We Keep Coding

SQL Injection using PHP multi_query to DROP TABLE

I am trying to drop a table within a database using SQL injection through PHP.
The PHP code submits a form to the Database with the following command and multi_query($sql):
$sql = "INSERT INTO Student (StdNumber, FName, LName, DOB, PhoneNumber)
VALUES ('$input1', '$input2', '$input3', '$input4', '$input5')";
So I thought, I can SQL Inject input5. So I use:
');"; $sql .= "DROP TABLE IF EXISTS Student;";-- -
This closes the previous sql statement, then I start another statement with 'sql .=' and then I comment off the rest of it with -- -
However the table isn't dropping. I am not seeing my injection command within input5 (PhoneNumber) in the database, so it is successfully closing the previous statement I would believe.
So I am not sure what is wrong, am I using multi_query incorrectly? or is my injection incorrect?
Thank you
Edit 1:
Additionally, when I submit the form it accepts it and makes another entry into the database.

You are trying to manipulate the sql that is generated by the php, not the php itself.
So you should not add php to your 5th input:
');"; $sql .= "DROP TABLE IF EXISTS Student;";-- -
should be something like:
1234567890'); DROP TABLE IF EXISTS Student; -- the rest here will be comments in sql

How to prevent sql Injection? without modification into an SQL query [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example:
$unsafe_variable = $_POST['user_input'];
mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");
That's because the user can input something like value'); DROP TABLE table;--, and the query becomes:
INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')
What can be done to prevent this from happening?

The absolute minimum you need to do here is escape that variable:
$unsafe_variable = mysql_real_escape_string($_POST['user_input']);
Nothing in your query has to change at that point. This is not necessarily the end of the story, though, as mysql_real_escape_string is not invulnerable and you remain exposed to injection attacks by those using more sophisticated techniques.
The entire mysql_query API has been trashed, it's obsolete and the latest version of PHP no longer supports it. You need to move on to something better, and I'd recommend PDO as a baseline.
The best way to be sure you're doing it right is to use prepared statements with placeholder values. That is your query looks like this:
INSERT INTO table name (column1) VALUES (:column1)
With PDO you can name your placeholders. This makes executing your statement later very easy, you just match up the values:
$stmt->execute(array('column1' => $_POST['user_input'));
So the best way to avoid injection bugs is to avoid injection in the first place. Placeholder values will be substituted correctly, safely, and most important, consistently. All it takes is one mistake where you thought you escaped something but you didn't and people can bust your site wide open.

preventing sql injection in php [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 7 years ago.
If user input is inserting without modification from SQL query, then the application becomes vulnerable to SQL injection, like in the following example:
$unsafe_variable = $_POST['user_input'];
mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");
That's because the user can input something like value '); DROP TABLE table;--, and the query becomes:
INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')
What can be done to prevent this from happening?

There is extensive information through simple Google searches that can guide you in the right direction. To start though:
DON'T USE MYSQL_* FUNCTIONS These are deprecated and will generate warnings. They are not even remotely good practice for modern web development.
USE A DATABASE LIBRARY INSTEAD like PDO or MySQLi. There's plenty of tutorials to get you started and most importantly these libraries take care of SQL injection for you. So use them!

How to insert with a where from another database?

How do I insert using sql when my data is on one table and my where is on another. Here is the code:
$sql = "INSERT INTO user_can (online_id) VALUES ('$online') WHERE user.online = 'online'";
mysql_query($sql);
I seem to be getting errors when trying to insert, the insert does not happen. It looks like I am messing up with my where code. Does anybody know how I can insert my data?

You're mixing parts of one statement type with parts of another. The SQL needs to be something like:
INSERT INTO user_can (online_id) SELECT online_id FROM user WHERE online = 'online';
The INSERT ... VALUES ... format is for providing explicit values in the SQL. Further Information about INSERT syntax.

Don't insert entry if already exist

How to not insert the values if same question_text exist but not for the first_word.
Example (The question_text is the whole sentence and the first word is the first word in the sentence.)
He is crazy. //insert
He is smart. //insert
He is smart. //exist don't insert
$first_word = current(explode(' ', $_POST['question_text']));
mysql_query("INSERT INTO questions (question_id,question_text,field_name)
VALUES ('','$_POST[question_text]','$first_word')");

You could run this SQL once query to prevent double entries with the same content:
ALTER TABLE questions ADD UNIQUE(question_text);

You can't do that with this query. You need to write another query first to check for the existence of the row you don't want to duplicate.
Also, the code is vulnerable to SQL injection attacks. See here for information on how to fix that: Protect against SQL injection

MySQL has the INSERT ON DUPLICATE KEY UPDATE statement, which you could use. But in the example you posted it would probably not be a good way to do it.