I could be wrong, but I'm fairly certain that your main problem is that you are attempting to do MySQL injection wrong. As a general rule of thumb, if a payload can trigger an SQL syntax error then your attempts at preventing SQL injection are not really working. For instance, if you were using prepared queries, there is no way for the payload to result in an SQL syntax error at all.
In this particular case the problem is that you are using the wrong kind of comment to hide the rest of the command. In this case you would probably have more luck (making SQL injection happen) if you used a double dash (`--`) or pound sign (`#`), which both start single-line comments in MariaDB. The comment character you are using (`/*`) is a multi-line comment character that has no closing comment character. This appears to be the source of the SQL error. While I'm not personally familiar with sqlmap, my suspicion is that it may not think there is an injection vulnerability, not because you are safe, but simply because your injection payload is generating an SQL error, and therefore no injection is happening. Try again with the proper comment character.
To reiterate, the fact that you are getting an SQL error makes me think that you are vulnerable to SQL injection; you just aren't doing the SQL injection properly.
Edit
I think your next step is to ignore sqlmap for a bit. The attack you are doing, `' OR 1=1`, would select all records. Your URL implies that this is a `view` kind of page, which shows only one record at a time. As a result, there are many cases where such an SQL injection payload may not actually have any results on the page in question. This is the part that can make it tricky: SQL injection is only "successful" if you can actually do something with the attack and impact the application in a meaningful way. So for instance if your payload causes it to load all records in the SQL command, but the page in question implicitly shows only the first result (because it is a `view`-type page), then you won't realize that your injection has been successful.
The short of it is that your given SQL injection payload is context-specific, and may not work in all places on a given website even if the page is vulnerable to SQL injection. That makes SQL injection extra tricky. Some SQL injection tools can automate some of that trickiness, but I don't know if `sqlmap` is such a tool.
So ditch `sqlmap` for a moment. Try a different kind of payload. Instead of selecting `' OR 1=1`, try doing `' AND 1=0`. This should (theoretically) result in zero records. So if you get a 404 (or no results in general), I would consider that evidence that the page is vulnerable to SQL injection.
Of course, if you're feeling mean you could just try variants on `'; DROP TABLE users--` until something breaks :) That would be mean though.
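The boolean probe described in this answer, as an added example that is not part of the answer above. It assumes a hypothetical `posts` table behind a one-record "view" page and uses an in-memory SQLite database as a stand-in for MariaDB; the three rows are constructed sample data. The payloads use `-- ` with a trailing space because MariaDB only treats `--` as a comment when whitespace follows it (SQLite does not care). The example shows the three outcomes the answer talks about: a payload with no comment terminator produces a syntax error (input is reaching the parser), `' OR 1=1` on a vulnerable view page looks identical to the normal page while `' AND 1=0` returns nothing, and a parameterised query never errors and never changes behaviour.

```python
import sqlite3

# Constructed sample rows for an assumed "posts" table (not from the original post).
ROWS = [
    (1, "first post", "hello"),
    (2, "second post", "world"),
    (3, "third post", "again"),
]


def make_db():
    """In-memory SQLite database standing in for the MariaDB backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", ROWS)
    return conn


def view_vulnerable(conn, post_id):
    """Vulnerable 'view' page: the id is spliced into the SQL as text.
    Returns the first matching row (the page shows one record), None when
    nothing matches (the 404 case), or an ("ERROR", message) tuple when the
    database rejects the query, which is what a syntax error looks like."""
    sql = f"SELECT id, title, body FROM posts WHERE id = '{post_id}'"
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return ("ERROR", str(exc))


def view_prepared(conn, post_id):
    """Same page with a bound parameter: the payload is only ever a value,
    so it cannot produce a syntax error or alter the WHERE clause."""
    sql = "SELECT id, title, body FROM posts WHERE id = ?"
    return conn.execute(sql, (post_id,)).fetchone()


def is_error(result):
    return isinstance(result, tuple) and result and result[0] == "ERROR"


def probe(view, conn, known_id="1", comment="-- "):
    """Boolean differential probe.

    baseline   : the page with a legitimate id
    true_case  : id' OR 1=1 <comment>   -> should match every row, but a view
                 page only shows the first one, so it looks like baseline
    false_case : id' AND 1=0 <comment>  -> should match nothing

    Returns one of:
      "sql-error"   the payload broke the query (input reaches the parser)
      "injectable"  true_case == baseline and false_case returned nothing
      "no-evidence" nothing distinguishes the page from a safe one
    """
    baseline = view(conn, known_id)
    true_case = view(conn, f"{known_id}' OR 1=1 {comment}")
    false_case = view(conn, f"{known_id}' AND 1=0 {comment}")

    if is_error(true_case) or is_error(false_case):
        return "sql-error"
    if baseline is not None and true_case == baseline and false_case is None:
        return "injectable"
    return "no-evidence"


if __name__ == "__main__":
    db = make_db()
    # Payload without a comment leaves a dangling quote -> syntax error.
    print("no comment, vulnerable page:", probe(view_vulnerable, db, comment=""))
    # Proper single-line comment -> OR looks normal, AND returns nothing.
    print("-- comment, vulnerable page: ", probe(view_vulnerable, db))
    # Bound parameter -> neither payload changes anything.
    print("-- comment, prepared page:   ", probe(view_prepared, db))
```

The important check is that the `OR` payload *matches* the baseline rather than merely returning something: on a page that shows one record, "all rows" and "the one row" render identically, which is why the `AND 1=0` probe, not the `OR 1=1` probe, is the one that exposes the difference.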