NYCPHP Meetup

[nycphp-talk] Is there something wrong with this SQL query in PHP?

Brian O'Connor gatzby3jr at gmail.com
Wed Aug 15 08:34:58 EDT 2007


>From what I understand, it's all queries that need this protection, not just
INSERT/UPDATE.

One example that Brian Dailey gave was with your original query

$query = "SELECT * FROM `jobsdb` WHERE `id` =".$_POST['id']."";

Someone could supply in $_POST['id']:

1; DROP `jobsdb`;

This could easily be transferred to:

SELECT * FROM `jobsdb` WHERE `id` = ".$_POST['id']."";
and $_POST['id'] could still contain 1; DROP `jobsdb`

 thus the full query would result in

SELECT * FROM `jobsdb` WHERE `id`=1; DROP `jobsdb`

This is my understanding however, and I could be wrong.  Any clarification
on the subject would be nice.

On 8/15/07, Anthony Wlodarski <aw at sap8.com> wrote:
>
> I ran a test (just added a SQL command, harmless one in a text field) to
> see
> what happens on SQL injection, without proper slashing or escaping
> (addslashes/mysql_real_escape_string).  I like mysql_real... cause it
> takes
> the guess work out of making the data safe.  Thanks everyone for the brief
> lesson on the dangers of this (now I get to go back to all my
> INSERT/UPDATE
> queries and add this functionality, better safe than sorry).
>
> Anthony Wlodarski
> Senior Technical Recruiter
> Shulman Fleming & Partners
> 646-285-0500 x230
> aw at sap8.com
>
> -----Original Message-----
> From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
> On
> Behalf Of Ben Sgro (ProjectSkyLine)
> Sent: Tuesday, August 14, 2007 9:15 PM
> To: NYPHP Talk
> Subject: Re: [nycphp-talk] Is there something wrong with this SQL query in
> PHP?
>
> heh,
>
> Yeah I guess. They weren't validating the users input. = ]
>
> - Ben
>
> Ben Sgro, Chief Engineer
> ProjectSkyLine - Defining New Horizons
>
> ----- Original Message -----
> From: "John Campbell" <jcampbell1 at gmail.com>
> To: "NYPHP Talk" <talk at lists.nyphp.org>
> Sent: Tuesday, August 14, 2007 8:31 PM
> Subject: Re: [nycphp-talk] Is there something wrong with this SQL query in
> PHP?
>
>
> >> They had the exact same problems w/XSS, no input validation.
> >
> > Input validation?  Don't you mean output escaping?  You must not allow
> > uber leet usernames like |<33|>.  :)
> >
> > -john cambpell
> > _______________________________________________
> > New York PHP Community Talk Mailing List
> > http://lists.nyphp.org/mailman/listinfo/talk
> >
> > NYPHPCon 2006 Presentations Online
> > http://www.nyphpcon.com
> >
> > Show Your Participation in New York PHP
> > http://www.nyphp.org/show_participation.php
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>
>
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>



-- 
Brian O'Connor
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070815/089524c1/attachment.html>


More information about the talk mailing list