-- Demo fixture for the login query built by the PHP script that follows.
-- NOTE(review): the password column stores the credentials as plain text and is
-- capped at 8 characters, so any query that can read this table discloses them
-- directly. That is acceptable for a throwaway lab table only. A real credential
-- store keeps a salted password hash (for PHP, the output of password_hash()),
-- which also needs a much wider column than VARCHAR(8).
CREATE TABLE scientist (
    id        INTEGER,
    firstname VARCHAR(100),
    lastname  VARCHAR(100),
    password  VARCHAR(8)
);

-- Seed the three demo accounts.
INSERT INTO scientist (id, firstname, lastname, password)
VALUES
    (1, 'albert', 'einstein', 'emc2'),
    (2, 'isaac', 'newton', 'force'),
    (3, 'marie', 'curie', 'glowin');

-- Show the seeded rows; the columns are listed in table-definition order.
SELECT id, firstname, lastname, password
FROM scientist;
<?php
// Enable every mysqli report flag. MYSQLI_REPORT_ALL includes
// MYSQLI_REPORT_STRICT, so mysqli failures are raised as exceptions
// instead of being returned as false.
mysqli_report(MYSQLI_REPORT_ALL);

// Stand-ins for values that would normally arrive from a login form.
// The username carries a quote and a statement separator to show what
// happens when such input reaches the query text unescaped.
$username = "albert';DROP";
$password = '1234';

// DELIBERATELY VULNERABLE (SQL injection demo): both values are spliced into
// the SQL text, so the quote inside $username ends the string literal early
// and everything after it is parsed as SQL rather than as data.
// Remediation: keep the SQL text constant and bind the values, e.g.
//   $stmt = $mysqli->prepare(
//       'SELECT id, firstname, lastname FROM scientist WHERE firstname = ? AND password = ?');
//   $stmt->bind_param('ss', $username, $password);
//   $stmt->execute();
$query = "SELECT * FROM scientist WHERE firstname = '{$username}' AND password = '{$password}'";
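// Run query using mysqli
// NOTE(review): multi_query() accepts several ';'-separated statements in one
// call, which is what allows the ';' inside $username to start a second
// statement. mysqli::query() and prepared statements execute one statement
// only, so outside of this demo they are the safer choice.
// multi_query() reports a failure of the FIRST statement only. Errors in later
// statements surface when next_result() advances to them.
try {
    $result = $mysqli->multi_query($query);
} catch (Exception $e) {
    // Lab-only debug output: echoing the driver error and the full query text
    // tells whoever supplied the input how the statement is built. In a real
    // application log this server-side and show a generic failure message.
    printf('DEBUG Message: You got an SQL ERROR:');
    // Fixed: inside double quotes "$e->getMessage()" is parsed as the property
    // $e->getMessage followed by the literal text "()", so the actual error
    // message was never printed. Call the method outside the string.
    echo $e->getMessage(), PHP_EOL;
    printf('Query was: %s ' . PHP_EOL, $query);
}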
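// Walk every result set produced by the multi-statement query and print it.
// NOTE(review): a login check normally only needs to know whether a row
// matched. Printing the stored password column is kept here because the demo
// shows what an injected query can expose.
printf('Result is:' . PHP_EOL);
try {
    do {
        $result = $mysqli->store_result();
        if ($result === false) {
            // store_result() returns false when the current statement produced
            // no result set or the query failed. Dereferencing it (as the
            // original did with ->num_rows) is an error, so skip to the next result.
            continue;
        }
        if ($result->num_rows === 0) {
            printf('wrong user or password');
        } else {
            while (list($id, $firstname, $lastname, $password) = mysqli_fetch_array($result)) {
                echo "$firstname - $lastname - $password"."\r\n";
            }
        }
        // Release the buffered rows before moving on to the next result set.
        $result->free();
    } while ($mysqli->next_result());
} catch (Exception $e) {
    // With exception reporting enabled (mysqli_report() at the top of this
    // script), an error in the second or a later statement is raised by
    // next_result(), not by multi_query(). Without this handler the script
    // would end with an uncaught exception.
    printf('DEBUG Message: You got an SQL ERROR:');
    echo $e->getMessage(), PHP_EOL;
}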
#if (mysqli_num_rows($result) === 0) {
# printf('<nothing>' . PHP_EOL);
#}
#else {
# while (list($id, $firstname, $lastname, $password) = mysqli_fetch_array($result)) {
# echo "$firstname - $lastname - $password"."\r\n";
# }
#}
?>