Thursday 14 June 2018

mysql real escape string - SQL injection attempt PHP 5.2.6




Using PHP 5.2.6 in XAMPP:
I read about SQL injections here and tried that with the following login form:













and PHP code:



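<?php
$user = $_POST['user'];
$pass = $_POST['pass'];
// The request values are placed into the SQL string exactly as received
$query = "Select * from users where user='$user' AND pass='$pass'";
echo $query;
mysql_connect('localhost','root','');

mysql_select_db('test');
$res = mysql_query($query);
// Initialise $row so the check below is defined even when the query fails
$row = false;
if($res) $row = mysql_fetch_assoc($res);
if($row) echo 'yes';
?>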


What I found out was, the $pass variable already had all the special characters escaped.
So, is there no need to use the mysql_real_escape_string in PHP 5.2.6 then?


Answer




It is likely your PHP server is configured to use Magic Quotes, a deprecated setting in PHP that automatically escapes all incoming data in a PHP script. It's deprecated and will be removed in PHP 6. Here are Zend's reasons for removing Magic Quotes.



It's better to not rely on 'magic' that makes many things work but breaks others. Explicitly escaping your input is more reliable and makes you design better code. For example, not all input needs to be escaped in the same way.
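
Added example (not part of the original question or answer): one way to handle input explicitly instead of depending on Magic Quotes. It undoes magic_quotes_gpc when the setting is active, binds the values as query parameters, and escapes separately for HTML output. Assumptions: PDO with an in-memory SQLite database stands in for the question's MySQL connection so the script runs without a server, and raw_value() and check_login() are hypothetical helper names.

```php
<?php
// Added example; not code from the original post.
// Assumption: PDO + in-memory SQLite replaces the question's MySQL connection.

// Undo magic_quotes_gpc so the script always starts from the raw value.
// The function was removed in PHP 8, hence the function_exists() guard.
function raw_value($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Bound parameters keep the data apart from the SQL text, so the result
// does not depend on any server-wide quoting setting.
function check_login(PDO $db, $user, $pass)
{
    $stmt = $db->prepare('SELECT user FROM users WHERE user = ? AND pass = ?');
    $stmt->execute(array($user, $pass));
    return $stmt->fetch(PDO::FETCH_ASSOC) !== false;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Table layout mirrors the question's query (plaintext pass column included).
$db->exec('CREATE TABLE users (user TEXT, pass TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'secret')"); // constructed row

// Constructed inputs standing in for $_POST['user'] and $_POST['pass'].
$attempts = array(
    array('alice', 'secret'),
    array('alice', "' OR '1'='1"),
    array("o'brien", 'x'),
);

foreach ($attempts as $attempt) {
    $user = raw_value($attempt[0]);
    $pass = raw_value($attempt[1]);
    $ok = check_login($db, $user, $pass);
    // HTML output is a different context and needs its own escaping.
    echo htmlspecialchars($user, ENT_QUOTES), ': ', ($ok ? 'yes' : 'no'), "\n";
}
```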

