Jump to content

Is this magic quotes doing this?


Recommended Posts

I was validating a form input I tried first seeing If I could do an SQL injection with no validation. This was how my query was set up.



$var = $_POST['input'];

...mysql_query("UPDATE table SET table='{$var}' WHERE....



I tried inputing things like  x" WHERE  and """"""" ''''' '''"""etc.. int the form and it had no mysql errors. It just inserted it into the database like that.  :P


So does this have something to do with Magic quotes?

Link to comment
Share on other sites

Your question seems a little vague. You say it just inserted into your database? As that is an UPDATE query not an INSERT statement I'm not sure what your getting at as your example injection attempt is blanked out.


Have you checked if your server has magic quotes enabled either in the php.ini or using get_magic_quotes_gpc? If they are enabled then this should prevent any SQL injection.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.