Is there an SQL injection possibility even when using the mysql_real_escape_string() function?
Consider this sample situation. SQL is constructed in PHP like this:

    $login = mysql_real_escape_string(GetFromPost('login'));
    $password = mysql_real_escape_string(GetFromPost('password'));
    $sql = "SELECT * FROM table WHERE login='$login' AND password='$password'";

I have heard numerous people say to me that code like that is still dangerous and possible to hack even with the mysql_real_escape_string() function used. But I cannot think of any possible exploit.

Classic injections like this:

    aaa' OR 1=1 --

do not work.

Do you know of any possible injection that would get through the PHP code above?
Answer
Consider the following query:

    $iId = mysql_real_escape_string("1 OR 1=1");
    $sSql = "SELECT * FROM table WHERE id = $iId";

mysql_real_escape_string() will not protect you against this. The fact that you use single quotes (' ') around your variables inside your query is what protects you against this. The following is also an option:

    $iId = (int)"1 OR 1=1";
    $sSql = "SELECT * FROM table WHERE id = $iId";