Thread Options MariaDB Sql Injection syntax to use near

Asked Mar 31 '17 at 18:32

Active Mar 31 '17 at 18:32

Viewed 514 times

I have tried sql injection my script. I have a problem in ezSQL.

Original query

$dbo->get_var("SELECT COUNT(*) FROM table WHERE id = '1'");

Injected Query

$dbo->get_var("SELECT COUNT(*) FROM table WHERE id = '1'; SELECT * FROM table -- -'");

Error

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'SELECT * FROM table -- -' at line 1

But,

This Sql Query works phpmyadmin SQL Command successfully. I dont understand this. Why sql code doesnt work in ezsql query? Please help me.

asked Mar 31 '17 at 18:32

Mehmet Ekici

3

ezsql has an escape method, but frankly, if it doesn't have an easy way to parameterize queries, then don't use it. Use PDO or mysqli instead. – aynber Mar 31 '17 at 18:35
Probably it doesn't let you send more than one query at a time. Most PHP API's wont. – miken32 Mar 31 '17 at 18:42
So in this case, sql injection not able ? – Mehmet Ekici Mar 31 '17 at 18:50
Sure it is. Just not like this. – Michael - sqlbot Apr 01 '17 at 04:45
So, does it have any way to sql injection? – Mehmet Ekici Apr 01 '17 at 09:43

Thread Options MariaDB Sql Injection syntax to use near

0 Answers0