string}', 'rover')";

I have an input box in where i put the following

', ''); drop table dropme; --

and that is swapped for the injection code.

However the sql fails. But when I process the following statement in phpmyadmin then it does work.

INSERT INTO animals VALUES ('','    ', ''); drop table dropme; --   ','rover')";

How can this be? Is my browser automatically escaping it for me

Simply echo the query you are going to execute. and check out what it is. — PeeHaa, Mar 28 '12 at 13:57
won't this work like that : $sql = "INSERT INTO animals VALUES ('', '$string', 'rover')"; ? — Deblaton Jean-Philippe, Mar 28 '12 at 14:00
Post more code. I would also remove {} and echo out what $string is. — Haru, Mar 28 '12 at 14:00
The default PHP settings don't allow multiple statements. There are ways around it though, like using UNION if it's a select statement. — Cfreak, Mar 28 '12 at 14:01

score 8 · Accepted Answer · answered Mar 28 '12 at 13:58

8

None of the PHP/MySQL interfaces allow you to execute more than one statement at once. This type of SQL injection is not possible in PHP.

When you execute it in phpMyAdmin, it splits your string up into separate queries and executes them one at a time.

The type of SQL injection that is possible in PHP is stuff like this:

$dirtyString = "' OR 1 = 1 UNION ALL SELECT * FROM private_table WHERE '1' = '1";

$query = "SELECT * FROM public_table WHERE `col` = '$dirtyString'";

answered Mar 28 '12 at 13:58

DaveRandom

87,921
11
154
174

1

Although technically isn't there an option in PDO to *allow* you to execute multiple queries in one go? – liquorvicar Mar 28 '12 at 14:14
1

@liquorvicar I'm not a PHP guy, [but I believe so...](http://dev.mysql.com/doc/refman/5.0/en/c-api-multiple-queries.html) – Michael Fredrickson Apr 02 '12 at 21:24

score 1 · Answer 2 · answered Mar 28 '12 at 13:59

1

You cannot do this from PHP as it does not allow to execute more than one statement at once. The mysql_query() manual page states:

The query string should not end with a semicolon.

answered Mar 28 '12 at 13:59

Treffynnon

21,365
6
65
98

score 0 · Answer 3 · answered Mar 28 '12 at 13:59

0

Some versions of PHP automatically escape everything for you with magic quotes.

http://php.net/manual/en/security.magicquotes.what.php

answered Mar 28 '12 at 13:59

Farzher

13,934
21
69
100

sql injection not working

3 Answers3

Some versions of PHP automatically escape everything for you with magic quotes.