SQL injection attack with php


You need to make sure to comment out the rest of the query, so the quotes don't trip you up and so any extra clauses are ignored.

Try setting the ID to:

0 OR id=id -- 

The --  (that's hyphen, hyphen, space: the space is important) is a comment in MySQL.


You being in school, I don't want to just give you the answer. :P

Given the fact that the query isn't parametrized...

Pay attention to the placement of the apostrophes.

Keep in mind the query:

Select field FROM table WHERE field = '<-- Note these -->'

You are on the right track though!

LESSON

Always, always, always use parametrized queries if you can. Also PDO is a nice way to access DBs in PHP.

EXAMPLE

anything' OR 'x'='x <-- Something like this (again with the apostrophes)


Exploiting SQL injections is the art of providing values that, when incorporated into an SQL statement, result in a valid SQL statement syntax while changing the semantics intended by the developer to some that are profitable for an attacker.

Now if we look at your attempt with id being 100 OR id=id; and password something, the resulting SQL looks like this:

SELECT * FROM accounts WHERE id = 100 OR id=id; AND password = 'something'

Now there are two problems with this:

  1. mysql_query only supports the execution of one statement and throws an error if there is more than one statement.
  2. Even if multiple statements were supported, the return value would be the result of the second statement, which, obviously, is invalid.

So to fix this, the easiest way is to inject a comment; its syntax is # or --  (note the trailing space) for a comment that runs until the end of the line. So you could use one of the following for id:

100 OR id=id #
100 OR id=id -- 

Or you inject an independent OR clause without any comments like this:

100 OR id=id OR id

This would result in:

SELECT * FROM accounts WHERE id = 100 OR id=id OR id AND password = 'something'

Here the id=id is true for each row.
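As an added example, not code from the question or from any of the answers above, the following PHP script puts the concatenated query the thread discusses next to the PDO prepared statement recommended in the LESSON above and runs both against an in-memory SQLite table. The table name accounts and its columns are assumptions chosen to match the query in the question; SQLite is used because it needs no server and accepts the same --  line comment as MySQL (it does not accept #).

```php
<?php
// Added example (not from the original question or answers): the injectable
// lookup beside a PDO prepared statement, run against in-memory SQLite so the
// script works offline. Table and column names are assumptions.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Relevant for pdo_mysql rather than SQLite: disable client-side emulation so
// the server itself separates SQL text from parameter values.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
$pdo->exec("INSERT INTO accounts VALUES (1, 'alice', 'secret1'), (2, 'bob', 'secret2')");

// Vulnerable: request values are pasted straight into the SQL text, exactly
// like the mysql_query call discussed in the thread. The id value can close
// the WHERE clause and comment out the password check.
function lookupVulnerable(PDO $pdo, string $id, string $password): array
{
    $sql = "SELECT * FROM accounts WHERE id = $id AND password = '$password'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is fixed when the statement is prepared; the values
// are sent as parameters and are only ever compared as data, so they cannot
// change the structure of the statement.
function lookupSafe(PDO $pdo, string $id, string $password): array
{
    $stmt = $pdo->prepare('SELECT * FROM accounts WHERE id = :id AND password = :pw');
    $stmt->execute([':id' => $id, ':pw' => $password]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The id value from the first answer, with the trailing space after "--".
$injectedId = '0 OR id=id -- ';

// With concatenation the comment swallows the password check and every row
// comes back; with the prepared statement the same string is just an id that
// matches nothing.
printf("vulnerable lookup with injected id: %d row(s)\n",
    count(lookupVulnerable($pdo, $injectedId, 'wrong')));
printf("prepared lookup with injected id:   %d row(s)\n",
    count(lookupSafe($pdo, $injectedId, 'wrong')));
printf("prepared lookup, correct credentials: %d row(s)\n",
    count(lookupSafe($pdo, '1', 'secret1')));
```

Run it with the SQLite PDO driver enabled (php -m should list pdo_sqlite). The point to take away from the three printed counts is that the prepared statement still finds the legitimate account while treating the injected string as an ordinary value; the same prepare/execute pattern applies unchanged to a MySQL DSN.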