Friday 13 October 2017

php - SQL injection that gets around mysql_real_escape_string()

Is there an SQL injection possibility even when using the mysql_real_escape_string() function?



Consider this sample situation. SQL is constructed in PHP like this:



$login = mysql_real_escape_string(GetFromPost('login'));
$password = mysql_real_escape_string(GetFromPost('password'));

$sql = "SELECT * FROM table WHERE login='$login' AND password='$password'";



I have heard numerous people say to me that code like that is still dangerous and possible to hack even with the mysql_real_escape_string() function used. But I cannot think of any possible exploit.



Classic injections like this:

aaa' OR 1=1 --

do not work.




Do you know of any possible injection that would get through the PHP code above?



Answer




Consider the following query:

$iId = mysql_real_escape_string("1 OR 1=1");
$sSql = "SELECT * FROM table WHERE id = $iId";


mysql_real_escape_string() will not protect you against this. The fact that you use single quotes (' ') around your variables inside your query is what protects you against this. The following is also an option:




$iId = (int)"1 OR 1=1";
$sSql = "SELECT * FROM table WHERE id = $iId";
