sql injection

djot
Forum Contributor
Posts: 313
Joined: Wed Jan 14, 2004 10:21 am
Location: planet earth

sql injection

Post by djot »

-
Hi,

I read about many ways of doing SQL injection. Most of them are totally useless if user input is generally slashed with addslashes and quoted in single quotes.

Now my question is, do other characters like ; or -- or # or % get interpreted inside the quotes, or do they all fail, so the SQL query would be injection safe? If not, which characters/commands do I also have to filter to be on the safe side?

e.g. SELECT * FROM tablename WHERE fieldname='totally''usless--injection%tries%%#'

djot

PS: BBCode failed to (only) show the characters bold :)
-
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

% is interpreted as a special character only if you perform a LIKE comparison. # and -- (as well as /* ) start a comment if encountered outside the quotes. AFAIR the semicolon (;) only has its special effect in the mysql command line client.

Instead of using addslashes I highly recommend you use mysql_real_escape_string (to avoid encoding tricks).

djot wrote:
PS: BBCode failed to (only) show the characters bold :)

You had an extra space within one of the tags.
djot
Forum Contributor
Posts: 313
Joined: Wed Jan 14, 2004 10:21 am
Location: planet earth

Post by djot »

-
Thx for the answer (and sorry for the space in the bbcode).

Anyway, I don't understand why there are thousands of websites about SQL injection with a large number of stupid SQL examples containing things like 1=1, a=a, if 2 between 1 and 3 and things like that, when the solution is that simple: just mysql_real_escape_string the user input and put it between single quotes, tzztztzzz.

djot
-
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Because people frequently forget to do those simple things. Most of the time they throw (supposed) integers from user input into the query. It's more common than unescaped strings.
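An added example, not code posted by anyone in this thread, that puts Weirdan's two answers into PHP: inside a quoted literal the characters djot lists are plain data once the quote itself is escaped, a LIKE pattern additionally needs its wildcards neutralised, and an unquoted integer has nothing to escape and must be validated instead. It uses the mysqli extension rather than the thread's mysql_real_escape_string, because ext/mysql was removed in PHP 7. The connection credentials, table and column names are placeholders, and the input values are constructed. The prepared statement at the end goes beyond what the thread discusses; it is the approach that avoids the character question altogether.

```php
<?php
// Added example, not code posted in this thread. Uses mysqli because ext/mysql
// (mysql_real_escape_string) was removed in PHP 7. Connection details and the
// table/column names are placeholders; the inputs are constructed.
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error);
}

// A quoted string literal. Between the quotes, ; -- # /* and % are ordinary
// bytes; the only way out is an unescaped quote or backslash, which
// real_escape_string handles for the connection's charset (addslashes does
// not know the charset, which is what Weirdan's "encoding tricks" refers to).
function sqlString(mysqli $db, string $s): string
{
    return "'" . $db->real_escape_string($s) . "'";
}

// The same value used as a LIKE pattern: here % and _ are wildcards even
// inside the quotes, so they get an extra backslash on top of the escaping.
function sqlLikePattern(mysqli $db, string $s): string
{
    return "'" . addcslashes($db->real_escape_string($s), '%_') . "'";
}

// An integer column is compared without quotes, so there is nothing to
// escape: whatever the user sent is pasted straight into the WHERE clause.
// The fix is to validate the type, not to escape the value.
function sqlInt(string $raw): int
{
    if (filter_var($raw, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('not an integer: ' . $raw);
    }
    return (int) $raw;
}

// Constructed inputs, in the spirit of the question's example.
$name = "totally'usless--injection%tries%%#";
$id   = '42';

// The single quote inside $name is escaped; the -- # and % stay plain data.
$q1 = 'SELECT * FROM tablename WHERE fieldname=' . sqlString($db, $name);

// The % is escaped as a wildcard, so this matches the text "50%" only.
$q2 = 'SELECT * FROM tablename WHERE fieldname LIKE ' . sqlLikePattern($db, '50%');

// Validated integer; sqlInt('1 OR 1=1') throws instead of building "WHERE id=1 OR 1=1".
$q3 = 'SELECT * FROM tablename WHERE id=' . sqlInt($id);

// The same lookup as a prepared statement: values travel separately from
// the SQL text, so none of the character questions above arise.
$stmt = $db->prepare('SELECT * FROM tablename WHERE id=? AND fieldname=?');
if ($stmt === false) {
    die('prepare failed: ' . $db->error);
}
$idInt = sqlInt($id);
$stmt->bind_param('is', $idInt, $name);
$stmt->execute();
$result = $stmt->get_result();
```

The order in sqlLikePattern matters: real_escape_string first, then addcslashes for % and _, so the backslash added for the wildcard is not itself doubled by the literal escaping.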
kettle_drum
DevNet Resident
Posts: 1150
Joined: Sun Jul 20, 2003 9:25 pm
Location: West Yorkshire, England

Post by kettle_drum »

To make things even easier for yourself, make your own function that you put all user input through, so you get into the habit of doing it; then, if a new type of injection is discovered, you can simply change your function to protect against it rather than having to change hundreds of calls to escape strings.
djot
Forum Contributor
Posts: 313
Joined: Wed Jan 14, 2004 10:21 am
Location: planet earth

Post by djot »

-
Yep, I have an extra class just for sanitizing and formatting the SQL statements to my needs. (Also for checking user input and e.g. removing HTML; but that is off topic here, I want to keep the topic SQL related only.)

Note: If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice.
*quoted from http://www.php.net/manual/en/function.m ... string.php

It's recommended to stripslashes first when register_globals is ON, but then you screw up \n or \r\n, so I have a function that first ensures the returns stay intact.

djot
-
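An added example, not code posted by kettle_drum or djot, of the single entry point kettle_drum describes combined with the manual note djot quoted: magic-quote slashes are removed once, at the edge, so that escaping happens exactly once, and every value reaches SQL through one formatter. get_magic_quotes_gpc() was removed in PHP 8, so the function_exists() guard makes the same code a no-op there. The connection details are placeholders, and the double-escape at the end is simulated with addslashes(), which is what magic_quotes_gpc applied to incoming request data.

```php
<?php
// Added example, not code posted in this thread.

// Undo magic_quotes_gpc exactly once, at the edge, nested arrays included.
// The setting was removed in PHP 5.4 and the function in PHP 8, so the guard
// below makes this a no-op on current PHP.
function undoMagicQuotes($value)
{
    if (is_array($value)) {
        return array_map('undoMagicQuotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undoMagicQuotes($_GET);
    $_POST   = undoMagicQuotes($_POST);
    $_COOKIE = undoMagicQuotes($_COOKIE);
}

// The one place all user input goes through on its way into a query.
// Formatting depends on the SQL type of the target column, not on the PHP
// type of the value, because an unquoted integer cannot be "escaped" at all.
class SqlInput
{
    private $db;

    public function __construct(mysqli $db)
    {
        $this->db = $db;
    }

    public function value($raw, string $type): string
    {
        if ($raw === null) {
            return 'NULL';
        }
        switch ($type) {
            case 'int':
                if (filter_var($raw, FILTER_VALIDATE_INT) === false) {
                    throw new InvalidArgumentException('expected an integer');
                }
                return (string) (int) $raw;
            case 'string':
                // Escaping happens here and nowhere else, so it can never be
                // applied twice to the same value.
                return "'" . $this->db->real_escape_string((string) $raw) . "'";
            default:
                throw new InvalidArgumentException('unknown SQL type ' . $type);
        }
    }
}

// Placeholder connection details; replace them for a real run.
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error);
}
$in  = new SqlInput($db);
$sql = 'SELECT * FROM tablename WHERE id=' . $in->value($_GET['id'] ?? null, 'int')
     . ' AND fieldname=' . $in->value($_GET['name'] ?? null, 'string');

// What the manual's warning is about, simulated without magic quotes:
// magic_quotes_gpc ran addslashes() over every request value on arrival.
$typed   = "O'Reilly";
$arrived = addslashes($typed);
// Escaping the already-slashed value doubles the backslash, so the row
// stored in MySQL keeps a stray backslash in front of the quote.
$twice   = $db->real_escape_string($arrived);
// Stripping the magic-quote slashes first means the value is escaped once
// and the stored row contains exactly what the user typed.
$once    = $db->real_escape_string(stripslashes($arrived));
```

Because stripslashes is applied to the raw request arrays before anything else touches them, the rest of the code never needs to know whether magic quotes were on, which is the habit kettle_drum is recommending.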