Jump to content

Recommended Posts

Hey all.

 

I'm building a new site right now and would like to test its vulnerability to injection, in stages. Would any of you more experienced users be interested in attempting to inject into my DB from forms on my site, in a controlled atmosphere?

 

Send me a private message if you'd like to help and I'll explain what stage I'm at, and what I aim to gain by doing the testing.

 

Any help appreciated,

Woolyg.

 

Link to comment
https://forums.phpfreaks.com/topic/69973-mysql-injection/
Share on other sites

Here's another bit of info I'd love to clear up:

 

I've got a PHP page that takes POST input from a form on a previous page. Code here:

 

<?php

$username1 = $_POST['username'];
$username = mysql_real_escape_string($username1);
$info_title1 = $_POST['info_title'];
$info_title = mysql_real_escape_string($info_title1);

extract($_POST);
function check_field1($info_title)
{
  if(!preg_match("/[^a-zA-Z0-9\.\-\Ä\ä\Ö\ö\Ü\ü\'\?\!\*\#\@\$\%\(\)\=\\\\
   ]+$/s",$info_title))
    return TRUE;
  else
    return FALSE;
}

$error=0; // check up variable

/* get it checking */

if(!check_field1($info_title))
{
  $error1 = "-- You have entered a disallowed character in the Info Title. Please try again. --<br>";
  $error++; // $error=$error+1;
}


//Enter data

if($error == 0){
$query = "INSERT INTO table (username, info_title) ".
"VALUES ('$username', '$info_title')";

mysql_query($query) or die('Error, query failed : ' . mysql_error()); 
} else {
echo "That didn't work";
}
?>

 

 

My question is as follows:

If I have allowed the apostrophe character and the backslash character from my preg_match definition, will the mysql_real_escape_string still work OK in preventing injection?

 

Thanks,

Woolyg.

Link to comment
https://forums.phpfreaks.com/topic/69973-mysql-injection/#findComment-352573
Share on other sites

There's nothing "wrong" with these characters, and you may or may not want to permit them for your own reasons.  But it has nothing to do with mysql, as long as you espape them, they are treated just like normal characters.  You can't tell someone whose last name is O'Brien to change their last name.

Link to comment
https://forums.phpfreaks.com/topic/69973-mysql-injection/#findComment-354037
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.