05-01-2008, 08:37 PM
#12
The Acquainted
Join Date: Nov 2007
Posts: 166
Thanks: 0
Quote:
Originally Posted by freenity
I haven't tried it, but I think you can do a SQL injection even using mysql_real_escape_string(). (I don't know if mysql_real_escape_string() removes spaces or not.)
Check this:
"SELECT * FROM user WHERE id = $id"
What if $id has this?
$id = "99999 OR id > 0";
This should list all the users. The problem there is that $id is not between ', so the attacker doesn't have to write '. But the problem is the spaces; if they are removed, everything will be fine.
Since it is an integer, cast it as one. Don't try to use it as a string.
PHP Code:
$id = intval("99999 OR id > 0"); // intval() reads the leading digits and stops at the first non-digit, so $id is the integer 99999
Problem solved.
__________________
Eric
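An added example, not code from either poster, that reproduces the unquoted-integer injection freenity describes and contrasts it with Eric's intval() fix and with validate-then-bind. It uses an in-memory SQLite table so it runs offline (mysql_real_escape_string() needs a live MySQL connection, so SQLite3::escapeString() stands in for it; the SQLite3 extension bundled with PHP is assumed to be enabled). The table, its rows and the input list are constructed for the demo.

```php
<?php
// Added example (not from the thread). Assumes the bundled SQLite3 extension.
// mysql_real_escape_string() needs a MySQL connection, so SQLite3::escapeString()
// stands in for it; both only rewrite quote characters.

function makeDb(): SQLite3
{
    $db = new SQLite3(':memory:');
    $db->enableExceptions(true);   // make query errors throw instead of warn
    // Constructed demo table and rows.
    $db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO user (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
    return $db;
}

function countRows(SQLite3Result $res): int
{
    $n = 0;
    while ($res->fetchArray(SQLITE3_ASSOC)) {
        $n++;
    }
    return $n;
}

// 1. Escaping only. The payload contains no quote character, so the escape
//    function leaves it untouched and the clause "id = 99999 OR id > 0" reaches
//    the database as-is, matching every row. Returns null if the SQL is invalid.
function lookupEscaped(SQLite3 $db, string $id): ?int
{
    $sql = 'SELECT * FROM user WHERE id = ' . SQLite3::escapeString($id);
    try {
        return countRows($db->query($sql));
    } catch (Exception $e) {
        return null;   // the database rejected the SQL (syntax error)
    }
}

// 2. Eric's fix: cast to int. intval() keeps the leading digits and stops at
//    the first non-digit, so only an integer ever lands in the query text.
function lookupCast(SQLite3 $db, string $id): int
{
    $sql = 'SELECT * FROM user WHERE id = ' . intval($id);
    return countRows($db->query($sql));
}

// 3. Validate, then bind. filter_var() rejects anything that is not a whole
//    integer instead of silently coercing it, and the prepared statement keeps
//    the value out of the SQL text altogether. Returns null for rejected input.
function lookupBound(SQLite3 $db, string $id): ?int
{
    $int = filter_var($id, FILTER_VALIDATE_INT);
    if ($int === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM user WHERE id = :id');
    $stmt->bindValue(':id', $int, SQLITE3_INTEGER);
    return countRows($stmt->execute());
}

function show(?int $n, string $whenNull): string
{
    return $n === null ? $whenNull : (string) $n;
}

$db = makeDb();
$inputs = [
    '2',                 // a normal request
    '99999 OR id > 0',   // the payload from the thread
    '2abc',              // junk that intval() silently turns into 2
];
foreach ($inputs as $id) {
    printf("%-18s escaped=%s  intval=%s  bound=%s\n",
        var_export($id, true),
        show(lookupEscaped($db, $id), 'error'),
        show(lookupCast($db, $id), 'error'),
        show(lookupBound($db, $id), 'rejected'));
}
```

Running it shows the three behaviours side by side: with escaping alone the payload returns all three rows, with intval() it returns none (id 99999 does not exist), and the bound version rejects it before any SQL is built. The '2abc' input is the caveat to "problem solved": intval() quietly accepts it as 2, which is harmless for injection but hides malformed input, whereas FILTER_VALIDATE_INT turns it away. Casting covers integer columns only; for string values there is no equivalent of intval(), so bound parameters are the general answer.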