Question:
Question about SQL Injection in PHP?
alex
2008-07-13 17:51:40 UTC
I saw someone write code like this:

$sql = "select Password from user where EmailAddress='" . $_REQUEST['EmailAddress'] . "'";
mysql_query($sql);
... etc ...

When I pointed out that this code is vulnerable to SQL Injection, the coder said "prove it!"... Well, I went and tried it on the test website but it appears that PHP has some sort of built-in protection... The characters get automatically escaped... Where is this documented?

Thanks
Four answers:
2008-07-13 18:07:06 UTC
Yeah, "magic" quotes are a royal pain, and anyway, if you bind an array of PHP variables to MySQL variables, you'll easily eliminate SQL injection without screwing up your quotes with backslashes in place of the pairing that is the proper form of escaping in MySQL anyway!

Example:

// Named placeholders (:col1 ...) need a bind array keyed by the same names;
// a plain positional array would not match them.
$stmt = $db->query('INSERT IGNORE INTO mytable(col1, col2, col3) VALUES(:col1, :col2, :col3)',
    array(':col1' => $col1, ':col2' => $col2, ':col3' => $col3));
2016-10-31 04:46:18 UTC
Any container that someone fills on a sort which you technique to a database CAN comprise a vicious piece of code. To steer away from this, you should income archives till now putting (or updating) your tables. Say you have a container "address" (often long), set as a "varchar" (a hundred): that a hundred characters would be a command! Worse: fields defined as "text cloth". Till now putting/updating, verify those string queries for malicious code, instructions and so on (words like "insert", "delete", "decide on", "create", document extensions which includes "asm", "exe"), or non-texts (i.e. characters below 0x1F) and reject in case you detect one. Even with the undeniable fact that, don't be too paranoid: in the adventure that your web site is respectable, so would be your travellers. In simple terms make a computerized DB backup on an accepted basis.
2008-07-13 17:58:31 UTC
Almost every site I have tried is not vulnerable to SQL Injection.
covinher
2008-07-13 17:55:21 UTC
probably magic quotes:

http://us3.php.net/magic_quotes

Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed.
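The first answer (bind parameters instead of building the query string) and covinher's answer (don't rely on magic quotes; handle the data properly at runtime) point at the same fix for the query in the question. The following is an added example, not code posted in the thread: it takes the question's `user` / `EmailAddress` / `Password` query, shows why a magic-quotes-enabled test server made the injection appear to fail, and replaces the string concatenation with a PDO prepared statement. The DSN, database name and credentials are placeholders, and the fallback request value is constructed for illustration.

```php
<?php
// Added example, not from the original thread. Assumes a MySQL database with a
// `user` table holding `EmailAddress` and `Password` columns, as in the question.
// Host, database name and credentials below are placeholders.
$db = new PDO('mysql:host=localhost;dbname=EXAMPLE_DB;charset=utf8mb4',
              'EXAMPLE_USER', 'EXAMPLE_PASSWORD',
              array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
                    PDO::ATTR_EMULATE_PREPARES => false));

// Constructed request value: a single quote followed by a comment marker is
// exactly what breaks the concatenated query from the question.
$email = isset($_REQUEST['EmailAddress'])
    ? $_REQUEST['EmailAddress']
    : "alice@example.com' -- ";

// Why the questioner's test "looked safe": with magic_quotes_gpc enabled, PHP
// (removed in 5.4) added backslashes to GET/POST/COOKIE data before the script
// ever saw it. That is a php.ini setting, not a defence, and it is off by
// default on modern PHP. Undo it so the bound value is the real input.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $email = stripslashes($email);
}

// Vulnerable form from the question, kept only for contrast and never run here:
// $sql = "select Password from user where EmailAddress='" . $email . "'";

// Hardened form: the SQL text is fixed at prepare time and the value travels
// separately as a parameter, so quotes or comment markers inside $email are
// treated as data, never as SQL.
$stmt = $db->prepare('SELECT Password FROM user WHERE EmailAddress = :email');
$stmt->execute(array(':email' => $email));
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false) {
    echo "no such user\n";
} else {
    echo "found a matching row\n";
}
```

With `PDO::ATTR_EMULATE_PREPARES` set to false the statement is prepared server-side, so the separation between query text and parameter is enforced by MySQL rather than by client-side quoting; this is the runtime handling covinher's answer recommends over magic quotes, and it also answers the "prove it" challenge in the question: the constructed value produces no matching row instead of altering the query.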

This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.