Topic: question about mysql injection

[php_novice2007]

Hi,

Does a MySQL injection attack only occur when the user is allowed to type something in which is used as part of a query?

What about forms where the user can only select from radio buttons/checkboxes/drop down lists.. They can't really do the multiple SQL thing can they?

Thanks~!

[chocopi]

They shouldnt be able to on the likes of radio boxes unless you were to use get in which case they could just changed the url

eg:

You want: http://www.yoursite.com/page.php?radio=hello

they could do: http://www.yoursite.com/page.php?radio=somesqlinjection

~ Chocopi

[php_novice2007]

so therefore if I only use $POST and no $GET at all then I should be fine?

[rarebit]

Anything which is sent to sever can be bogus, e.g. any form data whether GET or POST, even cookie data...

[dsfsdfsdfsdf]

Using combo/radio/whatever boxes are just as susceptible as text fields.

[php_novice2007]

So if I add slashes to everything I'll be ok?

[rarebit]

Your best using 'mysql_real_escape_string()'...
See: http://uk3.php.net/manual/en/function.mysql-real-escape-string.php
But as someone pointed out earlier, the '`' character is not removed but throws an error. So i've now put the following before the escape check:

Code: [Select]

function get_REQUEST($name)
{
$sret = "";

if (isset($_REQUEST[$name]))
{
$sret = $_REQUEST[$name];
$sret = str_replace("`","'", $sret);
$sret = mysql_real_escape_string($sret); // check for injection attacks
}

return $sret;
}

[php_novice2007]

Hi,

I've got something like this, is that the same as what you've got?

Code: [Select]

$userid = $_POST['login'];
$passWord = $_POST['password'];

require("databaseInfo.php");
$dbtable = "users";
$link=mysql_connect("localhost", $username, $password) or die("Cannot connect to database");
 
//select database
@mysql_select_db($database) or die("Unable to select database");

if(get_magic_quotes_gpc()) {
      $userid = stripslashes($userid);
      $passWord = stripslashes($passWord);
}
   
$query = sprintf("SELECT * FROM %s WHERE user_id = '%s'", $dbtable, mysql_real_escape_string($userid, $link));
$result=mysql_query($query, $link) or die("Unable to load selected table");

I think I copied the code from somewhere so not really sure what the magic_quotes_gpc do.. Do I still need your code to replace " ` " with " ' "?

Thanks! 
   

[php_novice2007]

By the way, if I have these code to stop SQL injection, does that mean a user name or password can't contain ` or ' s?

[chocopi]

no it can but the characters are escaped so in the case of ' it will become \'

So im guessing you know that with the backslash being there that the ' will be seen as a literal character and not a special one.

Also, can backticks actually be used for sql injection ???
And wouldn't it be better to use this:

Code: [Select]

function get_REQUEST($name)
{
$sret = "";

if (isset($_REQUEST[$name]))
{
$sret = $_REQUEST[$name];
$sret = str_replace("`","\`", $sret);
$sret = mysql_real_escape_string($sret); // check for injection attacks
}

return $sret;
}
That way you are escaping the backtick without changing its value

~ Chocopi

[rarebit]

Your right, there was a post saying that it gave an error, however i've just tested on console and it's fine...

[scottybwoy]

You could just use this:

Code: [Select]

<?php
function escape_string($val) {
$val = str_replace("`", "\`", $val);
$val = mysql_real_escape_string($val); // check for injection attacks

return $val;
}
?>

And use that instead of mysql_real_escape_string

Have fun

[nathanmaxsonadil]

so therefore if I only use $POST and no $GET at all then I should be fine?

no because someone can use somthing like firebug...