php_guest Posted July 8, 2010 Share Posted July 8, 2010 I am wondering if I need to use mysql_real_escape_string in SELECT sentences or is this needed only in INSERT and UPDATE sentences? Do I need to be carefull in search form where only select sentences are used? Link to comment https://forums.phpfreaks.com/topic/207158-do-i-need-to-use-mysql_real_escape_string-in-select-queries/ Share on other sites More sharing options...
fenway Posted July 8, 2010 Share Posted July 8, 2010 Always. Link to comment https://forums.phpfreaks.com/topic/207158-do-i-need-to-use-mysql_real_escape_string-in-select-queries/#findComment-1083159 Share on other sites More sharing options...
Mchl Posted July 8, 2010 Share Posted July 8, 2010 Suppose you have a query to check for user login <?php $query = "SELECT ID FROM users WHERE username = '{$_POST['username']}' AND password = MD5('{$_POST['password']}')"; $result = mysql_query[$query]; if(mysql_num_rows($result) > 0) { //do login stuff echo "You're now logged in"; } else { echo "Login incorrect, try again."; } Now let's say I use the login form to send a username like this: foo' OR 1; -- So the query sent to database will look like this: SELECT ID FROM users WHERE username = 'foo' OR 1;--' AND password = MD5('') (-- starts a comment in MySQL, just like // starts comment in PHP - everything after -- is ignored by database) This will in turn return all rows from users table, so mysql_num_rows() will return a number larger than 0 and the login will be successful Link to comment https://forums.phpfreaks.com/topic/207158-do-i-need-to-use-mysql_real_escape_string-in-select-queries/#findComment-1083161 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.