I am new to SQL injections, and people on Reddit asked me do the portswigger labs. Which I did up till before 2nd order ones. So I am pretty comfortable with usual SQL injections.
Now I have myself made a PHP website using mysqli extensions instead of mysql. So for example, a basic Query execution looks like:
//mysqli// $ result = mysqli_query($ conn, $ qry); instead of $ result = mysql_query($ qry);
So I asked others and found out that without proper sanitization or separate query builders, mysqli extension is as vulnerable as mysql extension. So, the app I made is too basic. It’s just querying the DB and spitting out results. It’s that simple. No sanitization is done.
But executing basic payloads like ‘+or+1=1–+ or anything basic, gives me the error:
mysqli_error() expects exactly 1 parameter, 0 given
So I tried a lot and can’t get past this error for anything I try. I simply can’t execute injections with mysqli extension. Any help is highly appreciated.