*************

SQL code: Upload dump Copy Format Clear

create table scientist (id integer, firstname varchar(100), lastname varchar(100), password varchar(8)); insert into scientist (id, firstname, lastname, password) values (1, 'albert', 'einstein', 'emc2'); insert into scientist (id, firstname, lastname, password) values (2, 'isaac', 'newton', 'force'); insert into scientist (id, firstname, lastname, password) values (3, 'marie', 'curie', 'glowin'); SELECT * FROM scientist;

SQL Server: Preserve result

Result: Copy Clear

PHP code: Copy Format Clear

<?php $username = "albert';DROP"; $password = '1234'; $query = "SELECT * FROM scientist WHERE firstname = '" . $username . "' AND password = '" . $password . "'"; // Run query using mysqli try { $result = $mysqli->multi_query($query); } catch (Exception $e) { printf('DEBUG Message: You got an SQL ERROR:'); echo "$e->getMessage()"; printf('Query was: %s ' . PHP_EOL, $query); } printf('Result is:' . PHP_EOL); do { $result = $mysqli->store_result(); #var_dump( $result ); if ($result->num_rows === 0) { printf('wrong user or password'); } else { while (list($id, $firstname, $lastname, $password) = mysqli_fetch_array($result)) { echo "$firstname - $lastname - $password"."\r\n"; } } } while ($mysqli->next_result()); #if (mysqli_num_rows($result) === 0) { # printf('<nothing>' . PHP_EOL); #} #else { # while (list($id, $firstname, $lastname, $password) = mysqli_fetch_array($result)) { # echo "$firstname - $lastname - $password"."\r\n"; # } #} ?>

PHP version:

Show: Warnings Notice

Result: Copy Clear

PHPize Online / SQLize Online / SQLtest Online