I have this code:
if(isset($_POST['submit'])) {
$name = $_POST['name'];
$query = mysqli_query($conn, "select name from accounts where name = '{$name}'");
if($query) {
echo "success";
} else {
echo "error";
}
}
?>
<form action="" method="post">
Name: <input type="text" name="name"><br><br>
<input type="submit" name="submit" value="Add">
</form>
And I have written this in the form and submitted, only return (error), and the table was not deleted.
2
Answers
For example, if you will send like such request:
For reason request encoding, you can use + sign instead of spaces.
I am writing an example with PHP simulate
$name
argument:For mysqli, multiple statements or multi queries must be executed with mysqli::multi_query()
So change
to
then retry what you want in
your own machine
.Of course, usually hacker will just gain privilege by logging as "admin" and then do whatever he/she wants (in that case just performing single query in a select statement thru a SQL attack will do and do not need to execute multi-queries)
[additional point]
For single query SQL attack, submit the following:
1}' or 1=1 or '{1=1
which will become:
or
1}' or name='admin' or '{1=1
which will become:
Hence, to avoid SQL attacks, please use parameterized prepared statements.
For details, you may refer to :
php mysqli prepared statements select