I have the following code in a client supplied block:
$user = $_POST['user'];                                    // untrusted request input, used as-is
$sql = "SELECT * FROM users WHERE user = '" . $user . "'"; // spliced straight into the SQL text
$dbh->query($sql);
Also, this code doesn’t echo anything out to the screen currently, so it doesn’t help me if I select multiple users. That doesn’t visually show the client anything.
It’s obvious to me that this is prone to injection, but I can’t find a way to show the client how this would work. I tried dropping the table, but the ->query() seems to only allow one statement at a time.
Here’s what I’ve tried so far:
' OR 1=1; DROP TABLE users; SELECT * FROM users WHERE 1='1 but that doesn’t work.
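The following is an added example, not code from the original question or its author: it puts the client's concatenated query next to a parameterised version of the same lookup and runs both against an in-memory SQLite table, so the difference can be shown without touching the client's real database. The table, the three sample rows and the helper names (makeDb, lookupConcatenated, lookupPrepared) are constructed for this demonstration; it assumes PHP with the pdo_sqlite extension.

```php
<?php
// Added example (not from the original question): the concatenated query from
// the post beside a prepared-statement version, run on a constructed SQLite
// table. Requires the pdo_sqlite extension.

function makeDb(): PDO
{
    $dbh = new PDO('sqlite::memory:');
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT NOT NULL)');
    $ins = $dbh->prepare('INSERT INTO users (user) VALUES (?)');
    foreach (['alice', 'bob', 'carol'] as $name) { // constructed sample rows
        $ins->execute([$name]);
    }
    return $dbh;
}

// The pattern from the question: the input is spliced into the SQL text, so a
// quote character in $user changes the structure of the statement itself.
function lookupConcatenated(PDO $dbh, string $user): array
{
    $sql = "SELECT * FROM users WHERE user = '" . $user . "'";
    return $dbh->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The fix: the statement is compiled first and the value is bound afterwards,
// so $user is only ever compared as data and is never parsed as SQL.
function lookupPrepared(PDO $dbh, string $user): array
{
    $stmt = $dbh->prepare('SELECT * FROM users WHERE user = ?');
    $stmt->execute([$user]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$dbh   = makeDb();
$input = "' OR '1'='1"; // the tautology already quoted in the question

// Concatenated: the WHERE clause becomes  user = '' OR '1'='1'  and matches every row.
printf("concatenated: %d rows\n", count(lookupConcatenated($dbh, $input)));

// Prepared: no row is literally named "' OR '1'='1", so nothing matches.
printf("prepared:     %d rows\n", count(lookupPrepared($dbh, $input)));

// A legitimate value behaves the same under both, which is the point of the fix.
printf("prepared, bob: %d rows\n", count(lookupPrepared($dbh, 'bob')));
```

Run with `php example.php`: the concatenated lookup returns every row of the table for the tautology input while the prepared lookup returns none, and a genuine username like `bob` returns its single row either way. Fetching and counting the rows is what makes the effect visible; the original `$dbh->query($sql)` discards its result, which is why the client sees nothing on screen.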
You didn’t really do enough to vet your database query. The method (without echoes) in your script is called blind injection, and it is still very possible to achieve takeover or inject.
Try using an automatic SQL injection tool, such as SqlMap. You’ll be surprised at the results with your query. You can also try some examples from unixwiz against your query. While those are pretty specific to his target, the overall theory and proof behind it is sound.