SQL Error

Questions about programming languages and debugging

Post by ayu »

Ok so, I wrote everything down really nice before in a post, but the filter didn't like it so it removed everything ... ain't that a bitch?!

So, fuck it ... I'll give you a quick summary of my problem -.-

I'm playing with an SQL injection on my server.

This is the URL with the injection:

Code:

http://127.0.0.1/phpnews_1-3-0/news.php?catid=1&prevnext=1,8; SELECT * FROM phpnews_posters; --

This is what it ends up like:

Code:

SELECT n.id,n.posterid,n.postername,n.time,n.subject,n.titletext,n.maintext,n.catid,n.views,p.username,p.email,p.avatar,c.catname,c.caticon FROM phpnews_news AS n LEFT JOIN phpnews_posters AS p ON(n.posterid=p.id) LEFT JOIN phpnews_categories AS c ON(n.catid=c.id) WHERE n.trusted = 1 ORDER by n.id DESC LIMIT 1,8; SELECT * FROM phpnews_posters; -- , 8


You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'SELECT * FROM phpnews_posters; -- , 8' at line 1

If I use the SQL from above in the mysql command prompt, it works just fine. What am I doing wrong here?
"The best place to hide a tree, is in a forest"


Post by leetnigga »

http://php.net/manual/en/function.mysql-query.php

Code:

mysql_query() sends a unique query (multiple queries are not supported)

Code:

The query string should not end with a semicolon.
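
The behaviour quoted above, as an added example that is not part of the original thread: Python's sqlite3 `execute()` stands in for `mysql_query()` (an assumption; both accept one statement per call) over a constructed two-table schema. It also shows the `prevnext` value being validated and bound rather than concatenated after LIMIT; the function names are hypothetical.

```python
import sqlite3

# Constructed sample value: the prevnext parameter from the URL in the first post.
PAYLOAD = "1,8; SELECT * FROM phpnews_posters; -- "
BASE = "SELECT id, subject FROM phpnews_news ORDER BY id DESC LIMIT "

def make_db():
    """Constructed stand-in for two phpnews tables (SQLite instead of MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE phpnews_news (id INTEGER PRIMARY KEY, subject TEXT)")
    db.execute("CREATE TABLE phpnews_posters (id INTEGER PRIMARY KEY, username TEXT)")
    db.executemany("INSERT INTO phpnews_news (subject) VALUES (?)",
                   [(f"post {i}",) for i in range(1, 11)])
    db.execute("INSERT INTO phpnews_posters (username) VALUES ('admin')")
    return db

def list_news_concat(db, prevnext):
    """'Before' form: the raw parameter is pasted after LIMIT, as in the thread."""
    return db.execute(BASE + prevnext + ", 8").fetchall()

def list_news_safe(db, prevnext, page_size=8):
    """Hardened form: accept only a short run of ASCII digits, then bind it."""
    if not (prevnext.isascii() and prevnext.isdigit() and len(prevnext) <= 9):
        raise ValueError("prevnext must be a non-negative integer")
    return db.execute(BASE + "?, ?", (int(prevnext), page_size)).fetchall()

def try_query(fn, db, value):
    """Report whether the value was served, refused by the driver, or rejected."""
    try:
        return ("ok", fn(db, value))
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # A single-statement API refuses the second statement after the ';'.
        return ("driver refused", str(exc))
    except ValueError as exc:
        # Validation stops the value before it reaches the SQL parser at all.
        return ("rejected", str(exc))

if __name__ == "__main__":
    db = make_db()
    for fn in (list_news_concat, list_news_safe):
        for value in ("1", PAYLOAD):
            status, detail = try_query(fn, db, value)
            print(f"{fn.__name__:17} {value!r:45} -> {status}: {detail}")
```

In the concatenating form the only thing that stops the second statement is the driver's one-statement rule; in the bound form the value never becomes part of the SQL text.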

Post by ayu »

Thanks, didn't think about that ](*,)
"The best place to hide a tree, is in a forest"
