php_guest Posted July 8, 2010 Share Posted July 8, 2010 I am wondering if I need to use mysql_real_escape_string in SELECT sentences or is this needed only in INSERT and UPDATE sentences? Do I need to be carefull in search form where only select sentences are used? Quote Link to comment Share on other sites More sharing options...
fenway Posted July 8, 2010 Share Posted July 8, 2010 Always. Quote Link to comment Share on other sites More sharing options...
Mchl Posted July 8, 2010 Share Posted July 8, 2010 Suppose you have a query to check for user login <?php $query = "SELECT ID FROM users WHERE username = '{$_POST['username']}' AND password = MD5('{$_POST['password']}')"; $result = mysql_query[$query]; if(mysql_num_rows($result) > 0) { //do login stuff echo "You're now logged in"; } else { echo "Login incorrect, try again."; } Now let's say I use the login form to send a username like this: foo' OR 1; -- So the query sent to database will look like this: SELECT ID FROM users WHERE username = 'foo' OR 1;--' AND password = MD5('') (-- starts a comment in MySQL, just like // starts comment in PHP - everything after -- is ignored by database) This will in turn return all rows from users table, so mysql_num_rows() will return a number larger than 0 and the login will be successful Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.