[nycphp-talk] Is there something wrong with this SQL query in PHP?

Ben Sgro (ProjectSkyLine) ben at
Tue Aug 14 17:14:37 EDT 2007


I just did a security audit for a site. This was a huge problem they had:

doing, "...where id = $_POST['id']"

Not only can you run sql commands you could update all the records where 
id=1 or id > 1
via SQL injection.

The larger problem they had was that all the sql was being hardcoded, no use 
of a function
anywhere. We had to go back and remove all the SQL to be called from a 
then have that function do the proper validation.

They had the exact same problems w/XSS, no input validation.

Chris, nice book btw, my #1 reference for PHP Security.

- Ben

Ben Sgro, Chief Engineer
ProjectSkyLine - Defining New Horizons

This e-mail is confidential information intended only for the use of the 
individual to whom it is addressed.
----- Original Message ----- 
From: "csnyder" <chsnyder at>
To: "NYPHP Talk" <talk at>
Sent: Tuesday, August 14, 2007 5:00 PM
Subject: Re: [nycphp-talk] Is there something wrong with this SQL query in 

> On 8/14/07, Anthony Wlodarski <aw at> wrote:
>> So I will definitely in the future keep an out for direct $_POST 
>> variables
>> directly in a SQL query (I will just save a local copy from now on and 
>> use
>> that.).
> No, you're missing the point. It isn't direct use of the variable from
> $_POST, it's that the value might contain quotes or other characters
> that can cause the database to execute SQL that you don't expect.
> Use the mysql_real_escape_string() function on all values before
> including them in a query:
> $query = "SELECT * FROM `jobsdb` WHERE `id`
> =".mysql_real_escape_string($_POST['id'])."";
> -- 
> Chris Snyder
> _______________________________________________
> New York PHP Community Talk Mailing List
> NYPHPCon 2006 Presentations Online
> Show Your Participation in New York PHP

More information about the talk mailing list