NYCPHP Meetup

[nycphp-talk] Is there something wrong with this SQL query in PHP?

Michael Southwell michael.southwell at nyphp.com
Wed Aug 15 10:14:26 EDT 2007


At 09:31 AM 8/15/2007, you wrote:

>The standard mysql_x() functions do not allow multiple queries, so
>you're not so worried about someone injecting drop table statements.
>Nevertheless, plenty of damage and/or disclosure can be performed with
>just a single query.

Just to emphasize and elaborate on Chris's point here, a query like this:

SELECT * FROM `jobsdb` WHERE `id`=1; DROP `jobsdb`

when it is sent to MySQL via mysql_query() or one of the other mysql 
functions, will NOT execute the command following the semicolon. It 
will however of course work if you are submitting it in the MySQL 
Monitor or phpMyAdmin, because it is in fact a valid MySQL 
instruction (actually, two of them).

But consider a query like this:

DELETE FROM `jobsdb` WHERE `id`=1 OR 1=1

where the 1 OR 1=1 is user input (rather than the expected 1 or 2 or 
whatever). In this case, Chris's "plenty of damage" is possibly an 
understatement, since this query will in fact be executed and all 
rows will be deleted.  In a case like this, you need to be checking 
that your user is entering an expected kind of value, that is (in 
this case), an integer, with the is_int() function, or (in other 
cases) however you can.

The point is that you can't just rely on mysql_real_escape_string for 
protection.

Michael Southwell, Vice President for Education
New York PHP
http://www.nyphp.com/training - In-depth PHP Training Courses





More information about the talk mailing list