SQL injection

gnznroses · 02-29-2008, 10:11 PM

I want to ensure that my scripts are safe against SQL injection, and i've read techniques, but i'm confused because even without using any security measures, i can't get injection to work in testing.

for example, on one form i ask for a username and do a search for it:

PHP Code:


		
			
$query = "SELECT id FROM users WHERE name='" . strtolower($userinfo['name']) . "'";

$result = mysql_query($query);

if (!$result){

//echo debug info

};

so i enter this as a username:

Quote:

a'; delete from delme where a='22

the query doesn't execute and triggers the debug info, which is as follows:

Quote:

Could not run name check
Magic quotes is disabled

query is:
SELECT id FROM users WHERE name='a'; delete from delme where a='22'

username was:
a'; delete from delme where a='22

you have an error in your sql syntax; check the manual that corresponds to your mysql server version for the right syntax to use near '; delete from delme where a='22'' at line 1

if i copy and paste that query, as listed above, mysql will run it and delete the row. so why doesn't this injection work?
i'm trying to understand what's going on and if i need to escape data at all.

nasty.web · 03-01-2008, 06:56 PM

PHP - MySQL doesn't support stacked queries. You can run only one query at a time.

You should still escape data to avoid any other types of sql injection. For example:

Code:

SELECT id FROM users WHERE name='a' OR BENCHMARK(1000000,SHA1(1))

gnznroses · 03-01-2008, 07:07 PM

oh, ok, thanks. so just use mysql_real_escape_string for each form input, and then i'm all set right?

nasty.web · 03-01-2008, 07:16 PM

I think, yes.

kyrie · 03-05-2008, 11:17 AM

mysql_real_escape_string is the function that will help us to prevent SQL injections attacks...