Pancake Posted January 15, 2008

Is it just me, or is there nothing wrong with inserting $_POST and $_GET variables into SQL queries? I've seen a lot of:

    mysql_query("SELECT * FROM users WHERE username='" . $_POST['username'] . "'");

because can't a user send along:

    foo' OR 1=1 --

It seems like we are teaching new people to rely on Magic_quotes.
KrisNz Posted January 15, 2008

If you're asking if it's OK to do that, then no, it's not. Haven't you answered your own question on this one?
kickassamd Posted January 15, 2008

I recommend that you use addslashes() or mysql_real_escape_string().
teng84 Posted January 15, 2008

I guess putting the '' on your condition makes that a bit safe: if ever the user inputs wrong data it will give them an error and stop the query, so your OR 1=1 will not affect your query, it will just treat OR 1=1 as a string. But if you don't put '' it would be very unsafe; I can even delete your table or DB.

Edited: I don't recommend using GET or POST directly; it is still better to filter your variable before processing.
Pancake Posted January 15, 2008 (Author)

I know how to escape them. I probably was not conveying my point very clearly. Lately, I've seen newer people post code that uses $_POST directly in their SQL statements, and I've seen almost nobody point it out.

Anyway, best method (I think):

    function escapeString($str) {
        // Undo the backslashes magic_quotes_gpc adds automatically, so the value is not escaped twice
        if (get_magic_quotes_gpc())
            $str = stripslashes($str);
        return mysql_real_escape_string($str);
    }
Pancake Posted January 15, 2008 (Author)

Examples
- http://www.phpfreaks.com/forums/index.php/topic,177199.0.html
- http://www.phpfreaks.com/forums/index.php/topic,177132.0.html (I'm assuming cpg_db_query doesn't auto-escape queries?)
trq Posted January 15, 2008

Personally, I get a bit tired of pointing it out. Most people won't listen anyway; it's the same as telling people they should check their queries succeeded prior to attempting to use the results. Most newcomers just want to get the thing working; they don't care how reliable/safe it's going to be.
Pancake Posted January 15, 2008 (Author)

Ahh.. you have a good point there.. I've only been on this forum for so long.
EchoFool Posted January 15, 2008

> Is it just me, or is there nothing wrong with inserting $_POST and $_GET variables into SQL queries? I've seen a lot of:
>
>     mysql_query("SELECT * FROM users WHERE username='" . $_POST['username'] . "'");
>
> because can't a user send along:
>
>     foo' OR 1=1 --
>
> It seems like we are teaching new people to rely on Magic_quotes.

I have done it ... but you have to do:

    {$_POST['username']}

That's what I did and it worked.
Pancake Posted January 15, 2008 (Author)

    "INSERT INTO ... WHERE username='" . $_POST['username'] . "'"

is the same as

    "INSERT INTO ... WHERE username='{$_POST['username']}'"
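An added example, not code from the thread, that puts the concatenated query from the first post (interpolation with {$_POST[...]} builds the identical string) beside a parameterised version and beside driver-side escaping, run in PHP against an in-memory SQLite database through PDO so no MySQL server is needed. The users table, its rows and the variable names are assumptions for the demo; the mysql_* functions used in the thread were removed in PHP 7, and PDO::quote() stands in for mysql_real_escape_string().

```php
<?php
// Added example (not from the thread). Table, rows and names are constructed for the demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)");
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// The input from the first post: a name that does not exist, followed by a quote
// that closes the string literal and a comment marker that hides the rest of the SQL.
$input = "foo' OR 1=1 --";

// 1. Untrusted input spliced into the SQL text: the pattern the thread criticises.
//    "... username='{$input}'" would produce exactly the same string.
$sql = "SELECT username FROM users WHERE username='" . $input . "'";
$unsafe = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
// $unsafe now holds every user: the WHERE clause became  username='foo' OR 1=1 --'

// 2. Same query with a bound parameter: the driver keeps the input as data, so the
//    quote and comment characters are just characters inside a string value.
$stmt = $pdo->prepare("SELECT username FROM users WHERE username = :name");
$stmt->execute([':name' => $input]);
$safe = $stmt->fetchAll(PDO::FETCH_COLUMN);
// $safe is empty: no user is literally named  foo' OR 1=1 --

// 3. Escaping, the approach discussed in the thread, done by the driver's own quoting
//    routine. Note that PDO::quote() returns the value already wrapped in quotes.
$sqlEscaped = "SELECT username FROM users WHERE username=" . $pdo->quote($input);
$escaped = $pdo->query($sqlEscaped)->fetchAll(PDO::FETCH_COLUMN);
// $escaped is empty as well; the single quote in the input was doubled to ''

printf("concatenated: %d rows, bound parameter: %d rows, escaped: %d rows\n",
       count($unsafe), count($safe), count($escaped));
```

The bound-parameter form also removes the magic_quotes_gpc / stripslashes dance from Pancake's helper, because the value is never part of the SQL text at all.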