Re: Filtering (was storing single and double quote in MySQL)

tedd wrote:
At 11:51 PM +0100 5/25/06, Chrome wrote:
[snip]
1. Anytime you put anything into a dB then use
mysql_real_escape_string() function. If you are NOT going to put it
in a dB, then you don't need mysql_real_escape_string() function --
understand?
[/snip]

Untrue... It isn't just inserting into a DB that requires this function...
Consider:

User enters:
anything'; DROP TABLE x; SELECT 'a' = 'a

into the form for username... Now your unescaped SQL statement reads:

UPDATE members SET status='live' WHERE Username = 'anything'; DROP TABLE x;
SELECT 'a' = 'a'

Where x can be a brute-forced table name... I can't remember if MySQL allows
multiple statements but I seem to remember hearing that MySQL5 does... If
I'm wrong correct me and tell me to RTFM :)

Nice catch on the error... I didn't notice that :)

HTH (and that I'm right :) )

Dan

Dan:

A couple of things: One, I'm not sure if afan understands multiple statements, so I didn't want to confuse him; Two, I don't use multiple statements because they confuse me. I'm much more of a step-by-step programmer.

Dan was giving you an example of a really bad sql injection attack where instead of one query:

select * from members where email='email_address';

you end up with three:

select * from members where email='anything';
DROP TABLE x;
SELECT 'a' = 'a';

The point being never trust user data - always escape it whether you're inserting, updating, deleting or selecting.

Using mysql_real_escape_string or your db's equivalent means it becomes only one query (which won't return any results, but stops your data from being destroyed).


Multiple statements means running multiple queries within the same function call:

so

mysql_query("select * from members where email='anything';
DROP TABLE x;
SELECT 'a' = 'a';");

is actually 3 sql statements (select, drop table, select), but only one call to mysql_query.

Whether mysql_query allows this to happen is another thing and one left to the readers to check.

--
Postgresql & php tutorials
http://www.designmagick.com/
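An added example, not from any of the posters above: a Python model of the injection Dan and Chris describe. escape_for_mysql() is an assumed simplified stand-in for PHP's mysql_real_escape_string() (same escape rules, but no connection or character-set handling), and count_statements() is a toy splitter used only to show how many statements the resulting string contains.

```python
# Added example: models the thread's injection in Python. escape_for_mysql()
# is a simplified stand-in for PHP's mysql_real_escape_string(), not the real
# function; count_statements() is a toy parser, not a MySQL parser.

# Constructed input: the "username" Dan typed in the thread.
PAYLOAD = "anything'; DROP TABLE x; SELECT 'a' = 'a"

# Characters mysql_real_escape_string() backslash-escapes.
_MYSQL_ESCAPES = {
    "\\": "\\\\", "'": "\\'", '"': '\\"',
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
}


def escape_for_mysql(value: str) -> str:
    """Backslash-escape the characters that would otherwise end or alter a string literal."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value)


def build_query(username: str, escape: bool) -> str:
    """Build the UPDATE from the thread; with escape=False this is the vulnerable form."""
    if escape:
        username = escape_for_mysql(username)
    return f"UPDATE members SET status='live' WHERE Username = '{username}'"


def count_statements(sql: str) -> int:
    """Count statements by splitting on ';' outside single-quoted strings (toy parser)."""
    count, in_quote, i = 1, False, 0
    while i < len(sql):
        ch = sql[i]
        if in_quote:
            if ch == "\\":
                i += 1                     # skip the escaped character
            elif ch == "'":
                in_quote = False
        elif ch == "'":
            in_quote = True
        elif ch == ";" and sql[i + 1:].strip():
            count += 1                     # another statement follows
        i += 1
    return count


if __name__ == "__main__":
    for escape in (False, True):
        q = build_query(PAYLOAD, escape)
        print(f"escaped={escape}: {count_statements(q)} statement(s) -> {q}")
```

With escaping the quote stays inside the string literal, so the whole payload becomes a (non-matching) username value and the DROP TABLE never becomes its own statement.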

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

