Old 05-01-2008, 02:20 PM   #3 (permalink)
freenity
The Acquainted
 
freenity's Avatar
 
Join Date: Feb 2008
Posts: 119

I haven't tried it, but I think you can make a SQL injection even using mysql_real_escape_string(). (I don't know if mysql_real_escape_string() removes spaces or not.)
Check this:

"SELECT * FROM user WHERE id = $id"

What if $id has this?
$id = "99999 OR id > 0";

This should list all the users. The problem there is that $id is not between ', so the attacker doesn't have to write '. But the problem is the spaces; if they are removed, everything will be fine.
__________________
http://feudal-times.net - My PBB Game
http://gwphp.feudal-times.net - My Blog "Gaming With PHP"
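The pattern the post describes, worked through as an added example (not code from the post or its author): a quote-escaping function does nothing for a numeric parameter that is interpolated without quotes, because the payload contains no quotes to escape. It uses Python's sqlite3 on an in-memory table instead of PHP/MySQL, and `escape_like_mysql` is an assumed stand-in that only mimics the quote/backslash escaping of mysql_real_escape_string. Beside the weak lookup are the two usual fixes: validate the value as an integer before it touches the query, or bind it with a parameterized query.

```python
import sqlite3


def make_db():
    # Constructed sample table standing in for the post's "user" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def escape_like_mysql(value: str) -> str:
    # Assumed stand-in for mysql_real_escape_string(): escapes backslashes,
    # quotes and NUL, but leaves spaces and SQL keywords untouched.
    return (
        value.replace("\\", "\\\\")
        .replace("'", "\\'")
        .replace('"', '\\"')
        .replace("\x00", "\\0")
    )


def lookup_unquoted_escaped(conn, user_id: str):
    # Weak pattern from the post: the value is escaped but interpolated
    # without surrounding quotes, so "99999 OR id > 0" is parsed as SQL.
    sql = f"SELECT id FROM user WHERE id = {escape_like_mysql(user_id)} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_int_validated(conn, user_id: str):
    # Fix 1: reject anything that is not an integer before building the query.
    try:
        n = int(user_id, 10)
    except ValueError:
        raise ValueError("id must be an integer") from None
    sql = f"SELECT id FROM user WHERE id = {n} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, user_id: str):
    # Fix 2: bind the value; the driver passes it as data, never as SQL text.
    sql = "SELECT id FROM user WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


if __name__ == "__main__":
    conn = make_db()
    payload = "99999 OR id > 0"  # the value from the post
    print("escaped, unquoted:", lookup_unquoted_escaped(conn, payload))  # every row
    print("parameterized:    ", lookup_parameterized(conn, payload))     # no rows
    try:
        lookup_int_validated(conn, payload)
    except ValueError as e:
        print("int-validated:     rejected ->", e)
```

With the parameterized query the bound text is compared against the integer column as data and matches nothing; with integer validation the request is refused before any SQL is built. Either removes the need to reason about which characters the escaping function strips.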