I'm trying to do this query in order to test for injection. Where is the error in my query?
<?php
$query= "SELECT * FROM login where email = '1' or '1' = '1' limit 1;/*' and password = '1e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855223'";
$result = mysqli_query($connection,$query) or die(mysqli_error($connection));
?>
The result error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/*' and password = '1e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b785' at line 1
If I do the query inside mysql workbench it works fine, but when placed in mysqli it gives the error.
Thanks for your help and down count. The simple answer is to use # instead of /*.
Bye
MySQL supports /* ... */ style comment syntax, but you need to use the closing part. Since you're trying SQL injection, you don't typically have an opportunity to modify the SQL query except at one point. So you can't also append the */ closing part of the comment to the end of the query as well.
Example: you would need to add the closing comment syntax at the end, shown below, but because you're only using SQL injection on the $email variable, you can't do that.

WHERE email = '1' or '1' = '1' limit 1;/*' and password = ... */
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^
MySQL also supports ANSI SQL comment syntax, which is a single -- preceding the rest of the line. All of what follows -- will be ignored, and there's no closing syntax for this type of comment.

WHERE email = '1' or '1' = '1' limit 1;--' and password = ...
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^
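The comment tricks above only work because the question's query is built by string concatenation. As an added example (not code from the question or either answer), here is the same lookup written with a mysqli prepared statement, which is what should replace the concatenated query once the injection test is done. It assumes the question's `login` table with `email` and `password` columns and an already opened mysqli `$connection`; the payload string and the hash value are constructed test inputs.

```php
<?php
// Added example, not from the original post. With string concatenation an
// $email value such as   1' or '1'='1' limit 1;#   rewrites the statement and
// the "and password = ..." part is swallowed by the comment. A prepared
// statement sends the SQL text and the values separately, so the parser never
// sees the quote or the comment marker as syntax: they are just data.

function find_login_vulnerable(mysqli $connection, string $email, string $password_hash): ?array
{
    // Same shape as the query in the question: input spliced into the SQL text.
    $query = "SELECT * FROM login WHERE email = '$email' AND password = '$password_hash' LIMIT 1";
    $result = mysqli_query($connection, $query);
    return $result ? (mysqli_fetch_assoc($result) ?: null) : null;
}

function find_login_safe(mysqli $connection, string $email, string $password_hash): ?array
{
    // Hardened: placeholders instead of interpolation. Assumes mysqlnd
    // (needed for mysqli_stmt_get_result), which is the default build.
    $stmt = mysqli_prepare(
        $connection,
        "SELECT * FROM login WHERE email = ? AND password = ? LIMIT 1"
    );
    if ($stmt === false) {
        throw new RuntimeException(mysqli_error($connection));
    }
    mysqli_stmt_bind_param($stmt, "ss", $email, $password_hash);
    mysqli_stmt_execute($stmt);
    $res = mysqli_stmt_get_result($stmt);
    $row = $res ? mysqli_fetch_assoc($res) : null;
    mysqli_stmt_close($stmt);
    return $row ?: null;
}

// Constructed test input taken from the question's payload. For the vulnerable
// function the SQL becomes
//   ... WHERE email = '1' or '1'='1' limit 1;#' AND password = '...' LIMIT 1
// and the password check is gone. The safe function looks for a row whose
// email column literally equals the whole string and finds none.
$email = "1' or '1'='1' limit 1;#";
$hash  = "constructed-hash-placeholder";
var_dump(find_login_safe($connection, $email, $hash));   // NULL: no such email
```

Keeping the password hash comparison inside SQL mirrors the question's schema; the point here is only that the binding removes the input from the parsed statement.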
You can't enter a where clause (and password = [...]) after a limit clause. limit needs to be at the end of your query.