Let's consider I have this line of code:
$result = $mysqli->query("SELECT * from myTable where field='".$_GET['var']."'");
IMHO this is the 1st problem. But actually it seems that mysqli->query will not execute 2 statements at once. Isn't it?
That's right, if you want to execute multiple statements you need to use mysqli->multi_query. You can find a good explanation about multiple statements here: http://www.php.net/manual/en/mysqli.quickstart.multiple-statement.php
But this problem arises and I'm missing the trick to get rid of it.
The problem arises because you are using multiple statements, and mysqli->query does not support them.
About your queries:
$result = $mysqli->query("SELECT * from myTable where field='".$_GET['var']."'");
You can inject this using for example 1' OR 1=1; that would return all entries of myTable on the query result.
"SELECT * from myTable where field='".$_GET['var']."' AND field2 IS NOT NULL"
Here you could use 1' OR 1=1 UNION ALL SELECT * FROM myTable WHERE '1'='1
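As an added example that is not part of the question or of either answer: the following Python script mirrors the two query shapes discussed above against an in-memory SQLite table (a stand-in for the MySQL database behind $mysqli, so it runs offline; the schema and rows are constructed for the example, since the thread never shows them). It shows what the UNION payload from the answer returns when the value is concatenated into the SQL text, how binding the value as a parameter (the sqlite3 counterpart of mysqli's prepare/bind_param) defuses the same payload, and that a stacked `; DROP TABLE` payload is refused by a single-statement execute call, just as mysqli->query refuses a second statement. It goes slightly beyond the answer by adding a boolean payload that closes its own quote, so the first query stays syntactically valid.

```python
import sqlite3

# Constructed sample data standing in for the question's myTable. Assumption:
# a TEXT column `field` plus a nullable `field2`, since the post shows no schema.
SAMPLE_ROWS = [
    (1, "alpha", "x"),
    (2, "beta", None),
    (3, "gamma", "y"),
]


def make_db():
    """In-memory SQLite stand-in for the MySQL database behind $mysqli."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (id INTEGER, field TEXT, field2 TEXT)")
    conn.executemany("INSERT INTO myTable VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def vulnerable_first_query(conn, var):
    """Same shape as the question's first query: the value is glued into the SQL text."""
    sql = "SELECT * FROM myTable WHERE field='" + var + "'"
    return conn.execute(sql).fetchall()


def vulnerable_second_query(conn, var):
    """Same shape as the answer's second query, with a trailing AND clause."""
    sql = "SELECT * FROM myTable WHERE field='" + var + "' AND field2 IS NOT NULL"
    return conn.execute(sql).fetchall()


def safe_second_query(conn, var):
    """Hardened form: the value is bound as a parameter and never parsed as SQL.

    mysqli equivalent (assumed, not from the thread):
      $stmt = $mysqli->prepare("SELECT * FROM myTable WHERE field=? AND field2 IS NOT NULL");
      $stmt->bind_param('s', $_GET['var']);
      $stmt->execute();
    """
    sql = "SELECT * FROM myTable WHERE field=? AND field2 IS NOT NULL"
    return conn.execute(sql, (var,)).fetchall()


# UNION_PAYLOAD is the one given in the answer. OR_PAYLOAD is an added boolean
# variant that closes the quote itself, so the first query parses cleanly.
# STACKED_PAYLOAD tries to append a second statement, which a single-statement
# query call (sqlite3 execute, mysqli->query) will not run.
OR_PAYLOAD = "1' OR '1'='1"
UNION_PAYLOAD = "1' OR 1=1 UNION ALL SELECT * FROM myTable WHERE '1'='1"
STACKED_PAYLOAD = "1'; DROP TABLE myTable; --"


def stacked_statement_refused(conn, var):
    """Return True if the driver refuses to run a second statement in one call.

    sqlite3's execute(), like mysqli->query, runs exactly one statement and
    raises on a trailing one (Warning before Python 3.11, ProgrammingError
    after); executescript(), like mysqli->multi_query, would run them all.
    """
    try:
        vulnerable_first_query(conn, var)
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return True
    return False


def row_count(conn):
    """Number of rows still in myTable (proves the DROP never ran)."""
    return conn.execute("SELECT COUNT(*) FROM myTable").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("legit value :", vulnerable_first_query(db, "alpha"))
    print("OR payload  :", vulnerable_first_query(db, OR_PAYLOAD))
    print("UNION payload, concatenated:", vulnerable_second_query(db, UNION_PAYLOAD))
    print("UNION payload, bound       :", safe_second_query(db, UNION_PAYLOAD))
    print("stacked statement refused  :", stacked_statement_refused(db, STACKED_PAYLOAD))
    print("rows still in myTable      :", row_count(db))
```

With the concatenated form the UNION payload expands to `WHERE field='1' OR 1=1 UNION ALL SELECT * FROM myTable WHERE '1'='1' AND field2 IS NOT NULL`: the first branch returns every row and the second returns every row with a non-null field2, so three sample rows come back as five. The bound form compares the whole payload string against `field` and returns nothing, which is the behaviour you want from mysqli prepare/bind_param as well.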
Nowadays there are tools that can automatically check for SQL injection for you; take a look at SQL Inject Me (Firefox Addon) for example.