
There is a table named queries in my dummy database which has name, email, phone, message, and region. And there is a contact form in the UI which directly inserts the data into the queries table without validating or sanitizing anything. So I was performing some SQL injection on the form by adding a','b','c','d','e'); DELETE FROM users; -- to one of the fields, but it is not successful and I am getting the error below:

Error:

Error: INSERT INTO queries (name,email,phone,message,region) VALUES('a','b','c','d','e'); DELETE FROM users; --','sdas','1234567890','fsfdsf','home')
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'DELETE FROM users; --','sdas','1234567890','fsfdsf','home')' at line 1

UI - Contact form [screenshot]

The SQL query in the error message seems okay to me and I couldn't understand why it is giving the syntax error. Maybe because the query is followed by a comment?

Could someone please have a look and help me if I am missing anything?

Thank you.

  • Use parameters and then you won't have injection problems. You don't need to sanitize or validate anything, just separate code and data. Commented Jul 2, 2023 at 10:53
  • @Charlieface, I am doing it intentionally to understand how it can be exploited (just for learning purposes). Commented Jul 2, 2023 at 12:17
  • SQL is not the problem. Show us the application code that is executing the SQL. Commented Jul 2, 2023 at 17:14
  • @RickJames, the application code is written in PHP and it is a simple insert with $conn->query($sql). Please let me know if you need more details. Commented Jul 3, 2023 at 1:59
  • @ArpitJain - Do you escape parameters typed in by users? Or using "binding" to avoid "SQL Injection"? Commented Jul 3, 2023 at 2:50

1 Answer


Do not try to run two commands in the same PHP $conn->query(). That permits only one SQL statement at a time.

  • +1 Is there any other way you think the insert statement can be exploited with a single SQL statement? Commented Jul 3, 2023 at 3:43
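Added example (not code from the question or the answer): the contact-form insert as the question describes it, beside the parameterised version the first comment recommends. It assumes a mysqli connection $conn and the queries(name,email,phone,message,region) table from the question; the function names and credentials are hypothetical placeholders.

```php
<?php
// Added example, not the asker's code. Assumes a mysqli connection $conn
// and the queries table from the question; function names are hypothetical.

declare(strict_types=1);

// Vulnerable form: user input is spliced straight into the SQL text.
// $conn->query() sends exactly one statement to the server, which is why the
// stacked "; DELETE FROM users; --" attempt in the question ends in a syntax
// error. That limit is not a defence: the input still rewrites the statement.
function insertQueryUnsafe(mysqli $conn, array $form): bool
{
    $sql = "INSERT INTO queries (name,email,phone,message,region) VALUES('"
        . $form['name'] . "','" . $form['email'] . "','" . $form['phone']
        . "','" . $form['message'] . "','" . $form['region'] . "')";
    return (bool) $conn->query($sql);
}

// Parameterised form: the SQL text is fixed at prepare time, the values are
// sent separately and are never parsed as SQL, so nothing needs quoting,
// escaping or sanitising. This is the fix the first comment refers to.
function insertQuerySafe(mysqli $conn, array $form): bool
{
    $stmt = $conn->prepare(
        'INSERT INTO queries (name,email,phone,message,region) VALUES (?,?,?,?,?)'
    );
    $stmt->bind_param(
        'sssss',
        $form['name'], $form['email'], $form['phone'],
        $form['message'], $form['region']
    );
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage with constructed input mirroring the question's attempt. With the
// parameterised insert the whole string is stored literally in the name
// column and no second statement is ever seen by the server.
$form = [
    'name'    => "a','b','c','d','e'); DELETE FROM users; --",
    'email'   => 'sdas',
    'phone'   => '1234567890',
    'message' => 'fsfdsf',
    'region'  => 'home',
];
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // surface SQL errors as exceptions
$conn = new mysqli('localhost', 'db_user', 'db_password', 'dummy'); // placeholder credentials
$conn->set_charset('utf8mb4');
insertQuerySafe($conn, $form);
```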
