Is it just me, or is there nothing wrong with inserting $_POST and $_GET variables into SQL queries? I've seen a lot of:

mysql_query("SELECT * FROM users WHERE username='" . $_POST['username'] ."'");

 

because can't a user send along:

foo' OR 1=1 --

 

It seems like we are teaching new people to rely on Magic_quotes  :(

https://forums.phpfreaks.com/topic/86044-sql-injections/

I guess putting the '' on your condition makes that a bit safe.

If ever the user inputs wrong data it will give them an error and stop the query.

So your or 1=1 will not affect your query; it will just treat or 1=1 as a string.

But if you don't put '' it would be very unsafe; I could even delete your table or DB.

Edited: I don't recommend using GET or POST directly; it is still better to filter your variable before processing.

 


I know how to escape them. I probably was not conveying my point very clearly.

 

Lately, I've seen newer people post code that uses $_POST directly in their SQL statements, and I've seen almost nobody point it out.

 

Anyway, best method (I think):

// Strips the slashes that magic_quotes_gpc adds (when it is on) so the value
// is not escaped twice, then escapes it for the open MySQL connection.
function escapeString($str) {
    if(get_magic_quotes_gpc())
        $str = stripslashes($str);

    return mysql_real_escape_string($str);
}

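An added example, not code posted in this thread: the concatenation from the first post beside an escapeString() rewritten on PDO (get_magic_quotes_gpc() and ext/mysql no longer exist in current PHP) and a prepared statement, which is the form to prefer. The DSN, credentials and the `users` table columns are assumptions.

```php
<?php
// Added example for this thread, not code posted by anyone in it. Assumes
// PHP 7.4+ with PDO and the MySQL driver, and a `users` table with `id` and
// `username` columns; DSN and credentials are placeholders.

// The input from the first post, embedded here as constructed sample data.
$input = "foo' OR 1=1 --";

// 1. The pattern the thread complains about. The SQL is only built, not run,
//    to show what reaches the server: the attacker's quote ends the literal,
//    so "OR 1=1" becomes part of the WHERE clause. Wrapping the value in ''
//    is exactly what makes that possible; it is not a protection.
function buildUnsafeSql(string $username): string {
    return "SELECT * FROM users WHERE username='" . $username . "'";
}

// 2. The thread's escapeString() brought up to date: magic_quotes_gpc is gone
//    (removed in PHP 5.4, get_magic_quotes_gpc() itself in 8.0) and so is
//    ext/mysql (removed in 7.0), so the connection's own escaper is used.
//    PDO::quote() escapes according to the connection charset and adds the
//    surrounding quotes itself, so the caller must not add its own.
function escapeString(PDO $pdo, string $str): string {
    $quoted = $pdo->quote($str);
    if ($quoted === false) {
        throw new RuntimeException('driver does not support quoting');
    }
    return $quoted;
}

// 3. Preferred: a prepared statement. The value is sent separately from the
//    SQL text, so nothing inside it can ever be read as syntax.
function findUser(PDO $pdo, string $username): ?array {
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, not client-side quoting
]);

echo buildUnsafeSql($input), "\n";                                             // unsafe
echo 'SELECT * FROM users WHERE username=' . escapeString($pdo, $input), "\n"; // escaped
findUser($pdo, $input); // matches only a user literally named "foo' OR 1=1 --"
```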

Personally, I get a bit tired of pointing it out. Most people won't listen anyway; it's the same as telling people they should check their queries succeeded prior to attempting to use the results. Most newcomers just want to get the thing working, they don't care how reliable/safe it's going to be.


Is it just me, or is there nothing wrong with inserting $_POST and $_GET variables into SQL queries? I've seen a lot of:

mysql_query("SELECT * FROM users WHERE username='" . $_POST['username'] ."'");

 

because can't a user send along:

foo' OR 1=1 --

 

It seems like we are teaching new people to rely on Magic_quotes  :(

 

I have done it ... but you have to do:

{$_POST['username']}, that's what I did and it worked.
