I was trying to check a web site for an SQL injection attack and was amazed to see that it is not very, very simple to prevent, because below is the simple code.

```php
$sql="select * from user_acount where login_id='".$username."' and password='".$password."' and status='1' ";
```

I cannot do any SQL injection to test it. I wrote the following:
1st attempt to check SQL injection:
Login: admin'--
Password: 'i typed nothing here'
Result: Wrong password, you cannot login.

2nd:
Login: admin or 1=1 --'
Password: ''
Result: Wrong password, you cannot login.

3rd:
Login: admin' or 1=1
Password: ''

4th:
Login: admin or 1=1'--
Password: ''
Result: Wrong password, you cannot login.
Can anyone please explain what is stopping me? I am not using prepared statements, nor am I using any filter class, and neither do I have real_escape_string.
Two possibilities:

1. There is no login_id with admin, therefore the query looks like:

```sql
select * from user_acount where login_id='admin'
```

2. magic_quotes have been enabled, resulting in queries like:

```sql
select * from user_acount where login_id='admin\'--' and password='' and status='1'
select * from user_acount where login_id='admin or 1=1 --\'' and password='' and status='1'
```

The last query will always fail, even if magic quotes were turned off:

```sql
select * from user_acount where login_id='admin or 1=1 --'' and password='' and status='1'
```

Because -- comments within strings do not work, the query is interpreted like:

```sql
select * from user_acount where login_id='STRING'' and password='' and status='1'
```

As you can see, this will result in a syntax error after 'STRING'.
$_REQUEST['username'] or related instead of $username).

admin'-- from being stored in $username (e.g. form element names do not match variable names).

You are entering a password which includes quotes. This breaks your SQL query, and presumably the code does not distinguish between an error and a legitimate "no such user" result, so you get the wrong password message.

Try leaving the password blank.
You don't actually call the real_escape_string() method, but I think magic_quotes_gpc is set to true.

When magic_quotes are on, all ' (single quote), " (double quote), \ (backslash) and NULs are escaped with a backslash automatically.
Have you tried with:
Login: admin' or '1=1
Password: admin' or '1=1

Also check whether magic quotes are turned on.