Hi,

I have a question regarding nmap. I installed a local web server to test sqlmap. I installed a site which is vulnerable to SQL injection. When I test the injection manually, I get a MySQL error:

http://localhost/mymarket/shopping/index.php?id=1'
Code:
Can't execute query
SELECT id, name, description FROM categories WHERE parent_id = 1\' AND id > 1
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' AND id > 1' at line 1

This script cannot continue, terminating.

But when I want to try this with sqlmap, I get no results:
Code:
sqlmap.py -u "http://localhost/mymarket/shopping/index.php?id=1'"

    sqlmap/0.8 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
[*] starting at: 17:07:44

[17:07:44] [INFO] testing connection to the target url
[17:07:45] [INFO] testing if the url is stable, wait a few seconds
[17:07:46] [INFO] url is stable
[17:07:46] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[17:07:46] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[17:07:46] [INFO] testing if Cookie parameter 'mymarket' is dynamic
[17:07:46] [WARNING] Cookie parameter 'mymarket' is not dynamic
[17:07:46] [INFO] testing if GET parameter 'id' is dynamic
[17:07:46] [INFO] confirming that GET parameter 'id' is dynamic
[17:07:46] [WARNING] GET parameter 'id' is not dynamic
[*] shutting down at: 17:07:46

When I try it without the single quote ', I get:
Code:
sqlmap.py -u "http://localhost/mymarket/shopping/index.php?id=1"

    sqlmap/0.8 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
[*] starting at: 17:09:16

[17:09:16] [INFO] testing connection to the target url
[17:09:16] [INFO] testing if the url is stable, wait a few seconds
[17:09:18] [INFO] url is stable
[17:09:18] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[17:09:18] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[17:09:18] [INFO] testing if Cookie parameter 'mymarket' is dynamic
[17:09:18] [WARNING] Cookie parameter 'mymarket' is not dynamic
[17:09:18] [INFO] testing if GET parameter 'id' is dynamic
[17:09:18] [INFO] confirming that GET parameter 'id' is dynamic
[17:09:18] [INFO] GET parameter 'id' is dynamic
[17:09:18] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis
[17:09:18] [INFO] testing unescaped numeric injection on GET parameter 'id'
[17:09:18] [INFO] GET parameter 'id' is not unescaped numeric injectable
[17:09:18] [INFO] testing single quoted string injection on GET parameter 'id'
[17:09:18] [INFO] GET parameter 'id' is not single quoted string injectable
[17:09:18] [INFO] testing LIKE single quoted string injection on GET parameter 'id'
[17:09:18] [INFO] GET parameter 'id' is not LIKE single quoted string injectable
[17:09:18] [INFO] testing double quoted string injection on GET parameter 'id'
[17:09:18] [INFO] GET parameter 'id' is not double quoted string injectable
[17:09:18] [INFO] testing LIKE double quoted string injection on GET parameter 'id'
[17:09:18] [INFO] GET parameter 'id' is not LIKE double quoted string injectable
[17:09:18] [INFO] GET parameter 'id' is not injectable with 0 parenthesis
[17:09:18] [INFO] testing sql injection on GET parameter 'id' with 1 parenthesis
[17:09:18] [INFO] testing unescaped numeric injection on GET parameter 'id'
[17:09:18] [INFO] GET parameter 'id' is not unescaped numeric injectable
[17:09:18] [INFO] testing single quoted string injection on GET parameter 'id'
[17:09:18] [INFO] GET parameter 'id' is not single quoted string injectable
[17:09:18] [INFO] testing LIKE single quoted string injection on GET parameter 'id'
[17:09:18] [INFO] GET parameter 'id' is not LIKE single quoted string injectable
[17:09:18] [INFO] testing double quoted string injection on GET parameter 'id'
[17:09:18] [INFO] GET parameter 'id' is not double quoted string injectable
[17:09:18] [INFO] testing LIKE double quoted string injection on GET parameter 'id'
[17:09:18] [INFO] GET parameter 'id' is not LIKE double quoted string injectable
[17:09:18] [INFO] GET parameter 'id' is not injectable with 1 parenthesis
[17:09:18] [INFO] testing sql injection on GET parameter 'id' with 2 parenthesis
[17:09:18] [INFO] testing unescaped numeric injection on GET parameter 'id'
[17:09:18] [INFO] GET parameter 'id' is not unescaped numeric injectable
[17:09:18] [INFO] testing single quoted string injection on GET parameter 'id'
[17:09:18] [INFO] GET parameter 'id' is not single quoted string injectable
[17:09:18] [INFO] testing LIKE single quoted string injection on GET parameter 'id'
[17:09:18] [INFO] GET parameter 'id' is not LIKE single quoted string injectable
[17:09:18] [INFO] testing double quoted string injection on GET parameter 'id'
[17:09:18] [INFO] GET parameter 'id' is not double quoted string injectable
[17:09:18] [INFO] testing LIKE double quoted string injection on GET parameter 'id'
[17:09:18] [INFO] GET parameter 'id' is not LIKE double quoted string injectable
[17:09:18] [INFO] GET parameter 'id' is not injectable with 2 parenthesis
[17:09:18] [INFO] testing sql injection on GET parameter 'id' with 3 parenthesis
[17:09:18] [INFO] testing unescaped numeric injection on GET parameter 'id'
[17:09:18] [INFO] GET parameter 'id' is not unescaped numeric injectable
[17:09:18] [INFO] testing single quoted string injection on GET parameter 'id'
[17:09:18] [INFO] GET parameter 'id' is not single quoted string injectable
[17:09:18] [INFO] testing LIKE single quoted string injection on GET parameter 'id'
[17:09:18] [INFO] GET parameter 'id' is not LIKE single quoted string injectable
[17:09:18] [INFO] testing double quoted string injection on GET parameter 'id'
[17:09:18] [INFO] GET parameter 'id' is not double quoted string injectable
[17:09:18] [INFO] testing LIKE double quoted string injection on GET parameter 'id'
[17:09:18] [INFO] GET parameter 'id' is not LIKE double quoted string injectable
[17:09:18] [INFO] GET parameter 'id' is not injectable with 3 parenthesis
[17:09:18] [WARNING] GET parameter 'id' is not injectable
[*] shutting down at: 17:09:18

I have tried a lot, but nothing works. Do you have any hints?

Thanks a lot!