[nycphp-talk] Is there something wrong with this SQL query in PHP?

Anthony Wlodarski aw at sap8.com
Wed Aug 15 08:42:45 EDT 2007


That would be horrendous if someone did that.  Alright all my queries get
updated then.  I didn't know that a SQL query string in PHP could contain
more than one command (I am so new to PHP/MySQL) but I guess as long as
there is a delimiter (";") any number of commands could be run, malicious or
not.

Anthony Wlodarski
Senior Technical Recruiter
Shulman Fleming & Partners
646-285-0500 x230
aw at sap8.com


From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Brian O'Connor
Sent: Wednesday, August 15, 2007 8:35 AM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Is there something wrong with this SQL query in
PHP?


From what I understand, it's all queries that need this protection, not
just INSERT/UPDATE.

One example that Brian Dailey gave was with your original query

$query = "SELECT * FROM `jobsdb` WHERE `id` =".$_POST['id']."";

Someone could supply in $_POST['id']:

1; DROP `jobsdb`;

This could easily be transferred to:

SELECT * FROM `jobsdb` WHERE `id` = ".$_POST['id'].""; 
and $_POST['id'] could still contain 1; DROP `jobsdb`

thus the full query would result in

SELECT * FROM `jobsdb` WHERE `id`=1; DROP `jobsdb`

This is my understanding however, and I could be wrong. Any clarification
on the subject would be nice.

On 8/15/07, Anthony Wlodarski <aw at sap8.com> wrote:

I ran a test (just added a SQL command, harmless one in a text field) to see
what happens on SQL injection, without proper slashing or escaping
(addslashes/mysql_real_escape_string).  I like mysql_real... cause it takes 
the guess work out of making the data safe.  Thanks everyone for the brief
lesson on the dangers of this (now I get to go back to all my INSERT/UPDATE
queries and add this functionality, better safe than sorry). 

Anthony Wlodarski
Senior Technical Recruiter
Shulman Fleming & Partners
646-285-0500 x230
aw at sap8.com

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Ben Sgro (ProjectSkyLine)
Sent: Tuesday, August 14, 2007 9:15 PM
To: NYPHP Talk 
Subject: Re: [nycphp-talk] Is there something wrong with this SQL query in
PHP?

heh,

Yeah I guess. They weren't validating the user's input. = ]

- Ben

Ben Sgro, Chief Engineer
ProjectSkyLine - Defining New Horizons 

----- Original Message -----
From: "John Campbell" <jcampbell1 at gmail.com>
To: "NYPHP Talk" <talk at lists.nyphp.org>
Sent: Tuesday, August 14, 2007 8:31 PM
Subject: Re: [nycphp-talk] Is there something wrong with this SQL query in
PHP?


>> They had the exact same problems w/XSS, no input validation.
> 
> Input validation?  Don't you mean output escaping?  You must not allow
> uber leet usernames like |<33|>.  :)
>
> -john campbell
> _______________________________________________ 
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php 





-- 
Brian O'Connor 
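The hardened counterpart to the concatenated query discussed in this thread, as an added example that is not part of any of the messages above: it validates the posted id and binds it as a parameter instead of splicing it into the SQL text. The in-memory SQLite table is an assumption so the script runs offline (the list's stack is MySQL); the table name `jobsdb` and the `id` column come from the original query.

```php
<?php
// Added example, not code from the thread. Assumes PDO with the pdo_sqlite
// extension so it runs offline; the thread's actual stack is MySQL.

// The pattern from the thread: untrusted input spliced into SQL text.
// Returned here as a string only, to show what the input turns into.
function unsafeQueryText(string $untrustedId): string
{
    return "SELECT * FROM `jobsdb` WHERE `id` = " . $untrustedId;
}

// Hardened version: reject anything that is not an integer, then bind the
// value as a parameter so the driver never treats it as SQL.
function fetchJobById(PDO $db, string $untrustedId): ?array
{
    $id = filter_var($untrustedId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;                      // not a job id; do not query at all
    }
    $stmt = $db->prepare('SELECT id, title FROM jobsdb WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory fixture standing in for the list's MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE jobsdb (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO jobsdb VALUES (1, 'PHP developer'), (2, 'DBA')");

$postedId = '1; DROP `jobsdb`';          // the value discussed in the thread

echo unsafeQueryText($postedId), PHP_EOL;
// SELECT * FROM `jobsdb` WHERE `id` = 1; DROP `jobsdb`

var_dump(fetchJobById($db, $postedId));  // NULL: rejected before any SQL runs
var_dump(fetchJobById($db, '2'));        // the row for job 2
```

The old mysql_query() function executed only one statement per call, so the stacked DROP in the thread would not have run through it; the concatenated query is still unsafe, because the input remains part of the SQL text rather than a bound value.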
