[nycphp-talk] Is there something wrong with this SQL query in PHP?
Ben Sgro (ProjectSkyLine)
ben at projectskyline.com
Tue Aug 14 17:14:37 EDT 2007
I just did a security audit for a site. This was a huge problem they had:
doing, "...where id = $_POST['id']"
Not only can you run sql commands you could update all the records where
id=1 or id > 1
via SQL injection.
The larger problem they had was that all the sql was being hardcoded, no use
of a function
anywhere. We had to go back and remove all the SQL to be called from a
then have that function do the proper validation.
They had the exact same problems w/XSS, no input validation.
Chris, nice book btw, my #1 reference for PHP Security.
Ben Sgro, Chief Engineer
ProjectSkyLine - Defining New Horizons
This e-mail is confidential information intended only for the use of the
individual to whom it is addressed.
----- Original Message -----
From: "csnyder" <chsnyder at gmail.com>
To: "NYPHP Talk" <talk at lists.nyphp.org>
Sent: Tuesday, August 14, 2007 5:00 PM
Subject: Re: [nycphp-talk] Is there something wrong with this SQL query in
> On 8/14/07, Anthony Wlodarski <aw at sap8.com> wrote:
>> So I will definitely in the future keep an out for direct $_POST
>> directly in a SQL query (I will just save a local copy from now on and
> No, you're missing the point. It isn't direct use of the variable from
> $_POST, it's that the value might contain quotes or other characters
> that can cause the database to execute SQL that you don't expect.
> Use the mysql_real_escape_string() function on all values before
> including them in a query:
> $query = "SELECT * FROM `jobsdb` WHERE `id`
> Chris Snyder
> New York PHP Community Talk Mailing List
> NYPHPCon 2006 Presentations Online
> Show Your Participation in New York PHP
More information about the talk