Jump to content

Is this magic quotes doing this?

keldorn

By keldorn
in MySQL Help

Recommended Posts

keldorn Member

keldorn

Posted
Posted

I was validating a form input I tried first seeing If I could do an SQL injection with no validation. This was how my query was set up.

 

 

$var = $_POST['input'];

...mysql_query("UPDATE table SET table='{$var}' WHERE....

 

 

I tried inputing things like  x" WHERE  and """"""" ''''' '''"""etc.. int the form and it had no mysql errors. It just inserted it into the database like that.  :P

 

So does this have something to do with Magic quotes?

Link to comment
https://forums.phpfreaks.com/topic/177907-is-this-magic-quotes-doing-this/
Share on other sites
cags Member

cags

Posted
Posted

Your question seems a little vague. You say it just inserted into your database? As that is an UPDATE query not an INSERT statement I'm not sure what your getting at as your example injection attempt is blanked out.

 

Have you checked if your server has magic quotes enabled either in the php.ini or using get_magic_quotes_gpc? If they are enabled then this should prevent any SQL injection.

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.