-- Query template as the application builds it: $email is pasted into the string literal unchanged.
SELECT email, passwd, login_id, full_name FROM members WHERE email = '$email';
-- Value supplied for $email (not a statement on its own): its first quote ends the literal early.
x'; UPDATE members SET email = 'steve@unixwiz.net' WHERE email = 'bob@example.com
-- Text the server receives after substitution: two statements where the application intended one.
SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; UPDATE members SET email = 'steve@unixwiz.net' WHERE email = 'bob@example.com';
####
# do() prepares and executes in a single call. Its return value is a row
# count (undef on error), not a statement handle, despite the variable name.
# The text carries two statements; whether the second one runs depends on the
# driver's multi-statement setting (DBD::mysql: mysql_multi_statements, off by
# default). A rejection here is a driver default, not an injection defence.
my $sth = $dbh->do(
    "select * from users; drop database screwme;"
);
####
# Same two-statement text, this time sent through prepare()/execute()
# rather than do(), to check that both code paths treat it alike.
my $two_statements = "select * from users; drop database screwme;";
my $sth = $dbh->prepare($two_statements);
$sth->execute;
####
DBD::mysql::db do failed: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '; drop database screwme' at line 1...
####
# ...load the DBI and connect to your database first

# Test harness for the examples: $input stands in for a submitted form field.
# The value is interpolated directly into the SQL text, so quote characters
# inside it change the structure of the statement. That is the behaviour being
# demonstrated; the safe form binds the value through a placeholder
# (sid=? together with execute($input)).
my $input = "3";    # test values are typed here instead of going through a form
my $query = "select username, password from users where sid='$input';";
my $sth   = $dbh->prepare($query);

# execute() returns a true value on success; for a SELECT the exact number is
# driver-dependent and is printed only as a quick sanity check.
my $affected = $sth->execute();
print $affected;

# Print every returned row as dash-joined columns, one row per line.
while ( my @row = $sth->fetchrow_array() ) {
    print join( "-", @row ), "\n";
}
####
5' or 1='1
####
select username, password from users where sid=' 5' or 1='1 ';
####
5' or 1=1 LIMIT 1,'1
####
5' or 1=1 HAVING username<'c
####
# The line under discussion: $input lands inside the quoted literal with no
# escaping and no binding, so its content becomes part of the SQL text itself.
my $unsafe_sql = "select username, password from users where sid='$input';";
my $sth        = $dbh->prepare($unsafe_sql);
####
sid= ' $input '
####
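# Placeholder form: the statement text is fixed and $input is handed to the
# driver separately as a bound value, so quotes in it cannot alter the SQL.
# The ? must not be wrapped in quotes. Written as '?', it is an ordinary
# one-character string literal, the statement has no placeholder at all, and
# DBI reports a bind-count mismatch when execute() is given a value.
my $sth = $dbh->prepare("select username, password from users where sid=?;");
my $affected = $sth->execute($input);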
####
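# Backslash-escape every single quote in $input before it is placed inside a
# MySQL string literal. The substitution needs the leading "s"; without it the
# line is a match followed by stray tokens and does not compile.
# NOTE(review): hand-written escaping is a fallback at best. It leaves
# backslashes already present in the input untouched and knows nothing about
# the connection character set. Prefer a bound placeholder, or
# $dbh->quote($input), which applies the driver's own quoting rules.
$input =~ s/'/\\'/g;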