ming

Reputation: 19

SQL Injection attack - the use of mysqli_multi_query()

I am learning mysql now and one of the subjects it touches is the security issue when dealing with user input - one concern is the injection attack. I tried to duplicate the attack the book demonstrated, like adding a query $query = "select * from temp_table; drop table temp_table", which I used with mysqli_query($connection,$query). Nothing happened. I changed to use mysqli_multi_query() and found it executed both statements. Finally I found that mysqli_query only runs one query each time.

My question is: if I use mysqli_query, theoretically speaking, the system shouldn't have to worry about additional-statement injection attacks? Or is there still some other way that users can run an additional statement even when the server is using mysqli_query?

Upvotes: 0

Views: 615

Answers (1)

Bill Karwin

Reputation: 562250

It's true that the basic mysqli_query() will only run one statement. So you don't have to worry that an SQL injection attack will trick your application into running multiple statements.

But one statement can include a subquery, or a SELECT... UNION SELECT....

One statement can read data it isn't intended to read. Or cause a huge sort that is intended to overwhelm your server as a denial-of-service attack.

Or it can simply be an error, not a malicious attack at all.

SELECT * FROM Users WHERE last_name = 'O'Reilly'; -- woops!

The solutions to SQL injection are pretty simple, and easy to follow. I don't understand why so many developers look for excuses not to write safe code.

Upvotes: 3
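The situation the answer describes, as an added example that is not part of the original post and not mysqli code: Python's sqlite3 module stands in for PHP/mysqli here because its execute() likewise refuses to run more than one statement per call, so a stacked "; DROP TABLE" payload is blocked while the single statement itself stays injectable. The users table, the api_token column and the lookup_unsafe/lookup_safe function names are constructed for this demo and are not from the page.

```python
import sqlite3

# Added example, not code from the original post. sqlite3.execute() runs
# exactly one statement per call, which mirrors mysqli_query(); the point
# shown is that this alone does not stop SQL injection.


def make_db():
    """Constructed sample data: a lookup table plus a column (api_token)
    that the last-name lookup must never expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, last_name TEXT, api_token TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "Smith", "tok-alpha"), (2, "O'Reilly", "tok-bravo")],
    )
    return conn


def lookup_unsafe(conn, last_name):
    """String concatenation: the same mistake as
    mysqli_query($c, "SELECT ... WHERE last_name = '$name'")."""
    sql = "SELECT id, last_name FROM users WHERE last_name = '" + last_name + "'"
    try:
        return conn.execute(sql).fetchall()
    except (sqlite3.ProgrammingError, sqlite3.Warning) as e:
        # A second statement was stacked on: the driver refuses the call
        # (older Pythons raised sqlite3.Warning here, newer ProgrammingError).
        return "refused: " + str(e)
    except sqlite3.OperationalError as e:
        # Not an attack at all, just broken SQL, e.g. an unescaped apostrophe.
        return "error: " + str(e)


def lookup_safe(conn, last_name):
    """Parameterised query: the counterpart of a mysqli prepared statement.
    The value is bound as data, so it can never change the statement's shape."""
    return conn.execute(
        "SELECT id, last_name FROM users WHERE last_name = ?", (last_name,)
    ).fetchall()


# Three constructed inputs: a stacked-query payload (the attack from the
# question), a UNION payload (one statement that reads what it should not),
# and an innocent name containing an apostrophe.
STACKED = "'; DROP TABLE users; --"
UNION = "x' UNION ALL SELECT id, api_token FROM users --"
IRISH = "O'Reilly"


def demo():
    """Run each input through both lookups; returns {label: (unsafe, safe)}."""
    conn = make_db()
    out = {}
    for label, value in [("stacked", STACKED), ("union", UNION), ("oreilly", IRISH)]:
        out[label] = (lookup_unsafe(conn, value), lookup_safe(conn, value))
    return out


if __name__ == "__main__":
    for label, (unsafe, safe) in demo().items():
        print(f"{label:8} unsafe: {unsafe!r}\n{'':8} safe:   {safe!r}")
```

The stacked payload is refused by the driver, exactly as mysqli_query() did in the question, yet the UNION payload returns every api_token through one perfectly legal statement, and the innocent O'Reilly turns into a syntax error. The parameterised version handles all three correctly, which is why a prepared statement, not the one-statement-per-call limit, is the actual fix.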
