-
Hi,
I have read about many ways of doing SQL injection. Most of them are totally useless if user input is generally slashed with addslashes and quoted in single quotes.
Now my question is: do other characters like ; or -- or # or % get interpreted inside the quotes, or do they all fail, so the SQL query would be injection safe? If not, which characters/commands do I also have to filter to be on the safe side?
e.g. SELECT * FROM tablename WHERE fieldname='totally''usless--injection%tries%%#'
djot
PS: BBCode failed to (only) show the characters in bold :)
-
sql injection
% is interpreted as a special character only if you perform a [mysql_man]LIKE[/mysql_man] comparison. # and -- (as well as /* ) start a comment if encountered outside the quotes. AFAIR the semicolon (;) only has its special effect in the mysql command line client.
Instead of using addslashes I highly recommend you use [php_man]mysql_real_escape_string[/php_man] (to avoid encoding tricks).
Re "PS: BBCode failed to (only) show the characters in bold": you had an extra space within one of the tags.
-
Thanks for the answer (and sorry for the space in the BBCode).
Anyway, I don't understand why there are thousands of websites about SQL injection with a large number of stupid SQL examples containing things like 1=1, a=a, if 2 between 1 and 3 and things like that, when the solution is that simple: just mysql_real_escape_string the user input and put it between single quotes, tzztztzzz.
djot
-
kettle_drum
- DevNet Resident
- Posts: 1150
- Joined: Sun Jul 20, 2003 9:25 pm
- Location: West Yorkshire, England
To make things even easier for yourself, make your own function that you put all user input through, so you get into the habit of doing it; then if a new type of injection is discovered you can simply change your function to protect against it rather than having to change hundreds of calls to escape strings.
-
Yep, I have an extra class just for sanitizing and formatting the SQL statements to my needs. (Also for checking user input and e.g. removing HTML; but that is off topic here, I want to keep the topic SQL related only.)
*quoted from http://www.php.net/manual/en/function.m ... string.php
Note: If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice.
It's recommended to stripslashes first when register_globals is ON, but then you will screw up \n or \r\n, so I have a function to first ensure the returns stay intact.
djot
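To make the moderator's answer (which bytes can end a quoted literal, and why addslashes is vulnerable to "encoding tricks"), kettle_drum's advice to route all input through one function, and the manual's double-escaping note above concrete, here is an added example. It is not code from any poster and it is not PHP: it is a Python model of the byte-level rules. It models PHP's addslashes(), a charset-aware escaper in the style of mysql_real_escape_string() with the connection charset set, and the server's scan of a single-quoted literal, so you can see that ; -- # and % never leave the quotes, that an unescaped ' does, that addslashes() alone is broken by a multibyte connection charset such as GBK, and what escaping already-slashed input stores. The query prefix, the GBK-only lead-byte range, the partial server unescape table and the sample inputs (including the \xbf' attack string) are constructed assumptions for the demonstration, not taken from the thread.

```python
r"""Byte-level model of how MySQL escapes and re-parses a quoted string literal.
Added example for this thread (not PHP, not any poster's code). Assumptions:
the lead-byte range is hard-coded for GBK only, and the server-side unescape
table covers only \0 \n \r \Z plus "same byte"."""

PREFIX = b"SELECT * FROM tablename WHERE fieldname="   # constructed query prefix

# Bytes that mysql_real_escape_string() escapes, per the PHP manual.
ESCAPES = {0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z",
           0x5C: b"\\\\", 0x27: b"\\'", 0x22: b'\\"'}
# Assumption: lead bytes modelled for one multibyte charset only (GBK: 0x81..0xFE).
LEAD_BYTES = {"gbk": range(0x81, 0xFF)}

def addslashes(data: bytes) -> bytes:
    """PHP addslashes(): backslash before ' " \\ and NUL, byte by byte, charset-blind."""
    out = bytearray()
    for b in data:
        if b == 0x00:
            out += b"\\0"
        elif b in (0x27, 0x22, 0x5C):
            out += b"\\" + bytes([b])
        else:
            out.append(b)
    return bytes(out)

def is_mb_char(data: bytes, i: int, charset: str) -> bool:
    """True if data[i:i+2] is exactly one valid two-byte character in charset."""
    chunk = data[i:i + 2]
    if len(chunk) < 2:
        return False
    try:
        return len(chunk.decode(charset)) == 1
    except UnicodeDecodeError:
        return False

def real_escape(data: bytes, charset: str) -> bytes:
    """Model of a charset-aware escaper (mysql_real_escape_string with the connection
    charset set): a valid multibyte character passes through whole; a byte that looks
    like a lead byte but starts no valid character is escaped itself, so the server
    can never pair it with the backslash that protects the following quote."""
    out, i = bytearray(), 0
    while i < len(data):
        if is_mb_char(data, i, charset):
            out += data[i:i + 2]
            i += 2
            continue
        b = data[i]
        if b in LEAD_BYTES.get(charset, range(0)):
            out += b"\\" + bytes([b])
        elif b in ESCAPES:
            out += ESCAPES[b]
        else:
            out.append(b)
        i += 1
    return bytes(out)

def parse_literal(sql: bytes, charset: str = "latin1"):
    """Model of the server scanning the single-quoted literal at sql[0]. Returns
    (stored value, index just past the closing quote). A valid multibyte character is
    consumed whole, a backslash consumes exactly the next byte, a doubled '' is a
    literal quote, and ; -- # % are ordinary bytes of the string."""
    if sql[:1] != b"'":
        raise ValueError("literal must start with a single quote")
    unescape = {b"0": b"\x00", b"n": b"\n", b"r": b"\r", b"Z": b"\x1a"}  # partial table
    value, i = bytearray(), 1
    while i < len(sql):
        if is_mb_char(sql, i, charset):
            value += sql[i:i + 2]
            i += 2
        elif sql[i] == 0x5C:
            nxt = sql[i + 1:i + 2]
            value += unescape.get(nxt, nxt)
            i += 2
        elif sql[i] == 0x27:
            if sql[i + 1:i + 2] == b"'":
                value += b"'"
                i += 2
            else:
                return bytes(value), i + 1
        else:
            value.append(sql[i])
            i += 1
    raise ValueError("unterminated string literal")

def build(value: bytes, escaper, charset: str = "latin1"):
    """Escape and quote user input, splice it into the query and let the server model
    scan it. Returns (query, stored value, leftover bytes the server would read as SQL
    after the literal); leftover == b"" means the input stayed inside the quotes."""
    query = PREFIX + b"'" + escaper(value) + b"'"
    stored, end = parse_literal(query[len(PREFIX):], charset)
    return query, stored, query[len(PREFIX) + end:]

if __name__ == "__main__":
    gbk_attack = b"\xbf' OR 1=1 -- "   # constructed input: invalid GBK lead byte, then a quote
    print(build(b"totally'usless--injection%tries%%#", addslashes)[2])   # b''
    print(build(b"x' OR 1=1 -- ", lambda v: v)[2])                       # b" OR 1=1 -- '"
    print(build(gbk_attack, addslashes, "gbk")[2])                        # b" OR 1=1 -- '"
    print(build(gbk_attack, lambda v: real_escape(v, "gbk"), "gbk")[2])  # b''
    print(build(b"O'Brien", lambda v: addslashes(addslashes(v)))[1])     # b"O\\'Brien"
```

Each print shows the bytes the server model would read as SQL after the literal (or, in the last line, the value it would store): an empty leftover means the input stayed a string, which is the case for the first post's whole ; -- # % example once the single quote is escaped. The GBK pair is the encoding trick the moderator alludes to: addslashes() inserts a 0x5C that the server pairs with the preceding 0xBF into one character, freeing the quote, while an escaper that knows the connection charset escapes the stray lead byte first. The practical consequence for the single wrapper function kettle_drum suggests is that it must strip magic_quotes slashes exactly once (the last line shows what double escaping stores) and must use an escaper that is told the connection charset, which is what mysql_set_charset() / mysqli_set_charset() provide.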
-