Jump to content

I've seen enough SQL injections...


zeeman48

Recommended Posts

@$db = mysqli_connect('localhost', 'root', 'root', 'blog');

$query = "SELECT * FROM entries WHERE title = '".$_GET['query']."';";
$result = mysqli_query($db, $query);

 

If I visited that page via this url:

script.php?query=blah' OR '1

 

That would make query look like this:

$query = "SELECT * FROM entries WHERE title = 'blah' OR '1';";

 

Of course, that's just a super simple example, but you could easily attack other parts of the DB and get user info.

 

No, but it's the most common/simplistic example of why you should always escape any string data that you'll use in a query.  Escaping nullifies the ' characters that Philip used in his example, which would result in a bad query and no results for the attacker to poach.

No, but it's the most common/simplistic example of why you should always escape any string data that you'll use in a query.

 

You should always sanitize any data that you use in a query, whether that means escaping or doing something else to sanitize the data.  Escaping won't help you if you're using user data in an unquoted part of the query (unquoted integer in a limit or order by, table name reference, etc).

No, but it's the most common/simplistic example of why you should always escape any string data that you'll use in a query.

 

You should always sanitize any data that you use in a query, whether that means escaping or doing something else to sanitize the data.  Escaping won't help you if you're using user data in an unquoted part of the query (unquoted integer in a limit or order by, table name reference, etc).

 

...obviously.  Since the example/joke is an incoming, unsanitized string, that's what I addressed.

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.