Reputation: 151
So I have this query in PHP:
SELECT a.sifra,a.slika,a.slika2,a.imeProizvoda,a.opis,b.cijena,b.cijena2
FROM proizvodi a
inner join stanje b
on a.sifra = b.sifra
WHERE a.imeProizvoda LIKE '%$search%'
I tried making an SQL injection with DROP TABLE proizvodi in every way I found on the internet, but couldn't make it work.
How would someone write that query in the search so that my database proizvodi is deleted?
Upvotes: 0
Views: 204
Reputation: 522741
To avoid SQL injection in PHP, you should absolutely use prepared statements, which make it pretty much impossible to do any SQL injection. For an answer to your question, we can try the following:
$search = "'; DROP TABLE proizvodi; SELECT * FROM dual WHERE '1' LIKE '";
This would result in the following being executed:
SELECT a.sifra, a.slika, a.slika2, a.imeProizvoda, a.opis, b.cijena, b.cijena2
FROM proizvodi a
INNER JOIN stanje b
ON a.sifra = b.sifra
WHERE a.imeProizvoda LIKE '%';
DROP TABLE proizvodi;
SELECT * FROM dual WHERE '1' LIKE '%'
The basic idea is to trip up PHP/MySQL by ending the original valid statement, and then injecting some other (malicious) statement afterwards. Note that DROP and DELETE are not the only damaging things which could happen. For example, doing a SELECT * on a customer table containing credit card numbers could be the most damaging thing to happen.
Disclaimer: I don't live in my parents' basement and spend all my time injecting websites. But, I knew enough to guess at an answer to your question.
Upvotes: 3
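The fix the answer recommends, shown as an added example that is not part of the original question or answer: the same product search rewritten with a PDO prepared statement. The query text is fixed at prepare time and the user's input is bound as a value, so whatever it contains (quotes, semicolons, the payload from the answer above) is compared literally against `imeProizvoda` and never parsed as SQL, regardless of whether the driver happens to accept multiple statements in one call. The DSN, credentials, the `searchProducts` function name and the sample search string are assumptions.

```php
<?php
// Added example (not the original poster's code): parameterised version of the
// product search from the question. DSN, credentials and the function name are
// assumptions; the table and column names come from the question.

function searchProducts(PDO $pdo, string $search): array
{
    // The SQL text is constant; the placeholder :pattern is the only thing the
    // user influences, and it is sent to MySQL as data, not as SQL.
    $sql = "SELECT a.sifra, a.slika, a.slika2, a.imeProizvoda, a.opis, b.cijena, b.cijena2
            FROM proizvodi a
            INNER JOIN stanje b ON a.sifra = b.sifra
            WHERE a.imeProizvoda LIKE :pattern";

    // '%' and '_' are LIKE wildcards, not SQL syntax, so binding alone does not
    // neutralise them: a user typing "%" would match every product. Escape them
    // with a backslash (MySQL's default LIKE escape character) before adding our
    // own surrounding wildcards.
    $escaped = addcslashes($search, '\\%_');
    $pattern = '%' . $escaped . '%';

    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Assumed connection details for a local development database.
$pdo = new PDO(
    'mysql:host=localhost;dbname=shop;charset=utf8mb4',
    'shop_user',
    'shop_password',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepared statements rather than client-side
        // string interpolation, so the separation of code and data is enforced
        // by the server.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// The payload from the answer above, used here as a constructed search term.
// Bound as a value it is simply a (very unlikely) product name to look for;
// the proizvodi table is untouched.
$search = "'; DROP TABLE proizvodi; SELECT * FROM dual WHERE '1' LIKE '";
$rows = searchProducts($pdo, $search);

printf("%d product(s) matched.\n", count($rows));
foreach ($rows as $row) {
    printf("%s: %s (%s)\n", $row['sifra'], $row['imeProizvoda'], $row['cijena']);
}
```

The same pattern applies with mysqli (`prepare()`, `bind_param()`, `execute()`); what matters is that the statement text never contains user input, so there is no closing quote for an attacker to escape from.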