resting, posted October 19, 2009

I seem to remember I'd read somewhere that we should escape all user input to prevent SQL injections. I did a test, but found no difference to it. The query:

$query = "SELECT * FROM login WHERE username = '$username' AND password = '$password'";

Top portion shows the unescaped results. Bottom the escaped results. Both queries returned results. Any example to show what good mysql_real_escape_string can do?
Alex, posted October 19, 2009

On the first example without mysql_real_escape_string you could easily enter ' or 1=1, which would make the query select rows where the username and password are correct OR where 1=1 (which is everywhere, because it's always true). The second example where you're using mysql_real_escape_string, instead of or 1=1 actually being processed it's included in the value for password. So in this case it's password='1 or 1=1'.
Stephen, posted October 20, 2009

I think the injection would not have been "1' OR '1=1", but rather:

1' OR '1'='1

Resulting in an unescaped result of:

SELECT * FROM login WHERE username = '1' AND password = '1' OR '1'='1'

Escaped:

SELECT * FROM login WHERE username = '1' AND password = '1\' OR \'1\'=\'1'

Try your example again with:
username: a username that works (I guess you used "1" before)
password: 1' OR '1'='1
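Added example (not from any poster in this thread): it rebuilds the two query strings Stephen shows, once by plain interpolation and once through a re-implementation of the character set mysql_real_escape_string escapes, and then runs the login check against a constructed two-row SQLite table both as an interpolated query and as a parameterized one. SQLite does not use MySQL's backslash escaping, so the escaped form is only shown as a string; the row counts come from the unescaped and the parameterized versions.

```python
import sqlite3

# Constructed sample data: two accounts, like the two rows the original poster had.
ROWS = [("1", "secret"), ("alice", "hunter2")]

# Characters mysql_real_escape_string escapes (NUL, \n, \r, \, ', ", Ctrl-Z).
# This is a re-implementation for illustration, not the real MySQL client call.
_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
            "'": "\\'", '"': '\\"', "\x1a": "\\Z"}


def mysql_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_query(username: str, password: str, escape: bool) -> str:
    """Build the thread's login query by string interpolation, escaped or not."""
    if escape:
        username, password = mysql_escape(username), mysql_escape(password)
    return f"SELECT * FROM login WHERE username = '{username}' AND password = '{password}'"


def _connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO login VALUES (?, ?)", ROWS)
    return conn


def count_unescaped(username: str, password: str) -> int:
    """Row count from the unescaped interpolated query: the quote in the
    input ends the literal, so the OR clause becomes part of the WHERE."""
    conn = _connect()
    return len(conn.execute(build_query(username, password, escape=False)).fetchall())


def count_parameterized(username: str, password: str) -> int:
    """Row count with placeholders: the driver sends the password as a value,
    so the quote never reaches the SQL parser and no escaping is needed."""
    conn = _connect()
    sql = "SELECT * FROM login WHERE username = ? AND password = ?"
    return len(conn.execute(sql, (username, password)).fetchall())
```

Parameterized queries (mysqli or PDO prepared statements in PHP) are the standard fix; escaping only works if it is applied consistently and matches the connection's character set.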
resting (author), posted October 21, 2009

This is the result if I used 1' or '1' = '1

The escaped query passed and still found 2 records (which is all I entered for the database). I pasted the exact escaped query into MySQL Query Browser. Strange thing is, it didn't manage to find any rows.
Bricktop, posted October 21, 2009

Hi resting,

Have a look at Daniel's excellent PHP Security Tutorial for a comprehensive guide on this.

Hope this helps.