I suppose you have a form with an input field like this:
<input type="text" name="ITEM" id="ITEM">
From this you set the $ITEM variable. Now try sending something other than the expected value: you expect an integer, so send this instead:
1 OR 1=1
It will probably return all the rows in the item table. This is an SQL injection, and it means the input submitted to the query function is not sanitized or validated, so an attacker can try to run other queries and get some extra information or execute remote code.
This is the reason you should use prepared statements, for example:
$stmt = $mysqli->prepare("SELECT * FROM item WHERE id = ?");
$stmt->bind_param("i", $ITEM); // bound as an integer; the value never becomes part of the SQL text
$stmt->execute();
$results = $stmt->get_result();
# looping results
while($row = $results->fetch_assoc()) {
    print_r($row);
}
For more examples check this code snippet by pritaeas:
I think your table name is incorrect. You are using "item" for the table name and "ITEM" for the column name. MySQL doesn't care if a column name is upper, lower, or mixed case, so you have the same name for your table and column. Are you sure the table name isn't "items" plural? If not, then you probably need to rename the table.
That's why I was writing about prepared statements: the quote is not supposed to be submitted to the query unless it is escaped correctly, and that's why the security test was generating the syntax error. They supposed you were using quotes in your query:
"SELECT * FROM items WHERE ITEM = '$ITEM'"
So they tried to escape them by submitting the number with a quote:
To get a query like this:
"SELECT * FROM items WHERE ITEM = '71''"
This seems not to make sense, but if you add other instructions right after the quote, you could execute whatever you want:
71' OR '1'='1
for example. In the end the query will look like this:
"SELECT * FROM items WHERE ITEM = '71' OR '1'='1'"
To solve this with MySQLi you can use prepared statements, or you can escape the input with mysqli_real_escape_string():
$id = mysqli_real_escape_string($con, $id);
// the escaped value must sit between quotes in the SQL; dropped in unquoted, the escaping protects nothing
$item_query = mysqli_query($con, "SELECT * FROM product WHERE item_id = '$id'");
I think prepared statements are for PDO, and they can also be used in PHP, but I am new to PHP and I don't know how to use prepared statements. I saw a lot of this -> syntax, but I don't know what they are and what they are for.
I would like to learn PDO, which I think is more difficult than PHP...
Sorry for my bad English.
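The following is an added example, not code posted in this thread. It puts the two injection shapes discussed above (the unquoted integer from the first reply and the quoted value from the second) next to a prepared statement, an integer cast, and the escaping route, and runs all of them against a small in-memory database. It uses PDO with SQLite only so that it runs without a MySQL server and so that the `->` prepare/bind/execute syntax the last post asks about can be seen in one place; the table, column and rows are constructed for the demo and are not the asker's real schema. With mysqli the bound-parameter step is `$stmt->bind_param("i", $item)`, as in the first reply.

```php
<?php
// Added example, not code from the thread. Schema and rows are constructed here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE items (item_id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO items (item_id, name) VALUES (70, 'hammer'), (71, 'saw'), (72, 'drill')");

// VULNERABLE, first shape from the thread: the value is pasted in unquoted, so
// "1 OR 1=1" becomes part of the WHERE clause and every row matches.
function unsafe_unquoted(PDO $db, string $item): array
{
    return $db->query("SELECT * FROM items WHERE item_id = $item")->fetchAll(PDO::FETCH_ASSOC);
}

// VULNERABLE, second shape: the value is quoted, but a quote inside the input
// closes the literal early and the remainder is again parsed as SQL.
function unsafe_quoted(PDO $db, string $item): array
{
    return $db->query("SELECT * FROM items WHERE item_id = '$item'")->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: prepared statement. The SQL text is fixed before the value is seen;
// the value travels separately and is compared as data, never parsed as SQL.
function prepared(PDO $db, string $item): array
{
    $stmt = $db->prepare("SELECT * FROM items WHERE item_id = :item");
    $stmt->bindValue(':item', $item);   // mysqli equivalent: $stmt->bind_param("i", $item)
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// ALSO SAFE for an integer column: cast the input. Anything that is not a
// number collapses to its leading digits (or 0) and cannot carry SQL.
function cast_to_int(PDO $db, string $item): array
{
    $id = (int) $item;
    return $db->query("SELECT * FROM items WHERE item_id = $id")->fetchAll(PDO::FETCH_ASSOC);
}

// ESCAPING, the other route the second reply mentions. It only works when the
// escaped value sits inside quotes in the SQL: "1 OR 1=1" contains nothing to
// escape, so an escaped value dropped in unquoted gains nothing. PDO::quote()
// escapes and adds the quotes; with mysqli that is
// "'" . mysqli_real_escape_string($con, $item) . "'".
function escaped(PDO $db, string $item): array
{
    return $db->query("SELECT * FROM items WHERE item_id = " . $db->quote($item))->fetchAll(PDO::FETCH_ASSOC);
}

// Report either the number of rows a lookup returned or that the database
// rejected the statement (the syntax error the security test triggered).
function outcome(callable $lookup, PDO $db, string $input): string
{
    try {
        return count($lookup($db, $input)) . ' row(s)';
    } catch (PDOException $e) {
        return 'SQL error';
    }
}

// A normal id and the two payloads from the thread, constructed as test input.
foreach (['71', '1 OR 1=1', "71' OR '1'='1"] as $input) {
    printf("%-18s unquoted: %-10s quoted: %-10s prepared: %-10s cast: %-10s escaped: %s\n",
        var_export($input, true),
        outcome('unsafe_unquoted', $db, $input),
        outcome('unsafe_quoted', $db, $input),
        outcome('prepared', $db, $input),
        outcome('cast_to_int', $db, $input),
        outcome('escaped', $db, $input));
}
```

Run it with `php` on a build that has pdo_sqlite enabled. The two unsafe functions are the only ones whose row count depends on the shape of the input rather than on its value: the unquoted form hands back the whole table for the first payload and raises a syntax error for the second, the quoted form does the reverse, while the prepared, cast and escaped lookups treat both payloads as an id that simply does not exist.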