SQL Injection using PHP multi_query to DROP TABLE

Question

I am trying to drop a table within a database using SQL injection through PHP.

The PHP code submits a form to the Database with the following command and multi_query($sql):

$sql = "INSERT INTO Student (StdNumber, FName, LName, DOB, PhoneNumber) 
VALUES ('$input1', '$input2', '$input3', '$input4', '$input5')";

So I thought, I can SQL Inject input5. So I use:

');"; $sql .= "DROP TABLE IF EXISTS Student;";-- -

This closes the previous sql statement, then I start another statement with 'sql .=' and then I comment off the rest of it with -- -

However the table isn't dropping. I am not seeing my injection command within input5 (PhoneNumber) in the database, so it is successfully closing the previous statement I would believe.

So I am not sure what is wrong, am I using multi_query incorrectly? or is my injection incorrect?

Thank you

Edit 1: Additionally, when I submit the form it accepts it and makes another entry into the database.

Answer 1

You are trying to manipulate the sql that is generated by the php, not the php itself.

So you should not add php to your 5th input:

');"; $sql .= "DROP TABLE IF EXISTS Student;";-- -

should be something like:

1234567890'); DROP TABLE IF EXISTS Student; -- the rest here will be comments in sql