
Thread: SQL injection

  1. #1
    New Coder

    SQL injection

    I want to ensure that my scripts are safe against SQL injection, and I've read techniques, but I'm confused because even without using any security measures, I can't get injection to work in testing.

    For example, on one form I ask for a username and do a search for it:


    PHP Code:
    // User input is concatenated directly into the query text
    $query = "SELECT id FROM users WHERE name='" . strtolower($userinfo['name']) . "'";
    $result = mysql_query($query);
    if (!$result) {
        //echo debug info
    }

    So I enter this as a username:

    a'; delete from delme where a='22
    The query doesn't execute and triggers the debug info, which is as follows:


    Could not run name check
    Magic quotes is disabled

    query is:
    SELECT id FROM users WHERE name='a'; delete from delme where a='22'

    username was:
    a'; delete from delme where a='22

    you have an error in your sql syntax; check the manual that corresponds to your mysql server version for the right syntax to use near '; delete from delme where a='22'' at line 1

    If I copy and paste that query, as listed above, mysql will run it and delete the row. So why doesn't this injection work?
    I'm trying to understand what's going on and if I need to escape data at all.

  • #2
    Supreme Master coder! _Aerospace_Eng_
    PHP Code:
    // Escape the value before placing it inside the quoted string literal
    $query = "SELECT id FROM users WHERE name='" . mysql_real_escape_string(strtolower($userinfo['name'])) . "'";
    $result = mysql_query($query) or die(mysql_error());
    Try that.
    ||||If you are getting paid to do a job, don't ask for help on it!||||

  • #3
    Senior Coder CFMaBiSmAd
    The PHP mysql client does not permit multiple queries separated with a semi-colon (;). However, mysql itself does. So, the specific example you are trying will delete the information, but attempting to run it through PHP won't.
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.
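
Added example, not part of the original thread or any poster's code: the behaviour described in post #3, reproduced with Python's sqlite3 module, whose execute() likewise refuses more than one statement per call (a stand-in for the PHP mysql client; the schema, rows and function names are constructed for illustration). It shows that the stacked DELETE from post #1 is rejected, yet the concatenated query still breaks on any quote in the input, while a bound parameter (used here instead of the mysql_real_escape_string() call from post #2) treats the same input as data.

```python
import sqlite3

# Payload and query shape are from post #1; the schema and rows are constructed.
PAYLOAD = "a'; delete from delme where a='22"

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE delme (a TEXT);
        INSERT INTO users (name) VALUES ('alice'), ('o''brien');
        INSERT INTO delme (a) VALUES ('22');
    """)
    return db

def lookup_concat(db, name):
    """Thread's pattern: input concatenated into the SQL text."""
    query = "SELECT id FROM users WHERE name='" + name.lower() + "'"
    try:
        return "ok", db.execute(query).fetchall()
    except (sqlite3.Warning, sqlite3.Error) as exc:
        # Stacked statements and stray quotes both end up here.
        return "error", str(exc)

def lookup_param(db, name):
    """Bound parameter: the driver never parses the input as SQL."""
    query = "SELECT id FROM users WHERE name = ?"
    return "ok", db.execute(query, (name.lower(),)).fetchall()

def delme_rows(db):
    return db.execute("SELECT COUNT(*) FROM delme").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "O'Brien", PAYLOAD):
        print(repr(name))
        print("  concatenated:", lookup_concat(db, name))
        print("  parameterized:", lookup_param(db, name))
    print("rows left in delme:", delme_rows(db))
```

The single-statement limit only stops the second statement from running; the legitimate name O'Brien failing in the concatenated version shows that the input is still being parsed as SQL.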

  • #4
    New Coder
    OK, thanks guys. That explains it.

