[nycphp-talk] Is there something wrong with this SQL query in PHP?
michael.southwell at nyphp.com
Wed Aug 15 10:14:26 EDT 2007
At 09:31 AM 8/15/2007, you wrote:
>The standard mysql_x() functions do not allow multiple queries, so
>you're not so worried about someone injecting drop table statements.
>Nevertheless, plenty of damage and/or disclosure can be performed with
>just a single query.
Just to emphasize and elaborate on Chris's point here, a query like this:
SELECT * FROM `jobsdb` WHERE `id`=1; DROP `jobsdb`
when it is sent to MySQL via mysql_query() or one of the other mysql
functions, will NOT execute the command following the semicolon. It
will however of course work if you are submitting it in the MySQL
Monitor or phpMyAdmin, because it is in fact a valid MySQL
instruction (actually, two of them).
But consider a query like this:
DELETE FROM `jobsdb` WHERE `id`=1 OR 1=1
where the 1 OR 1=1 is user input (rather than the expected 1 or 2 or
whatever). In this case, Chris's "plenty of damage" is possibly an
understatement, since this query will in fact be executed and all
rows will be deleted. In a case like this, you need to be checking
that your user is entering an expected kind of value, that is (in
this case), an integer, with the is_int() function, or (in other
cases) however you can.
The point is that you can't just rely on mysql_real_escape_string for
Michael Southwell, Vice President for Education
New York PHP
http://www.nyphp.com/training - In-depth PHP Training Courses
More information about the talk