NYCPHP Meetup

[nycphp-talk] Is there something wrong with this SQL query in PHP?

Anthony Wlodarski aw at sap8.com
Wed Aug 15 08:42:45 EDT 2007


That would be horrendous if someone did that.  Alright all my queries get
updated then.  I didn't know that a SQL query string in PHP could contain
more than one command (I am so new to PHP/MySQL) but I guess as long as
there is a delimiter (";") any number of commands could be run, malicious or
not.

 

Anthony Wlodarski

Senior Technical Recruiter

Shulman Fleming & Partners

646-285-0500 x230

aw at sap8.com

 

From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Brian O'Connor
Sent: Wednesday, August 15, 2007 8:35 AM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Is there something wrong with this SQL query in
PHP?

 

>From what I understand, it's all queries that need this protection, not
just INSERT/UPDATE.

One example that Brian Dailey gave was with your original query

$query = "SELECT * FROM `jobsdb` WHERE `id` =".$_POST['id']."";

Someone could supply in $_POST['id']:

1; DROP `jobsdb`;

This could easily be transferred to:

SELECT * FROM `jobsdb` WHERE `id` = ".$_POST['id'].""; 
and $_POST['id'] could still contain 1; DROP `jobsdb`

 thus the full query would result in

SELECT * FROM `jobsdb` WHERE `id`=1; DROP `jobsdb`

This is my understanding however, and I could be wrong.  Any clarification
on the subject would be nice. 

On 8/15/07, Anthony Wlodarski <aw at sap8.com> wrote:

I ran a test (just added a SQL command, harmless one in a text field) to see
what happens on SQL injection, without proper slashing or escaping
(addslashes/mysql_real_escape_string).  I like mysql_real... cause it takes 
the guess work out of making the data safe.  Thanks everyone for the brief
lesson on the dangers of this (now I get to go back to all my INSERT/UPDATE
queries and add this functionality, better safe than sorry). 

Anthony Wlodarski
Senior Technical Recruiter
Shulman Fleming & Partners
646-285-0500 x230
aw at sap8.com

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Ben Sgro (ProjectSkyLine)
Sent: Tuesday, August 14, 2007 9:15 PM
To: NYPHP Talk 
Subject: Re: [nycphp-talk] Is there something wrong with this SQL query in
PHP?

heh,

Yeah I guess. They weren't validating the users input. = ]

- Ben

Ben Sgro, Chief Engineer
ProjectSkyLine - Defining New Horizons 

----- Original Message -----
From: "John Campbell" <jcampbell1 at gmail.com>
To: "NYPHP Talk" <talk at lists.nyphp.org >
Sent: Tuesday, August 14, 2007 8:31 PM
Subject: Re: [nycphp-talk] Is there something wrong with this SQL query in
PHP?


>> They had the exact same problems w/XSS, no input validation.
> 
> Input validation?  Don't you mean output escaping?  You must not allow
> uber leet usernames like |<33|>.  :)
>
> -john cambpell
> _______________________________________________ 
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php 

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online 
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php



_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online 
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php




-- 
Brian O'Connor 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070815/2b17c0a6/attachment.html>


More information about the talk mailing list