edit - this shouldn't be marked as a duplicate. The question isn't how to prevent SQL injection attacks (I'm already using prepared statements elsewhere), it's related to why MySQL is killing a maliciously-injected query.
I'm testing out a web app with a connected MySQL database, specifically looking for potential SQL injection concerns and wondering how to prevent such attacks in this specific case.
One page loads a person's information from the database based on a unique ID number, which is visible through the page's URL. Obviously, this is a concern in its own right - I could simply change the ID from "?id=2" to "?id=3" to load a new record from the database - but the issue I'm more concerned with at the moment is a URL-based attack to execute a "bad" query on top of the intended query.
The intended query looks something like this: ... where person.ID="10" and person.ID = notes.ID and ...
By changing the URL, I'm able to close the parameter that's looking for an ID and execute another, potentially malicious query, like this:
... ?id=10"; drop table person; select * from notes where ID=" ...
which would cause the following queries to be executed:
... select * from person, notes where id="10"; drop table person; select * from notes where ID="" and ...
I've been able to get this malicious set of queries to print (echo) to my webpage, so I know it's a vulnerability. However, when I try to execute this exact query in MySQL, it hangs for several seconds before exiting MySQL completely with the response "Killed" and no further explanation.
My question, then, is what's causing MySQL to kill this malicious query and exit? This seems like a security feature, but I don't know what it'd be - those queries are perfectly fine on their own. I'm also confused by the lack of error message beyond "Killed" if anyone has come across a similar situation.