Tuesday 27 September 2016

php - SQL injection that gets around mysql_real_escape_string()



Is there an SQL injection possibility even when using mysql_real_escape_string() function?




Consider this sample situation. SQL is constructed in PHP like this:



$login = mysql_real_escape_string(GetFromPost('login'));
$password = mysql_real_escape_string(GetFromPost('password'));

$sql = "SELECT * FROM table WHERE login='$login' AND password='$password'";


I have heard numerous people say to me that code like that is still dangerous and possible to hack even with the mysql_real_escape_string() function used. But I cannot think of any possible exploit.




Classic injections like this:



aaa' OR 1=1 --


do not work.



Do you know of any possible injection that would get through the PHP code above?


Answer




Consider the following query:



// "1 OR 1=1" contains no quotes, backslashes or other characters the
// escaper touches, so it comes back unchanged and is interpolated unquoted
$iId = mysql_real_escape_string("1 OR 1=1");
$sSql = "SELECT * FROM table WHERE id = $iId";


mysql_real_escape_string() will not protect you against this.
The fact that you use single quotes (' ') around your variables inside your query is what protects you against this. The following is also an option:



// (int) keeps only the leading integer, so "1 OR 1=1" becomes 1
$iId = (int)"1 OR 1=1";

$sSql = "SELECT * FROM table WHERE id = $iId";
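The following is an added example, not code from the question or the answer above. It reproduces both situations against an in-memory SQLite database standing in for MySQL: the classic quoted payload from the question is stopped by escaping plus quoting, while the answer's unquoted numeric payload goes straight through, and the two fixes (an integer cast, or better a bound parameter) both close it. The helpers `escape_sql_string` and `php_int_cast` are this example's own: the first uses the SQL-standard quote doubling that SQLite accepts rather than MySQL's backslash escaping, and the second mimics PHP's `(int)` cast, which keeps a leading integer and yields 0 otherwise. The user table and its rows are constructed for the demo.

```python
"""Added example: escaping protects a value only when the value is quoted.

SQLite stands in for MySQL here. The escaping helper below is this
example's own approximation, not mysql_real_escape_string(); what matters
is the property both share: an escaped value can only ever be read as
string content when it sits between quotes.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users with passwords the attacker does not know."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (3, "carol", "letmein")],
    )
    return conn


def escape_sql_string(value: str) -> str:
    """Make `value` safe to place BETWEEN SINGLE QUOTES in an SQL literal.

    Doubles embedded quotes (the SQL-standard rule SQLite follows). MySQL's
    mysql_real_escape_string() instead backslash-escapes the quote,
    backslash, NUL, newline, carriage return and Control-Z characters.
    Either way the caller must still put quotes around the result.
    """
    return value.replace("'", "''")


def login_quoted(conn, login: str, password: str):
    """The pattern from the question: escaped values inside single quotes."""
    sql = (
        "SELECT id, login FROM users "
        f"WHERE login='{escape_sql_string(login)}' "
        f"AND password='{escape_sql_string(password)}'"
    )
    return conn.execute(sql).fetchall()


def lookup_unquoted(conn, raw_id: str):
    """The pattern from the answer: an escaped value placed WITHOUT quotes.

    "1 OR 1=1" contains nothing the escaper changes, so the attacker's text
    becomes part of the WHERE clause itself.
    """
    sql = f"SELECT id, login FROM users WHERE id = {escape_sql_string(raw_id)}"
    return conn.execute(sql).fetchall()


def php_int_cast(value: str) -> int:
    """Mimic PHP's (int) cast on a string: leading integer prefix, else 0."""
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def lookup_cast(conn, raw_id: str):
    """The answer's fix: coerce to an integer before interpolating.

    Everything after the leading digits is discarded, so no SQL syntax
    can survive into the query text.
    """
    sql = f"SELECT id, login FROM users WHERE id = {php_int_cast(raw_id)}"
    return conn.execute(sql).fetchall()


def lookup_param(conn, raw_id: str):
    """The preferred fix: a bound parameter. The value never becomes part
    of the SQL text, so quoting and escaping are irrelevant; a non-numeric
    string simply matches no integer id."""
    return conn.execute(
        "SELECT id, login FROM users WHERE id = ?", (raw_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(login_quoted(db, "aaa' OR 1=1 --", "x"))  # classic payload: no rows
    print(lookup_unquoted(db, "1 OR 1=1"))          # injected: every row
    print(lookup_cast(db, "1 OR 1=1"))              # only id 1
    print(lookup_param(db, "1 OR 1=1"))             # no rows
```

Run it directly to see the four outcomes; the unquoted lookup dumps the whole table while the three other calls behave. The cast fix is adequate for an integer column, but the bound parameter is the general answer: it also covers the string columns in the question without relying on the programmer remembering the quotes.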
