Thread: SQL injection
02-29-2008, 10:11 PM   #1
gnznroses

I want to ensure that my scripts are safe against SQL injection, and I've read techniques, but I'm confused because even without using any security measures, I can't get injection to work in testing.

For example, on one form I ask for a username and do a search for it:

PHP Code:
// user input is concatenated into the query string unescaped
$query = "SELECT id FROM users WHERE name='" . strtolower($userinfo['name']) . "'";
$result = mysql_query($query);
if (!$result) {
    //echo debug info
}

So I enter this as a username:
Quote:
a'; delete from delme where a='22
The query doesn't execute and triggers the debug info, which is as follows:
Quote:
Could not run name check
Magic quotes is disabled

query is:
SELECT id FROM users WHERE name='a'; delete from delme where a='22'

username was:
a'; delete from delme where a='22

you have an error in your sql syntax; check the manual that corresponds to your mysql server version for the right syntax to use near '; delete from delme where a='22'' at line 1

If I copy and paste that query, as listed above, MySQL will run it and delete the row. So why doesn't this injection work?
I'm trying to understand what's going on and if I need to escape data at all.
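Added example, not part of the original post: PHP's mysql_query() sends a single statement per call, which is why the stacked DELETE above fails with a syntax error, yet a concatenated query can still be rewritten inside that one statement, so the input still has to be escaped or bound. The sketch uses Python's sqlite3 as a stand-in for PHP/MySQL (an assumption; its execute() has the same one-statement limit), with constructed table data and hypothetical function names.

```python
import sqlite3

def make_db():
    """Constructed sample data: two users plus the scratch table from the post."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO users (name) VALUES ('alice'), ('bob');
        CREATE TABLE delme (a TEXT);
        INSERT INTO delme VALUES ('22');
    """)
    return db

def lookup_concat(db, name):
    """Same pattern as the post: input concatenated straight into the SQL string."""
    query = "SELECT id FROM users WHERE name='" + name.lower() + "'"
    try:
        return [row[0] for row in db.execute(query)]
    except (sqlite3.Warning, sqlite3.Error) as exc:
        # execute() accepts one statement per call, like mysql_query(),
        # so a stacked second statement is refused before anything runs
        return "rejected: " + type(exc).__name__

def lookup_bound(db, name):
    """Hardened form: the value is bound as a parameter and never parsed as SQL."""
    return [row[0] for row in db.execute(
        "SELECT id FROM users WHERE name = ?", (name.lower(),))]

def delme_rows(db):
    """Row count of the scratch table, to confirm nothing was deleted."""
    return db.execute("SELECT COUNT(*) FROM delme").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    stacked = "a'; delete from delme where a='22"  # input from the post
    rewrite = "a' or 'x'='x"                       # constructed single-statement input
    print(lookup_concat(db, stacked), delme_rows(db))  # rejected, table untouched
    print(lookup_concat(db, rewrite))                  # WHERE clause altered: every id
    print(lookup_bound(db, rewrite))                   # treated as a literal name
    print(lookup_bound(db, stacked), delme_rows(db))
```

In PHP the bound form corresponds to a prepared statement (mysqli or PDO) rather than mysql_query() with a concatenated string.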