Why is my SQL injection, which I am trying to practice on, not working?
$sql = "INSERT INTO animals VALUES ('', '{$string}', 'rover')";
I have an input box where I put the following:
', ''); drop table dropme; --
and that is swapped for the injection code.
However, the SQL fails. But when I process the following statement in phpMyAdmin, it does work.
INSERT INTO animals VALUES ('',' ', ''); drop table dropme; -- ','rover')";
How can this be? Is my browser automatically escaping it for me?
None of the PHP/MySQL interfaces allow you to execute more than one statement at once. This type of SQL injection is not possible in PHP.
When you execute it in phpMyAdmin, it splits your string up into separate queries and executes them one at a time.
The type of SQL injection that is possible in PHP is stuff like this:
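Added example, not part of the original question or answer: the question's interpolated INSERT beside a parameterized version, a fix that does not depend on how the driver handles stacked statements. Assumptions: PDO with an in-memory SQLite database stands in for MySQL so the script runs offline, and the column names `id`, `name`, `owner` are hypothetical.

```php
<?php
// Added example; not code from the question or the answer.
// Assumption: SQLite in-memory via PDO replaces MySQL so this runs offline.
// Assumption: column names (id, name, owner) are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE animals (id TEXT, name TEXT, owner TEXT)');
$pdo->exec('CREATE TABLE dropme (x TEXT)');

// The input from the question, exactly as typed into the form field.
$string = "', ''); drop table dropme; --";

// Pattern from the question: the input becomes part of the SQL text,
// so its quote and parenthesis close the VALUES list early.
// Built here only to display the resulting text; it is never executed.
$unsafe = "INSERT INTO animals VALUES ('', '{$string}', 'rover')";
echo "Interpolated SQL: $unsafe\n";

// Hardened form: the SQL text is fixed and the input travels as a bound
// value, so the database never parses it as SQL.
$stmt = $pdo->prepare('INSERT INTO animals (id, name, owner) VALUES (?, ?, ?)');
$stmt->execute(['', $string, 'rover']);

// Read back what was stored and confirm the second table is untouched.
$row = $pdo->query('SELECT name, owner FROM animals')->fetch(PDO::FETCH_ASSOC);
$exists = $pdo->query(
    "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = 'dropme'"
)->fetchColumn();

echo "Stored name:  {$row['name']}\n";
echo "Stored owner: {$row['owner']}\n";
echo 'dropme exists: ' . ($exists ? 'yes' : 'no') . "\n";
```

With the bound parameter, the whole input is stored verbatim in the `name` column, `owner` stays `rover`, and `dropme` still exists.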