Jump to content

Recommended Posts

No, I just wanted to make sure before I do run it because I will make the change on a live site.

 

Just make sure you are sanitizing the variable input, and you should be fine. As it is, though, unless you're cleaning those variables, you'll be open to SQL injection.

Link to comment
https://forums.phpfreaks.com/topic/76424-solved-mysql-syntax/#findComment-387025
Share on other sites

Can you explain that a little more in depth, when you say "sanitizing" & "cleaning"?

 

There are some threads here in the forums that can probably explain more in-depth than I have time for right now, but let's use the following example to show you what I mean:

 

Here is your current query:

SELECT * FROM subscribers WHERE (ResponderID = '$Responder_ID' OR ResponderID = '0')  AND EmailAddress = '$Email_Address'

 

You are obviously expecting to have a numeric entry for ResponderID, but if I were to try to do a SQL injection, I could provide you with the following string for my $Responder_ID variable:

0' OR 1=1); --

 

Now, if you're familiar with SQL syntax, you recognize the "--" as a comment, so your query all of a sudden looks like this:

SELECT * FROM subscribers WHERE (ResponderID = '0' OR 1=1) -- ' OR ResponderID = '0')  AND EmailAddress = '$Email_Address'

 

Notice that I've commented out the remainder of your query, so what is executed is actually everything up to the comment, effectively returning me the first user record in the database, which is often the admin account. This is a very common SQL injection technique, and it can be avoided quite easily by simply sanitizing you input by escaping all characters that shouldn't be there. You can either white list your acceptable values for your variables, or if it's a string entry, you can just use mysql_real_escape_string() to escape the quote I entered or any other dangerous characters:

 

<?php
$Responder_ID = mysql_real_escape_string($Responder_ID);
$Email_Address = mysql_real_escape_string($Email_Address);

mysql_query("SELECT * FROM subscribers WHERE (ResponderID = '$Responder_ID' OR ResponderID = '0')  AND EmailAddress = '$Email_Address'");
?>

 

Hope this helps in getting you on the right track to a safer site!

Link to comment
https://forums.phpfreaks.com/topic/76424-solved-mysql-syntax/#findComment-387048
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.