Jump to content

Is this magic quotes doing this?

keldorn

By keldorn
in MySQL Help

 Share

Recommended Posts

keldorn Member

keldorn

Posted
Posted

I was validating a form input I tried first seeing If I could do an SQL injection with no validation. This was how my query was set up.

 

 

$var = $_POST['input'];

...mysql_query("UPDATE table SET table='{$var}' WHERE....

 

 

I tried inputing things like  x" WHERE  and """"""" ''''' '''"""etc.. int the form and it had no mysql errors. It just inserted it into the database like that.  :P

 

So does this have something to do with Magic quotes?

Link to comment
https://forums.phpfreaks.com/topic/177907-is-this-magic-quotes-doing-this/
Share on other sites
cags Member

cags

Posted
Posted

Your question seems a little vague. You say it just inserted into your database? As that is an UPDATE query not an INSERT statement I'm not sure what your getting at as your example injection attempt is blanked out.

 

Have you checked if your server has magic quotes enabled either in the php.ini or using get_magic_quotes_gpc? If they are enabled then this should prevent any SQL injection.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.