
SQL injection



gnznroses
03-01-2008, 10:35 PM
I want to ensure that my scripts are safe against SQL injection, and I've read techniques, but I'm confused because even without using any security measures, I can't get injection to work in testing.

For example, on one form I ask for a username and do a search for it:



// the username is concatenated straight into the SQL text
$query = "SELECT id FROM users WHERE name='" . strtolower($userinfo['name']) . "'";
$result = mysql_query($query);
if (!$result) {
    // echo debug info
}

So I enter this as a username:


a'; delete from delme where a='22

The query doesn't execute and triggers the debug info, which is as follows:



Could not run name check
Magic quotes is disabled

query is:
SELECT id FROM users WHERE name='a'; delete from delme where a='22'

username was:
a'; delete from delme where a='22

you have an error in your sql syntax; check the manual that corresponds to your mysql server version for the right syntax to use near '; delete from delme where a='22'' at line 1


If I copy and paste that query, as listed above, MySQL will run it and delete the row. So why doesn't this injection work?
I'm trying to understand what's going on and whether I need to escape data at all.

_Aerospace_Eng_
03-01-2008, 10:37 PM
$query = "SELECT id FROM users WHERE name='" . mysql_real_escape_string(strtolower($userinfo['name'])) . "'";
$result = mysql_query($query) or die(mysql_error());
Try that.

CFMaBiSmAd
03-02-2008, 12:00 AM
The PHP mysql client does not permit multiple queries separated with a semicolon; however, MySQL itself does. So the specific example you are trying will delete the information, but attempting to run it through PHP won't.

gnznroses
03-02-2008, 02:08 AM
OK, thanks guys. That explains it.
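The two replies above make separate points: the driver refusing a second statement after a semicolon (CFMaBiSmAd), and the need to escape or parameterize the value anyway (_Aerospace_Eng_). The following is an added example, not code from the thread, that shows both in Python's built-in sqlite3 module, whose execute() refuses stacked statements the same way mysql_query() does. The users and delme tables and their rows are constructed for this example; lookup_concat builds the query by concatenation like the original $query, and lookup_param is the parameterized replacement (the modern equivalent of the escaping in the second reply).

```python
import sqlite3


def make_db():
    """Throwaway in-memory database mirroring the thread's tables.
    Table names and rows are constructed for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE delme (a TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.execute("INSERT INTO delme (a) VALUES ('22')")
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """Vulnerable: the query is built by string concatenation, exactly like
    the original $query, so whatever is in `name` becomes part of the SQL."""
    query = "SELECT id FROM users WHERE name='" + name.lower() + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_param(conn, name):
    """Fixed: the driver sends the value separately from the SQL text, so it
    is only ever compared against the name column, never parsed as SQL."""
    cur = conn.execute("SELECT id FROM users WHERE name=?", (name.lower(),))
    return [row[0] for row in cur]


def delme_rows(conn):
    """How many rows survive in delme (used to confirm nothing was deleted)."""
    return conn.execute("SELECT COUNT(*) FROM delme").fetchone()[0]


def stacked_statement_rejected(conn, name):
    """True if the driver refused the concatenated query because it held more
    than one statement. This is what the thread observed with mysql_query():
    a driver limitation, not a security control."""
    try:
        lookup_concat(conn, name)
    except (sqlite3.Warning, sqlite3.Error):
        # Python < 3.12 raises sqlite3.Warning here, 3.12+ sqlite3.ProgrammingError
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    thread_input = "a'; delete from delme where a='22"   # the input from the first post
    print("stacked statement rejected:", stacked_statement_rejected(conn, thread_input))
    print("delme rows still present:", delme_rows(conn))
    # A single-statement input needs no second query, so the driver does not
    # stop it: the concatenated query returns every user, the parameterized
    # query returns nothing because no user has that literal name.
    single = "x' OR '1'='1"
    print("concat:", lookup_concat(conn, single))
    print("param :", lookup_param(conn, single))
```

The second half is the point the thread stops short of: the semicolon test failing only shows that mysql_query() sends one statement at a time, not that the concatenated query is safe. Any input that stays within a single statement is still interpreted as SQL, and only escaping (the second reply) or, better, a parameterized query removes that.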


