I set up a common login vulnerable to sql injection for educational purpose. I'm trying to inject but it seems to not be working.
When I use mysql directly from the command line I can see it works:
mysql > select * from users where user = ''; drop table users;-- and pass = '';
I get query ok 0 rows afected
mysql > show tables;
Empty set
but when I try to input into my username field, it seems ' is being replaced with \' as if php is escapeing it.
'; drop table users;--
I discoverd this by constructing a $query variable and then passing that to mysql_db_query followed by echo $query;
has the new release of php done something or what might I be doing wrong?
query when echoed:
select * from users where user = '\'; drop table users;-- and pass = '';
any guidence is apreciated.
