sql injection
Posted: Mon Nov 08, 2004 11:19 am
by djot
Hi,
I read about many ways to do SQL injection. Most of them are totally useless if user input is generally slashed with addslashes and quoted in single quotes.
Now my question is: do other characters like ; or -- or # or % get interpreted inside the quotes, or do they all fail, so the SQL query would be injection safe? If not, which characters/commands do I also have to filter to be on the safe side?
e.g. SELECT * FROM tablename WHERE fieldname='totally''usless--injection%tries%%#'
djot
PS: BBCode failed to (only) show the characters bold :)
Posted: Mon Nov 08, 2004 1:16 pm
by Weirdan
% is interpreted as a special character only if you perform a [mysql_man]LIKE[/mysql_man] comparison. # and -- (as well as /* ) start a comment if encountered outside the quotes. AFAIR the semicolon (;) only has its special effect in the mysql command line client.
Instead of using addslashes I highly recommend you to use [php_man]mysql_real_escape_string[/php_man] (to avoid encoding tricks).
PS: BBCode failed to (only) show the characters bold
you had extra space within one of the tags
Posted: Mon Nov 08, 2004 1:24 pm
by djot
Thx for the answer (and sorry for the space in the bbcode).
Anyway, I don't understand why there are thousands of websites about SQL injection with a large number of stupid SQL examples containing things like 1=1, a=a, if 2 between 1 and 3 and things like that - and the solution is that simple - just mysql_real_escape_string the user input and put it between single quotes, tzztztzzz.
djot
Posted: Mon Nov 08, 2004 1:34 pm
by Weirdan
Because people frequently forget to do those simple things. Most of the time they throw (supposed) integers from user input into the query. It's more common than unescaped strings.
Posted: Mon Nov 08, 2004 2:25 pm
by kettle_drum
To make things even easier for yourself, make your own function that you put all user input through so you get into the habit of doing it, and then if you find that a new type of injection is discovered you can simply change your function to protect against it rather than having to change hundreds of calls to escape strings.
Posted: Mon Nov 08, 2004 3:15 pm
by djot
Yep, I have an extra class for just sanitizing and formatting the sql statements to my needs. (Also for checking userinput and e.g. removing html; but that is off topic here, I want to keep the topic sql related only.)
Note: If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice.
*quoted from
http://www.php.net/manual/en/function.m ... string.php
It's recommended to stripslashes first when register_globals is ON, but then you will screw up \n or \r\n, so I have a function to first ensure the returns will stay intact.
djot
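The thread's advice adds up to a single helper, which is what kettle_drum suggests: escape strings and wrap them in single quotes (Weirdan's first reply), treat integers separately because escaping does nothing for an unquoted number (Weirdan's second reply), and undo magic_quotes_gpc before escaping so nothing is escaped twice (djot's last post). The following PHP is an added example written for this page, not code posted by anyone in the thread; the class and method names (SqlQuoter, quoteString, quoteInt, raw) are invented, the connection credentials are placeholders, and it uses mysqli's real_escape_string, the mysqli counterpart of the mysql_real_escape_string function recommended above. It targets PHP 7 or later.

```php
<?php
// Added example for this thread, not the poster's own class.
// One helper that every piece of user input passes through before it is
// placed in a MySQL query string.

final class SqlQuoter
{
    private $db; // mysqli connection; escaping depends on its charset

    public function __construct(mysqli $db)
    {
        $this->db = $db;
    }

    // Undo magic_quotes_gpc on old PHP so a value is not escaped twice
    // (the manual note djot quotes). The function was removed in PHP 8,
    // so the guard makes this a no-op there.
    private static function raw(string $value): string
    {
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            return stripslashes($value);
        }
        return $value;
    }

    // Strings: escape for the connection's charset AND wrap in single quotes.
    // Inside the quoted literal, %, #, --, /* and ; are ordinary data.
    // (% and _ still act as wildcards if the literal is used with LIKE;
    // that is a LIKE concern, not an injection.)
    public function quoteString(string $value): string
    {
        return "'" . $this->db->real_escape_string(self::raw($value)) . "'";
    }

    // Integers: an unquoted number cannot be protected by escaping, which is
    // the case Weirdan calls the most common bug. Accept only a plain decimal
    // integer and reject everything else instead of hoping it is a number.
    public function quoteInt(string $value): string
    {
        $value = self::raw($value);
        if (preg_match('/^-?\d{1,18}$/', $value) !== 1) {
            throw new InvalidArgumentException("not an integer: $value");
        }
        return (string) (int) $value;
    }
}

// Placeholder connection details; replace with your own.
$db = new mysqli('localhost', 'user', 'password', 'database');
$db->set_charset('utf8mb4'); // escaping is only correct for the charset the connection uses
$q  = new SqlQuoter($db);

// djot's test string from the first post becomes a harmless literal:
$name = "totally'usless--injection%tries%%#";
echo "SELECT * FROM tablename WHERE fieldname=" . $q->quoteString($name) . "\n";
// prints: SELECT * FROM tablename WHERE fieldname='totally\'usless--injection%tries%%#'

// The unquoted-integer pattern the thread warns about, vulnerable beside fixed:
$id = $_GET['id'] ?? '1';
// vulnerable: "SELECT * FROM users WHERE id=" . $id   (a value such as "1 OR 1=1" is accepted as-is)
$safe = "SELECT * FROM users WHERE id=" . $q->quoteInt($id); // throws on "1 OR 1=1", returns "1" for "1"
echo $safe, "\n";
```

The point of routing everything through one class is exactly kettle_drum's: if an escaping rule has to change (a new charset, a database driver switch), it changes in one place. On any PHP released after this thread, mysqli or PDO prepared statements give the same separation of query text and data without a hand-written helper, and are the usual choice today.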