Why doesn't my query work?

My website has this PHP command:

mysql_query("SELECT * FROM users WHERE id=" . $_GET["id"]) or die(mysql_error());

When I enter URL

http://example.com/index.php?id=1;%20UPDATE%20users%20SET%20password=123%20WHERE%20id=1

I get the following error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UPDATE users SET password=abc WHERE id=1' at line 1

But in phpMyAdmin the query executes successfully. What's wrong here? Why doesn't it execute in the browser?

asked 9 January 2011 at 00:01

Uhm, are you trying to SQL inject your own query? This is insanely insecure. -

@yc: Probably just as an experiment or for kicks -

I wrote this website with two other developers, and one of them made this mistake. I want to write him a letter with an example of an injection an attacker could forge, and I want this example to be more than just '1 AND 1=0 UNION SELECT...'. He's a newbie and it'll be good to demonstrate to him how serious this flaw is. -

Erm. I couldn't help but laugh, but I agree roughly with BoltClock -

I cancelled one downvote. For me a demonstration is always a good thing with security. UNION SELECT can be quite demonstrative: do it with the mysql database, list the columns of a specific table in your database; I usually do it to explain why the attacker can guess your tables and columns and build intelligent extraction queries. If your site has bad output filtering you can use UNION SELECT injection to inject HTML or JS code on the result page as well. -

2 Answers

mysql_query() doesn't support multiple queries in a single call (which is what you are trying to inject):

SELECT * FROM users WHERE id=1;
UPDATE users SET password=abc WHERE id=1

Hence the "syntax error".

Now go protect that query.

answered 9 January 2011 at 03:01
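As an added demonstration of which injections do and do not survive a single-statement call (this is not code from the answer above or from the original site), the script below feeds three payloads through the same concatenated query via mysqli::query(), which, like the old mysql_query(), sends exactly one statement; stacked statements are only accepted by mysqli::multi_query(). It assumes a local MySQL server with a database named demo, placeholder credentials, and a three-column users(id, name, password) table; all of those are assumptions, not details from the question.

```php
<?php
// Added example, not code from the original post. Assumptions: a local MySQL
// server with database "demo" (placeholder credentials) containing a table
// users(id INT, name VARCHAR, password VARCHAR), i.e. exactly three columns.
$db = new mysqli('127.0.0.1', 'demo', 'demo', 'demo');
$db->set_charset('utf8mb4');

// The vulnerable pattern from the question, unchanged: the id is concatenated,
// unquoted, straight into the statement. mysqli::query(), like mysql_query(),
// sends a single statement; only multi_query() accepts stacked statements.
function vulnerable_lookup(mysqli $db, $id)
{
    return $db->query("SELECT * FROM users WHERE id=" . $id);
}

$payloads = [
    // Stacked query: the server hits the ';' in the middle of one statement and
    // returns a syntax error, which is exactly what the question observed.
    'stacked'   => '1; UPDATE users SET password=123 WHERE id=1',
    // Tautology: still a single statement, so it runs and returns every user.
    'tautology' => '1 OR 1=1',
    // UNION: a single statement too. The column count (3) must match users; an
    // attacker finds it by probing with ORDER BY n or UNION SELECT NULL,NULL,...
    // This one lists every table and column in the current database.
    'union'     => '0 UNION SELECT table_name, column_name, data_type '
                 . 'FROM information_schema.columns WHERE table_schema = DATABASE()',
];

foreach ($payloads as $name => $id) {
    echo "== $name ==\n";
    $res = vulnerable_lookup($db, $id);
    if ($res === false) {
        echo 'rejected: ' . $db->error . "\n";
        continue;
    }
    while ($row = $res->fetch_row()) {
        echo implode(' | ', $row) . "\n";
    }
    $res->free();
}
```

Run it from the command line with php. The 'stacked' payload is rejected with the same "error in your SQL syntax" message as in the question, while the 'tautology' and 'union' payloads return data: the missing multi-statement support in mysql_query() is an accident of the API, not a defence. Note that PDO's MySQL driver, unlike mysqli::query(), accepts stacked statements by default (controlled by PDO::MYSQL_ATTR_MULTI_STATEMENTS), so the same concatenation under PDO would have executed the UPDATE.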

"mysql_query() sends a unique query (multiple queries are not supported) "

If you're INTENDING to allow MySQL injection like that, mysql_query won't like it. If you aren't, use mysql_real_escape_string($_GET["id"]); to prevent the 'injection'.

answered 9 January 2011 at 03:01
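An added example (not the answerer's code) of the caveat a practitioner would want here: for this particular query the id is concatenated without quotes, so escaping alone does not stop a payload such as 1 OR 1=1, and the robust fixes are an integer cast or, better, a prepared statement with a bound parameter. The script uses mysqli, since ext/mysql has been removed from PHP, and assumes a local database named demo with placeholder credentials and a users(id, name, password) table; those are assumptions, not details from the question.

```php
<?php
// Added example, not the answerer's code. Assumptions: local MySQL database
// "demo" (placeholder credentials) with a table users(id INT, name, password).
$db = new mysqli('127.0.0.1', 'demo', 'demo', 'demo');
$db->set_charset('utf8mb4');

$payload = '1 OR 1=1';   // what an attacker puts in $_GET['id']

// 1. Escaping only. real_escape_string() (same rules as mysql_real_escape_string)
//    rewrites quote, double quote, backslash, NUL, \n, \r and Ctrl-Z. This
//    payload contains none of them, and the original query puts no quotes
//    around the id, so the escaped value is identical and the tautology runs.
function escaped_only(mysqli $db, $id)
{
    $safe = $db->real_escape_string($id);           // === $id, nothing changed
    return $db->query("SELECT * FROM users WHERE id=" . $safe)->num_rows; // every user
}

// 2. Integer cast, fine for a numeric column: (int) '1 OR 1=1' is 1. It does
//    not generalise to string columns, which still need option 3.
function cast_to_int(mysqli $db, $id)
{
    $idInt = (int) $id;
    return $db->query("SELECT * FROM users WHERE id=" . $idInt)->num_rows; // one user
}

// 3. Prepared statement with a bound parameter. The statement text reaches the
//    server before the value does, so the value can never be parsed as SQL.
//    This is the fix to recommend regardless of column type.
function prepared(mysqli $db, $id)
{
    $stmt = $db->prepare('SELECT * FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);                    // 'i' also coerces to integer
    $stmt->execute();
    $rows = $stmt->get_result()->num_rows;          // get_result() needs mysqlnd
    $stmt->close();
    return $rows;
}

var_dump($db->real_escape_string($payload) === $payload);   // bool(true)
printf("escaped only: %d rows\n", escaped_only($db, $payload));
printf("cast to int:  %d rows\n", cast_to_int($db, $payload));
printf("prepared:     %d rows\n", prepared($db, $payload));
```

Escaping functions only protect values that sit inside quotes in the statement; the question's query has none, which is why the first variant still returns the whole table while the other two return at most the single row for id=1.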
