12-08-2007, 07:16 PM
#9
Wizard
Join Date: Sep 2007
Posts: 1,299
Thanks: 17
Always single-quote your variables; otherwise injection is easy (even if cleaned). For instance:
PHP Code:
$var = "1 OR 1=1 --";
$query = mysql_query("SELECT * FROM `users` WHERE `id` = $var");
// the query is now: mysql_query("SELECT * FROM `users` WHERE `id` = 1 OR 1=1 --");
Even if you clean that, the injection will work. Now, if you change it to
PHP Code:
$query = mysql_query("SELECT * FROM `users` WHERE `id` = '$var'");
The hacker would have to put in a single quote to insert a command, and the single quote would be escaped, turning the query into
PHP Code:
$query = mysql_query("SELECT * FROM `users` WHERE `id` = '1 OR 1=1 --'");
All types must be quoted; MySQL knows how to deal with it.
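The three query shapes from the post above, run side by side as an added example (not code from the forum post or from any PHP/MySQL library). It uses Python's built-in sqlite3 with an in-memory table of constructed sample rows so it runs offline; `escape_quotes` is a minimal stand-in for an escaping function such as mysql_real_escape_string, and the lookup function names are the example's own. Beyond the post, it also shows a parameterised query, which is the form a defender should reach for: the value is bound separately from the SQL text, so neither quoting nor escaping has to be remembered.

```python
import sqlite3

# Constructed sample data for the demo (not from the post).
SAMPLE_USERS = [(1, "alice"), (2, "bob"), (3, "carol")]

# The payload quoted in the post, and the quote-breaking variant the post
# says a single-quoted query would force an attacker to use.
PAYLOAD = "1 OR 1=1 --"
QUOTE_PAYLOAD = "1' OR '1'='1"


def make_db():
    """Create an in-memory users table filled with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unquoted(conn, user_input):
    """Vulnerable: the value is interpolated bare, exactly like the first
    snippet in the post. '1 OR 1=1 --' turns the WHERE clause into a tautology."""
    sql = f"SELECT id, name FROM users WHERE id = {user_input}"
    return conn.execute(sql).fetchall()


def lookup_quoted_unescaped(conn, user_input):
    """Quoted but NOT escaped: a single quote in the input still closes the
    string and the rest of the payload becomes SQL. Shown as the caveat to
    the post's advice: quoting only helps together with escaping."""
    sql = f"SELECT id, name FROM users WHERE id = '{user_input}'"
    return conn.execute(sql).fetchall()


def escape_quotes(value):
    """Hypothetical stand-in for mysql_real_escape_string: in SQL string
    literals a single quote is escaped by doubling it."""
    return value.replace("'", "''")


def lookup_quoted_escaped(conn, user_input):
    """The post's recommended form: quoted AND escaped. The whole payload
    stays inside one string literal and simply matches no id."""
    sql = f"SELECT id, name FROM users WHERE id = '{escape_quotes(user_input)}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, user_input):
    """Preferred form: the SQL text is fixed and the value is bound as a
    parameter, so the driver never lets input be parsed as SQL."""
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (user_input,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for name, fn in [
        ("unquoted", lookup_unquoted),
        ("quoted, unescaped", lookup_quoted_unescaped),
        ("quoted, escaped", lookup_quoted_escaped),
        ("parameterised", lookup_parameterised),
    ]:
        print(f"{name:18} benign '2'     -> {fn(db, '2')}")
        for payload in (PAYLOAD, QUOTE_PAYLOAD):
            try:
                print(f"{name:18} {payload!r:16} -> {len(fn(db, payload))} row(s)")
            except sqlite3.Error as exc:
                print(f"{name:18} {payload!r:16} -> SQL error: {exc}")
```

Running it shows the unquoted query returning every row for `1 OR 1=1 --`, the quoted-but-unescaped query returning every row for the quote-breaking variant, and both the quoted-and-escaped and the parameterised query returning nothing for either payload while still finding `bob` for the benign input `2`. The integer column still matches a quoted `'2'` because the database applies numeric affinity to the literal, which is the point the post makes with "mysql knows how to deal with it".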