php_novice2007 Posted September 15, 2007

Hi,

Does a MySQL injection attack only occur when the user is allowed to type something in which is used as part of a query? What about forms where the user can only select from radio buttons/checkboxes/drop down lists.. They can't really do the multiple SQL thing can they?

Thanks~!

Link to comment: https://forums.phpfreaks.com/topic/69450-question-about-mysql-injection/
chocopi Posted September 15, 2007

They shouldn't be able to on the likes of radio boxes unless you were to use GET, in which case they could just change the URL, e.g.:

You want: http://www.yoursite.com/page.php?radio=hello

They could do: http://www.yoursite.com/page.php?radio=somesqlinjection

~ Chocopi
php_novice2007 Posted September 15, 2007

so therefore if I only use $POST and no $GET at all then I should be fine?
rarebit Posted September 15, 2007

Anything which is sent to the server can be bogus, e.g. any form data whether GET or POST, even cookie data...
dsfsdfsdfsdf Posted September 15, 2007

Combo/radio/whatever boxes are just as susceptible as text fields.
php_novice2007 Posted September 16, 2007

So if I add slashes to everything I'll be ok?
rarebit Posted September 16, 2007

You're best using 'mysql_real_escape_string()'...

See: http://uk3.php.net/manual/en/function.mysql-real-escape-string.php

But as someone pointed out earlier, the '`' character is not removed but throws an error. So I've now put the following before the escape check:

```php
function get_REQUEST($name)
{
    $sret = "";
    if (isset($_REQUEST[$name])) {
        $sret = $_REQUEST[$name];
        $sret = str_replace("`","'", $sret);
        $sret = mysql_real_escape_string($sret); // check for injection attacks
    }
    return $sret;
}
```
php_novice2007 Posted September 16, 2007

Hi,

I've got something like this, is that the same as what you've got?

```php
$userid = $_POST['login'];
$passWord = $_POST['password'];
require("databaseInfo.php");
$dbtable = "users";
$link = mysql_connect("localhost", $username, $password) or die("Cannot connect to database");
// select database
@mysql_select_db($database) or die("Unable to select database");
if (get_magic_quotes_gpc()) {
    $userid = stripslashes($userid);
    $passWord = stripslashes($passWord);
}
$query = sprintf("SELECT * FROM %s WHERE user_id = '%s'", $dbtable, mysql_real_escape_string($userid, $link));
$result = mysql_query($query, $link) or die("Unable to load selected table");
```

I think I copied the code from somewhere so not really sure what the magic_quotes_gpc do.. Do I still need your code to replace " ` " with " ' "?

Thanks!
php_novice2007 Posted September 16, 2007

By the way, if I have this code to stop SQL injection, does that mean a user name or password can't contain ` or ' s?
chocopi Posted September 17, 2007

No, it can, but the characters are escaped, so in the case of ' it will become \'

So I'm guessing you know that with the backslash being there the ' will be seen as a literal character and not a special one.

Also, can backticks actually be used for SQL injection ???

And wouldn't it be better to use this:

```php
function get_REQUEST($name)
{
    $sret = "";
    if (isset($_REQUEST[$name])) {
        $sret = $_REQUEST[$name];
        $sret = str_replace("`","\`", $sret);
        $sret = mysql_real_escape_string($sret); // check for injection attacks
    }
    return $sret;
}
```

That way you are escaping the backtick without changing its value.

~ Chocopi
rarebit Posted September 17, 2007

You're right, there was a post saying that it gave an error, however I've just tested on console and it's fine...
scottybwoy Posted September 17, 2007

You could just use this:

```php
<?php
function escape_string($val)
{
    $val = str_replace("`", "\`", $val);
    $val = mysql_real_escape_string($val); // check for injection attacks
    return $val;
}
?>
```

And use that instead of mysql_real_escape_string.

Have fun
nathanmaxsonadil Posted September 17, 2007

> so therefore if I only use $POST and no $GET at all then I should be fine?

no because someone can use something like firebug...
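
The points raised across this thread (radio and select values can be forged whether sent by GET or POST, and names may still contain ' or `), shown as an added example that is not code from any poster. It uses PDO prepared statements in place of the thread's mysql_real_escape_string(); the in-memory SQLite database, the table layout and the plan list are assumptions made so that it runs stand-alone.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ with PDO and
// pdo_sqlite; the users table and $allowedPlans are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user_id TEXT PRIMARY KEY, plan TEXT NOT NULL)');

// Values the form's radio buttons offer. The browser is not trusted to
// stick to them, so the server checks every submission against this list.
$allowedPlans = ['free', 'basic', 'pro'];

function saveUser(PDO $pdo, array $allowedPlans, array $post): bool
{
    $userId = isset($post['login']) && is_string($post['login']) ? $post['login'] : '';
    $plan   = isset($post['plan']) && is_string($post['plan']) ? $post['plan'] : '';

    // Reject anything that is not exactly one of the offered radio values.
    if ($userId === '' || !in_array($plan, $allowedPlans, true)) {
        return false;
    }
    // Placeholders keep the data out of the SQL text, so quotes and
    // backticks in $userId need no escaping and are stored unchanged.
    $stmt = $pdo->prepare('INSERT INTO users (user_id, plan) VALUES (:id, :plan)');
    return $stmt->execute([':id' => $userId, ':plan' => $plan]);
}

function findUser(PDO $pdo, string $userId): ?array
{
    $stmt = $pdo->prepare('SELECT user_id, plan FROM users WHERE user_id = :id');
    $stmt->execute([':id' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample submissions, standing in for $_POST.
$normal = ['login' => "o'brien`x", 'plan' => 'pro'];
$forged = ['login' => 'someone', 'plan' => "pro' extra"]; // not a radio value

var_dump(saveUser($pdo, $allowedPlans, $normal)); // accepted and stored
var_dump(saveUser($pdo, $allowedPlans, $forged)); // rejected by the allow-list
var_dump(findUser($pdo, "o'brien`x"));            // name comes back intact
var_dump(findUser($pdo, "nobody' x"));            // treated as data, no match
```

The same prepare/execute calls work against MySQL by changing only the PDO connection string.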