Can a mysqli injection affect the PHP script?
So I have finished creating a database and I use PHP to insert data into it. I have been trying SQL injection attacks and other things to see if it is secure; since I am no expert, I am hoping to check that I have done it the secure, correct way.
I have this form (names/variables have been modified); when the submit button is pressed, the function insert() runs:
    <form action="" method="post">
        var1: <input type="text" name="var1"><br>
        var2: <input type="text" name="var2"><br>
        <input type="submit" value="submit">
    </form>

    <?php
    function insert() {
        // host, user, password, database name (placeholders)
        $connect = mysqli_connect("localhost", "user", "user", "table");
        $var1 = $_POST['var1'];
        $var2 = $_POST['var2'];
        // user input is interpolated straight into the SQL string
        mysqli_query($connect, "INSERT INTO table_name (var1, var2) VALUES ('$var1', '$var2');");
    }

    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        insert();
    }
    ?>
and I can't seem to inject the form. It has var1 and var2, and I tried this:
    $var2 = '); drop table test --
and several variants of it.
From looking around I have found that mysqli_query only accepts 1 query, which is why it is not working. Correct me if I am wrong.
My other idea was affecting the PHP script while it is running, by injecting the form with this:
    $var2 = "'); "); mysqli_query($connect, "drop table test"); //
Question: can this type of thing happen? Can it affect the PHP function through the $_POST method while it runs? I have looked around and can't find anything. Is that because it can't?
Any research papers, articles, etc. I can have a look at would be appreciated, even if I am asking the obvious :)
Edit: adding prepared statements makes it secure.
SQL injections use commands like UNION to run multiple queries at once at a vulnerable place. Your form is vulnerable, because you are using neither any sort of escaping nor prepared statements. If $var2 contains, for example, hi'), it escapes the brackets and opens a vulnerability. If $_POST['value'] is inserted directly into the database, it opens an XSS vulnerability.
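To make the answer concrete, here is an added PHP example (not code from the question or the answer). The first function builds the INSERT exactly the way the interpolated query does, so you can see what an input like hi') turns it into without needing a database; the second does the same insert with a mysqli prepared statement, where the values are bound as data and never parsed as SQL; the third escapes a stored value for HTML output, which is the XSS half of the answer. The table name test_table, the DB_* environment variables and the credentials are assumptions.

```php
<?php
// Added example; not the question's or the answer's code.
// Assumes a MySQL server reachable with the DB_* settings below and a table
// `test_table` (assumed name) with two VARCHAR columns var1 and var2.

declare(strict_types=1);

/**
 * Build the query the way the vulnerable snippet does: plain string
 * interpolation. Returned as text so the effect of the input can be inspected.
 */
function build_unsafe_insert(string $var1, string $var2): string
{
    return "INSERT INTO test_table (var1, var2) VALUES ('$var1', '$var2');";
}

/**
 * Safe version: the statement goes to the server with ? placeholders and the
 * values are bound separately, so a quote or a DROP inside them is just data.
 */
function safe_insert(mysqli $connect, string $var1, string $var2): bool
{
    $stmt = $connect->prepare("INSERT INTO test_table (var1, var2) VALUES (?, ?)");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $connect->error);
    }
    $stmt->bind_param("ss", $var1, $var2);   // "ss" = two string parameters
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

/**
 * Output escaping for the XSS point: a stored value is HTML-encoded before it
 * is echoed back into a page, so <script> or an attribute quote cannot break out.
 */
function render_value(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs. Note that every value stays inside a PHP string: it is
// never parsed as PHP, so it can only ever influence the SQL text (and with
// mysqli_query, only as part of a single statement; mysqli_multi_query is
// the call that would accept several).
$inputs = [
    ["hello", "world"],
    ["hello", "hi')"],                       // the answer's example: SQL syntax error
    ["hello", "x'); DROP TABLE test; --"],   // extra statement appended to the text
    ["hello", "<script>alert(1)</script>"],  // harmless in SQL, dangerous when echoed raw
];

foreach ($inputs as [$a, $b]) {
    echo build_unsafe_insert($a, $b), PHP_EOL;   // see how the unsafe SQL looks
    echo "  rendered: ", render_value($b), PHP_EOL;
}

// Run the parameterised insert only when a server is configured.
$host = getenv('DB_HOST');
if ($host !== false) {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently
    $connect = new mysqli(
        $host,
        getenv('DB_USER') ?: 'user',
        getenv('DB_PASS') ?: 'user',
        getenv('DB_NAME') ?: 'test'
    );
    foreach ($inputs as [$a, $b]) {
        // each $b is stored literally, quote and DROP text included
        safe_insert($connect, $a, $b);
    }
    $connect->close();
}
```

Running the script without DB_HOST set just prints the four interpolated statements; the hi') row shows the broken VALUES clause the answer describes, and the DROP row shows why prepared statements, not the single-statement limit of mysqli_query, are the thing to rely on.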