Since statements require a semicolon (
No, take this as an example:
SELECT * FROM users WHERE password = '$pw'
' or ''=', the statement becomes the following:
SELECT * FROM users WHERE password = '' or ''=''
Hence you select the first user in the DB, and you've gained access.
Equally in PHP, the mysql_ family of functions only allow you to issue a single request, even if you have multiple separated by a semicolon. In any case, most SQL injection attacks don't use the semicolon anyway.
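Added example, not part of the original answer: the query from the post is built by string concatenation and by parameter binding, showing that a single-statement API still lets the `' or ''='` input through unless the value is bound. It assumes an in-memory SQLite database standing in for MySQL; the table contents and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; in-memory SQLite stands in for the MySQL database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db

def login_concat(db, pw):
    # Vulnerable "before": the input is pasted into the SQL text, as in the post.
    sql = "SELECT * FROM users WHERE password = '%s'" % pw
    return db.execute(sql).fetchone()

def login_param(db, pw):
    # Hardened: the driver binds pw as a value, so it is never parsed as SQL.
    return db.execute("SELECT * FROM users WHERE password = ?", (pw,)).fetchone()

def single_statement_only(db):
    # Like the mysql_ functions, execute() refuses a second statement.
    # The exception class differs between Python versions, so catch both.
    try:
        db.execute("SELECT 1; SELECT 2")
    except (sqlite3.Warning, sqlite3.Error):
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    payload = "' or ''='"  # the input from the post; it contains no semicolon
    print("single statement enforced:", single_statement_only(db))
    print("concatenated query returns:", login_concat(db, payload))
    print("bound parameter returns:   ", login_param(db, payload))
    print("correct password returns:  ", login_param(db, "hunter2"))
```

The single-statement restriction holds in both cases; only the bound-parameter version treats the input as a password to compare rather than as part of the WHERE clause.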