can a mysqli injection affect the php script -


so have finished creating database , use php insert data it, have been trying sql injection attacks , other things see if secure, since no expert hoping check have done secure , correct way go about.

i have this(names/variables have been modified) form , when submit button pressed, function insert() runs

<form action="" method="post">   var1: <input type="text" name="var1"><br>   var2: <input type="text" name="var2"><br>  <input type="submit" value="submit"> </form>  <php? function insert() { $connect = mysqli_connect("localhost","user","user","table"); $var1 = $_post['var1']; $var2 = $_post['var2']; mysqli_query($connect, "insert column_name (var1, var2) values ( '$var1','$var2'); "); } ?> 

and can't seem inject form has var1 , var2 this

$var2 = '): drop table test --and several variants of 

from looking around have found mysqli_query accept 1 query why not working. correct me if wrong.

my other idea affecting php script running, injecting form this

$var2 = "'); "); mysqli_query($connect,"drop table test");// 

question: can type of thing happen? can affect php function through $post method while runs? have looked around , can't find anything. because can't?

any research papers, articles, etc. can have @ if asking obvious appreciated :)

edit: adding prepared statements make secure

sql injections use commands union run multiple queries @ once @ vulnerable place. form vulnerable, because either not using sort of escaping, nor prepared statements. if $var2 contain example hi')? escape brackets , open vulnerability. if $_post['value'] , insert directly in database, opens xss vulnerability.


Comments

Popular posts from this blog

Payment information shows nothing in one page checkout page magento -

tcpdump - How to check if server received packet (acknowledged) -