hassank1 Posted March 25, 2008

Is SQL injection possible in $_GET?

obsidian Posted March 25, 2008

SQL injection is possible any time you are using unsanitized user input in a query. Whether that comes from $_GET, $_POST or something else entirely is up to you and your script. As to whether it is possible in $_GET: yes, if you are using $_GET variables directly in a query without cleaning them up.

moon 111 Posted March 25, 2008

SQL injection has nothing to do with POST or GET. What it means is that if you have some code like:

<?php
mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'".
            " AND password = '" . $_POST['password']."'");
?>

Someone can insert into username and password something like ' or 1=1-- which would turn the query into:

<?php
mysql_query("SELECT * FROM users WHERE username = '' OR 1=1--'".
            " AND password = '' OR 1=1--'");
?>

which will probably log him in as the first user.

derrick1123 Posted March 25, 2008

How could you stop this ???

obsidian Posted March 25, 2008

> How could you stop this ???

You just need to properly sanitize your user input. For instance, if you are expecting a username to be 20 characters containing alphanumeric characters with dashes and underscores, you can just match it against a regular expression like /^[\da-z-_]{6,20}$/ before you throw it into your query. If you do need to allow for characters that could be used for SQL injection attempts, just be sure to properly escape the variables using mysql_real_escape_string(). That's a great start, at least.

discomatt Posted March 25, 2008

Using mysql_real_escape_string is usually a sure-fire way of sanitizing user data before dropping it into your table. The only known vulnerability is if your script is changing the character set of the table on the fly. This is extremely rare, though, and I wouldn't be worried about it.

A more secure way, as stated by obsidian, is to use regex to filter all unwanted characters out of the input string. This is a much more tedious, careful, and secure approach, but it is also very time-consuming and for the most part, unnecessary.

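Added example, not part of any post in this thread: the concatenated login query from moon 111's post next to a version that applies obsidian's whitelist pattern and then escapes both values. It assumes PHP with the pdo_sqlite extension; the table, the sample row and the function names are constructed, and PDO::quote() stands in for mysql_real_escape_string(), which was removed together with ext/mysql in PHP 7.

```php
<?php
// Added example with constructed data. An in-memory SQLite database (assumption:
// pdo_sqlite is available) keeps it runnable offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (username TEXT, password TEXT)");
$pdo->exec("INSERT INTO users VALUES ('admin_01', 'constructed-secret')");

// The pattern from the thread: user input concatenated straight into the query.
// Returns the number of matching rows.
function login_concat(PDO $pdo, string $user, string $pass): int
{
    $sql = "SELECT * FROM users WHERE username = '" . $user . "'"
         . " AND password = '" . $pass . "'";
    return count($pdo->query($sql)->fetchAll());
}

// Whitelist the username with the pattern quoted in the thread, then escape
// every value before it reaches the query string.
function login_checked(PDO $pdo, string $user, string $pass): int
{
    if (!preg_match('/^[\da-z-_]{6,20}$/', $user)) {
        return 0; // not in the expected username format: never reaches the database
    }
    // PDO::quote() adds the surrounding quotes and escapes quotes inside the
    // value (stand-in for mysql_real_escape_string()).
    $sql = "SELECT * FROM users WHERE username = " . $pdo->quote($user)
         . " AND password = " . $pdo->quote($pass);
    return count($pdo->query($sql)->fetchAll());
}

$payload = "' OR 1=1--"; // the input quoted in moon 111's post

// Concatenated query: the quote in the input closes the string literal early.
echo "concat,  payload in both fields:  ", login_concat($pdo, $payload, $payload), " row(s)\n";
// Checked query: the payload fails the username whitelist.
echo "checked, payload in both fields:  ", login_checked($pdo, $payload, $payload), " row(s)\n";
// Checked query: valid username, payload as password is compared as plain data.
echo "checked, payload as password:     ", login_checked($pdo, 'admin_01', $payload), " row(s)\n";
// Checked query: the real credentials still work.
echo "checked, correct credentials:     ", login_checked($pdo, 'admin_01', 'constructed-secret'), " row(s)\n";
```
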
This topic is now archived and is closed to further replies.