SQL injections - Drupal 8

by Sugandh Khanna   Last Updated January 12, 2018 12:07 PM

I'm learning about security vulnerabilities in Drupal 8, so I'm trying to learn how to perform SQL injection in a Drupal form.

In the Drupal form submit, I'm writing a query somewhat like this:

$query = db_query("INSERT INTO {my-table} (title) VALUES ('".$title."'); TRUNCATE TABLE my-table;");

But the above query is not getting executed. I tried:

$query = db_query("INSERT INTO {my-table} (title) VALUES ('".$title."')");

This query runs fine, but when I insert the text mentioned below into the text field (attempting SQL injection), it won't work.

''; DROP TABLE my-table;

This bold text simply gets inserted into my DB table, and the table is not getting dropped.

Please help with SQL injections.

Tags : 8 database
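
Added example, not part of the original question and not Drupal's own code: the concatenated insert from the question next to a bound-parameter version. It uses plain PDO with an in-memory SQLite database as a stand-in for Drupal's database layer (this needs the pdo_sqlite extension). The table name my_table, the function names and the sample titles are assumptions made for the demo.

```php
<?php
// PDO + in-memory SQLite stand in for Drupal's database layer (assumption).
// Table my_table and the sample titles below are constructed for this demo.

function open_demo_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE my_table (id INTEGER PRIMARY KEY, title TEXT)');
    return $pdo;
}

// Pattern from the question: the form value is spliced into the SQL text,
// so characters inside $title are parsed as SQL syntax.
function insert_concatenated(PDO $pdo, string $title): void {
    $pdo->exec("INSERT INTO my_table (title) VALUES ('" . $title . "')");
}

// Hardened form: the SQL text is constant and the value is bound separately,
// so it can only ever be stored as data.
function insert_bound(PDO $pdo, string $title): void {
    $stmt = $pdo->prepare('INSERT INTO my_table (title) VALUES (:title)');
    $stmt->execute([':title' => $title]);
}

// True when every title comes back byte-for-byte after a bound insert.
function bound_roundtrip_ok(array $titles): bool {
    $pdo = open_demo_db();
    foreach ($titles as $t) {
        insert_bound($pdo, $t);
    }
    $stored = $pdo->query('SELECT title FROM my_table ORDER BY id')
                  ->fetchAll(PDO::FETCH_COLUMN);
    return $stored === $titles;
}

// True when the concatenated insert cannot even be parsed for this title.
function concatenated_breaks(string $title): bool {
    try {
        insert_concatenated(open_demo_db(), $title);
        return false;
    } catch (PDOException $e) {
        return true; // the value changed the statement's structure
    }
}

$titles = ["Plain title", "O'Reilly's guide", "''; DROP TABLE my-table;"];
var_dump(bound_roundtrip_ok($titles));            // all three stored as text
var_dump(concatenated_breaks("O'Reilly's guide")); // ordinary input breaks it
```

In Drupal 8 the bound form is written by passing placeholders to db_query(), for example db_query("INSERT INTO {my_table} (title) VALUES (:title)", [':title' => $title]).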
