SQL injection

03-01-2008, 11:35 PM
I want to ensure that my scripts are safe against SQL injection, and I've read techniques, but I'm confused because even without using any security measures, I can't get injection to work in testing.

For example, on one form I ask for a username and do a search for it:

$query = "SELECT id FROM users WHERE name='" . strtolower($userinfo['name']) . "'"; // user input concatenated straight into the SQL text
$result = mysql_query($query);
if (!$result){
    //echo debug info
}

So I enter this as a username:

a'; delete from delme where a='22

The query doesn't execute and triggers the debug info, which is as follows:

Could not run name check
Magic quotes is disabled

query is:
SELECT id FROM users WHERE name='a'; delete from delme where a='22'

username was:
a'; delete from delme where a='22

you have an error in your sql syntax; check the manual that corresponds to your mysql server version for the right syntax to use near '; delete from delme where a='22'' at line 1

If I copy and paste that query, as listed above, MySQL will run it and delete the row. So why doesn't this injection work?
I'm trying to understand what's going on and if I need to escape data at all.

03-01-2008, 11:37 PM
$query = "SELECT id FROM users WHERE name='" . mysql_real_escape_string(strtolower($userinfo['name'])) . "'"; // escape the value before it goes into the string
$result = mysql_query($query) or die(mysql_error());
Try that.

03-02-2008, 01:00 AM
The PHP mysql client does not permit multiple queries separated with a semicolon; however, MySQL itself does. So, the specific example you are trying will delete the information, but attempting to run it through PHP won't.
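The lookup from the first post rewritten with a prepared statement, as an added example that is not code from anyone in this thread. It assumes a PDO connection; the DSN, credentials and the users/name/id names are placeholders. The point it shows: the username travels to MySQL as a bound parameter, separate from the SQL text, so the client refusing stacked queries is never what stands between the input and the database.

```php
<?php
// Added example (not from the thread). The username is bound as a parameter,
// so it is never parsed as SQL regardless of what quotes it contains and
// regardless of whether the client accepts multiple statements.
// Placeholders below: DSN, credentials, and the users/name/id identifiers.

function findUserIdByName(PDO $db, string $name): ?int
{
    // The SQL text is fixed; :name is filled in server-side by MySQL.
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->bindValue(':name', strtolower($name), PDO::PARAM_STR);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['id'];
}

$db = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [
        // Throw on errors instead of silently returning false.
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepares rather than client-side quoting,
        // so the parameter never touches the SQL string at all.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// The same input the original poster typed into the form: with a bound
// parameter it is simply a string to compare against the name column.
$id = findUserIdByName($db, "a'; delete from delme where a='22");
var_dump($id);
```

The same applies to the single-statement case: an input built around a quote and OR, which the escaped-string version in the previous reply also handles, is matched literally here rather than changing the WHERE clause.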

03-02-2008, 03:08 AM
OK, thanks guys. That explains it.