I was checking my webpages for SQL Injection, when the main pages didn't responded to it, I created a test script:
<?
$a = $_POST["a"];
$username="...";
$password="...";
$database="...";
mysql_connect ('...',$username,$password);
mysql_select_db($database) or die( "Unable to select database");
$ress=mysql_query("SELECT username FROM userinfo WHERE id='$a'");
$row = mysql_fetch_array($ress);
print $row[0];
?>
<form name="form" action="hackMe.php" method="POST">
<input id="a" name="a" size="150">
<input name="Submit" type="submit" value="Submit">
</form>
But when I try this line:
'; UPDATE userinfo SET email = 'steve@unixwiz.net' WHERE email = 'testusr@gmail.com
I just get an error, and no change in the database.
Any ideas why?
Quote from the manual:
mysql_query() sends a unique query (multiple queries are not supported) to the currently active database on the server that's associated with the specified
Highlighting by me. mysql_query() only allows a single query query per call, the second query behind the ; is ignored.
To test SQL injection you have to use a query that doesn't need a second one to do harm.
Edit:
It IS possible to allow multiple queries, but you have to explicitly state this in the mysql_connect() call.
mysql_connect($host, $username, $password, false, 65536);
// defined by MySQL:
// #define CLIENT_MULTI_STATEMENTS 65536 /* Enable/disable multi-stmt support */