My website has this PHP command:
mysql_query("SELECT * FROM users WHERE id=" . $_GET["id"]) or die(mysql_error());
When I enter the URL
I get the following error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UPDATE users SET password=abc WHERE id=1' at line 1
But in phpMyAdmin the query executes successfully. What's wrong here? Why doesn't it execute in the browser?
asked on January 9, 2011 at 00:01
mysql_query() doesn't support multiple queries in a single call (which you are trying to inject):
SELECT * FROM users WHERE id=1; UPDATE users SET password=abc WHERE id=1
Hence the "syntax error".
Now go protect that query.
"mysql_query() sends a unique query (multiple queries are not supported)"
If you're INTENDING to allow MySQL injection like that, mysql_query won't like it. If you aren't,
use mysql_real_escape_string($_GET["id"]); to prevent the 'injection'.
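Added example, not code from the question or from any of the answers above. It illustrates two points the answers make: the first answer's observation that the legacy mysql_query() rejects the stacked UPDATE, and the last answer's suggestion to escape the input. The script builds the asker's query from constructed attacker inputs and compares the posted form, an escaped-only form, an integer-checked form and a prepared-statement form. Table and column names (users, id) come from the question; the database credentials at the end are placeholders, and addslashes() is used as a stand-in for mysql_real_escape_string() so the comparison runs without a database connection (both only escape quotes, NUL and backslashes).

```php
<?php
// Added example; it is not code from the question or the answers.
// Assumes the asker's schema: a table "users" with an integer "id" column.

// Constructed attacker inputs, as they would arrive in $_GET["id"].
// The first is the stacked query from the question. The second needs no
// second statement at all, which is why the "syntax error" from
// mysql_query() is an accident of the API, not a protection: the same
// payload run through mysqli::multi_query() would execute both statements.
$stacked   = "1; UPDATE users SET password=abc WHERE id=1";
$tautology = "1 OR 1=1";

// The query as posted: string concatenation, no quoting, no type check.
function buildVulnerable(string $id): string
{
    return "SELECT * FROM users WHERE id=" . $id;
}

// Escaping only, as the last answer suggests. addslashes() stands in for
// mysql_real_escape_string(). Neither payload contains a quote or a
// backslash, and the value is not inside quotes in the SQL, so the
// resulting query text is identical to the vulnerable one.
function buildEscapedOnly(string $id): string
{
    return "SELECT * FROM users WHERE id=" . addslashes($id);
}

// Hardened form A: the column is numeric, so reject anything that is not
// a run of digits and concatenate an int, which cannot carry SQL.
function buildWithIntCheck(string $id): string
{
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException("id must be a non-negative integer");
    }
    return "SELECT * FROM users WHERE id=" . (int) $id;
}

// Hardened form B: a prepared statement. The parameter travels separately
// from the SQL text and is never parsed as SQL. This is the fix to prefer;
// it also protects string columns, where an integer cast is not an option.
// Needs a live mysqli connection (and mysqlnd for get_result()), so it is
// defined here but only shown being called in the comment at the bottom.
function fetchUserPrepared(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare("SELECT * FROM users WHERE id = ?");
    $stmt->bind_param("i", $id);   // "i": bound as an integer parameter
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row === false ? null : $row;
}

foreach ([$stacked, $tautology] as $input) {
    echo "input:        $input\n";
    echo "vulnerable:   ", buildVulnerable($input), "\n";
    echo "escaped only: ", buildEscapedOnly($input), "\n";
    try {
        echo "int-checked:  ", buildWithIntCheck($input), "\n";
    } catch (InvalidArgumentException $e) {
        echo "int-checked:  rejected (", $e->getMessage(), ")\n";
    }
    echo "\n";
}

// Using the prepared-statement form in the page's handler (placeholder
// credentials; the ctype_digit() check keeps the cast from silently
// turning "1; UPDATE ..." into 1):
// $raw = $_GET["id"] ?? "";
// if (!ctype_digit($raw)) { http_response_code(400); exit; }
// $db = new mysqli("localhost", "app_user", "app_password", "app_db");
// var_dump(fetchUserPrepared($db, (int) $raw));
```

Running the script prints the same query text for the "vulnerable" and "escaped only" lines for both inputs, and "rejected" for the int-checked line, which is the practical point: for an unquoted numeric value, escaping changes nothing, while a type check or a bound parameter closes the hole.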