possible to SQL Inject?

[bholzer]

$sql="INSERT INTO email (firstname, lastname, email)

VALUES

('$_POST[firstname]','$_POST[lastname]','$_POST')";

 

Im curious as to whether this query is possible to inject?

[trq]

Indeed it is. You have not validated your incoming data nor tried to protect it against any special characters being inserted.

[bholzer]

well, i tried to run some injection myself, and it seemed to be okay, ran quotes and single quotes and all sorts of conditional statements. What would it be vulnerable to?

[trq]

What would it be vulnerable to?

 

Any and all valid attacks. It has absolutely no protection at all (assuming magic_quotes_gpc is off, and even that offers little to no protection).

[bholzer]

What would it be vulnerable to?

 

Any and all valid attacks. It has absolutely no protection at all (assuming magic_quotes_gpc is off, and even that offers little to no protection).

 

It just seems to be posting any strings to the valid fields. Im trying to grasp the idea of security and injection and such. I just cant seem to do anything out of the ordinary!

[premiso]

You may want to read the tutorials located:

 

http://www.phpfreaks.com/tutorial/php-security

 

About PHP Security, if you are interested in it. No need for people to beat the topic to death as it has been covered (in that tutorial) and on this site many many many many many times.

[dpacmittal]

(assuming magic_quotes_gpc is off, and even that offers little to no protection).

 

I'd love to know more about this. I mean how'd you bypass magic_quotes?

 

@OP

I also this you have magic_quote_gpc on. Change its value to off in php.ini and then try the attacks again.

[bholzer]

 

 

I'd love to know more about this. I mean how'd you bypass magic_quotes?

 

@OP

I also this you have magic_quote_gpc on. Change its value to off in php.ini and then try the attacks again.

 

okay, im a total newbie, here, so im sorry, but youll have to bear with me, how do i setup php.ini, i havent set one up yet!