This is a follow-up to this question: Is PHP's addslashes vulnerable to sql injection attack? (thanks to everyone that replied over there).

Same scenario, but I have this code (in another page):

             $ID = $_GET['id'];
             $sql = "SELECT * FROM blog WHERE id='$ID'";
             $result = mysql_query($sql);

This should be easy enough to exploit, right?

If I remember correctly I CANNOT run a second query inside mysql_query() but I should be able to do some other malicious stuff, right? Would love to be able to insert a user into the admin table or change a password or something, but I assume I wouldn't be able to do anything other than touch the blog table. Is that correct? Any suggestions on how I can play around and tweak something to prove that there are concerns?

It's called UNION and allows you to pull from extra tables by using a second query.

I'm guessing something like 1' UNION ALL SELECT username title, password body FROM users WHERE '1'='1 would work. (pulls from the users table and maps the username and password values to their blog "equivalents").

I don't think anyone would think you're trying to hack someone - this is a legitimate question.

You can't run a second query here, but you could do something malicious. For example if the query were an authentication query like so:

SELECT * FROM `users` WHERE `username` = '$username' AND `password` = '$password';

You could quite easily log in with ' OR 1 = 1 and gain access to the website.

Also, if the query was a DELETE or UPDATE query you could probably manipulate it to run without a WHERE clause.