Voodoo Jai, posted October 11, 2008

I have tried this piece of code in a form field:

ryhill' AND 1=(SELECT COUNT(*) FROM users); --

and all I get is the following output when I echo the var on the next page using the POST variable:

RYHILL\' AND 1=(SELECT COUNT(*) FROM USERS); --

Does this mean that my page is a bit secure from an SQL attack, or does this show it's vulnerable? I see it has escaped the single quote, so is all OK with my security?

Link: https://forums.phpfreaks.com/topic/127976-output-query/
PFMaBiSmAd, posted October 11, 2008

Form data that is "magically" escaped by PHP is due to magic_quotes_gpc. There are two problems with this. It has been removed in php6, so you cannot rely on it, and it does not escape all the special characters that can break a query, which is why it has been removed from php6. You must use the mysql_real_escape_string() function in your code to prevent SQL injection.

Since magic_quotes_gpc appears to be on on your system, you have two choices: turn it off if you can (it can only be turned off in php.ini), or test in your code whether it is on and use stripslashes() to remove the escape characters it added before you use mysql_real_escape_string(). If you don't do this when magic_quotes_gpc is on, you will end up with double escape characters.

This is another reason magic_quotes_gpc was removed in php6. Processor time is wasted on every form submission escaping some characters; then, because not all the needed characters were escaped, you must waste more processor time testing for and removing the escape characters, only to spend more time using mysql_real_escape_string() to finally escape all the special characters.

Link: https://forums.phpfreaks.com/topic/127976-output-query/#findComment-662828
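As an added illustration of the procedure in the reply above (this is not code from the thread or from either poster): detect magic_quotes_gpc, strip its backslashes, then escape exactly once with mysql_real_escape_string(), alongside the double-escaping mistake the reply warns about. It targets PHP 5.x, where magic_quotes_gpc and the mysql_* extension still exist (magic_quotes_gpc was removed in PHP 5.4 and the mysql_* functions in PHP 7.0). The connection handle $link, the table users and the column name are assumptions for the example.

```php
<?php
// Added example, not code from the thread. Assumes PHP 5.x with the mysql_*
// extension and $link holding an open connection from mysql_connect().
// The users table and its name column are hypothetical.

// Undo what magic_quotes_gpc did to a request value, then escape it once.
function escape_form_value($value, $link)
{
    // magic_quotes_gpc runs addslashes() over $_GET, $_POST and $_COOKIE as the
    // request comes in. Strip those backslashes first; otherwise the value is
    // escaped a second time below and a stray backslash ends up in the database.
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Escapes every byte MySQL treats specially (quotes, backslash, NUL, newlines)
    // using the character set of the connection, which addslashes() does not do.
    return mysql_real_escape_string($value, $link);
}

// Right: one layer of escaping, whatever the magic_quotes_gpc setting is.
$safe = escape_form_value($_POST['name'], $link);
$sql  = "SELECT id FROM users WHERE name = '" . $safe . "'";
// With the payload from the first post, the quote is escaped, so the
// "AND 1=(SELECT COUNT(*) FROM users); --" part stays inside the string
// literal and is compared as data rather than run as SQL.

// Wrong: escaping again without stripping. To show it offline, simulate what
// $_POST['name'] looks like when magic_quotes_gpc is on (it calls addslashes()).
$typed    = "ryhill' AND 1=(SELECT COUNT(*) FROM users); --";  // constructed input
$received = addslashes($typed);                                 // ryhill\' AND ...
$double   = mysql_real_escape_string($received, $link);         // ryhill\\\' AND ...
// The query still parses, so this does not open an injection, but the value
// stored in the table is now  ryhill' AND ...  with a backslash in front of
// the quote, and a later lookup for the name the user typed will not match it.
```

Two caveats a practitioner would add. The echoed output in the first post only shows that magic_quotes_gpc is on; whether the query is safe depends on how the value is used, and escaping protects a value only when it sits inside quotes in the SQL text, so `WHERE id = $id` with no quotes is not helped by either magic quotes or mysql_real_escape_string(). On any PHP still in support, neither function above exists; the equivalent of the whole procedure is a prepared statement with bound parameters in mysqli or PDO, which needs no escaping at all.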