```
bob'); drop table students; --
```

In PHP, this will fail:

```php
mysql_query("statement1;statement2;");
```

There can be only one statement, so I really doubt how the above injection can actually work at all.
Not sure if this will work, but try using // as your separator instead of ;, e.g.,

```
bob')// drop table students// --
```
There is info on submitting multiple statements using the multi_query statement from PHP here.
Well, it doesn't work in MySQL, but there are other things that can be done with SQL injection.

Consider this:

```php
$sql = "SELECT * FROM users WHERE username = '$username' AND passwd = '$password'";
// run the query, check if the user exists, let them in, etc
```

If you write this into the username field:

```
admin' --
```

it becomes:

```sql
SELECT * FROM users WHERE username = 'admin' -- AND passwd = 'whatever'
```

There's also the possibility of denial-of-service attacks, where they structure the input so that the query takes a very long time to complete, hogging all the resources on your server.

```
// input:
admin' AND id IN (SELECT u1.id FROM users u1, users u2, users u3, users u4)
```

If you had 1000 users in your system, that subquery would be trying to return 1,000,000,000,000 records.
That kind of injection will work if the code is using the mysqli library as it does allow for multiple queries to be run at once.
It's just a cartoon!
You're right, multi-query does not work by default, and it's not supported at all by the plain mysql extension in PHP.
More subtle SQL injection exploits exist, but then the comic wouldn't be as funny, would it?