I have read various articles suggesting the use of prepared statements in SQL queries, but since the mysql_ lib does not allow executing 2 queries in one statement, is it worth using them if I need to fire a query only once in the execution of the page? In some cases mysql_query also seems to ignore invalid POST data (like 'ADMIN' OR 1--):
$username = $_POST['username'];
$password = $_POST['password'];
mysql_query("SELECT * FROM users WHERE username=$username AND password=$password");
//processing
Now, if anyone passes “username” as
'ADMIN' OR 1--
the above query doesn't fetch the “Admin” row! Is this a feature of mysql_query that ignores the comment after '1' / special chars? How would a SQL injection happen in this case, running MySQL 5.5 and PHP 5.3?
Perhaps 'ADMIN' OR 1-- doesn’t work, but 'ADMIN' OR 'x' = 'y' certainly would, since it would result in this SQL query:

The general lesson: coding for security is hard, because we’re not used to thinking in terms of hostile agents actively seeking to disrupt our code. SQL injection is a solved problem, and the solution is parameterized queries, so you should use that rather than trying to roll your own attempted solution.