|
|
|
|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 132
Members: 0
Total: 132
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
Is this... ? |
|
Posted: Tue Jul 27, 2004 5:42 pm |
|
|
rain |
Regular user |
|
|
Joined: Jun 29, 2004 |
Posts: 12 |
|
|
|
|
|
|
|
Code: |
$result=mysql_query("SELECT * FROM user WHERE id='$id'",$db);
$row=mysql_fetch_row($result);
titulo("$row[1]");
echo"<p>$row[2]</p>";
|
Is this vurnable to sql injection? I think it is??? |
|
|
|
|
|
|
|
|
Posted: Fri Aug 13, 2004 12:14 am |
|
|
Imster |
Beginner |
|
|
Joined: Aug 13, 2004 |
Posts: 3 |
|
|
|
|
|
|
|
Quote: | Code:
$result=mysql_query("SELECT * FROM user WHERE id='$id'",$db);
$row=mysql_fetch_row($result);
titulo("$row[1]");
echo"<p>$row[2]</p>";
Is this vurnable to sql injection? I think it is??? |
It depends on the variable $id, if you are using stripslashes() then your fairly safe (safer than not using it anyway).
Code: |
$id = stripslashes($id);
$result=mysql_query("SELECT * FROM user WHERE id='$id'",$db);
$row=mysql_fetch_row($result);
titulo("$row[1]");
echo"<p>$row[2]</p>";
|
Or if your going to be passing all sorts of variables at different times on different pages...you could make a custom function and include it on all pages where you want to make a variable safe. For example:
Make the file safe_inc.php and put:
Code: |
function MakeSafe($sfe)
{
$sfe = stripslashes($sfe);
// add any custom code to make vars safe
return $sfe;
}
|
Then in the page you want to make safe...add this to the beginning:
Code: |
include_once('safe_inc.php');
|
And then when you want to make a var safe do:
Code: |
MakeSafe($variable_name);
|
I know its a long post to a simple question but I just wanted to show the methods to make vars safe in PHP in case any of you were at all interested. If not then I just wasted a minute of your life..
(Ps hi people im new here) |
|
|
|
|
|
|
|
|
Posted: Sun Aug 15, 2004 9:30 pm |
|
|
madman |
Active user |
|
|
Joined: May 24, 2004 |
Posts: 46 |
|
|
|
|
|
|
|
Just an addition. Use addslashes instead of stripslashes.
This code can be used to sanitize single- or double-quote regardless of magic quotes in effect:
Code: | function quote_me($str) {
while (preg_match('/\[\'"]?/', $str)) $str = stripslashes($str);
return addslashes($str);
}
$id = "0' OR password<>'";
$id = quote_me($id);
$sql = "SELECT username FROM table WHERE id = '$id'"; |
Use the previous method (that was called "safe" stripslashes), this is what we got:
Code: | SELECT username FROM table WHERE id = '0' OR password<>'' |
It will produce a doom!
Using addslashes, the SQL query string would be:
Code: | SELECT username FROM table WHERE id = '0\' OR password=\'' |
That's what should called S A F E. |
|
_________________ ch88rs,
madman |
|
|
|
Posted: Wed Aug 18, 2004 10:55 am |
|
|
Imster |
Beginner |
|
|
Joined: Aug 13, 2004 |
Posts: 3 |
|
|
|
|
|
|
|
heh thanks. Will change my habbit now |
|
|
|
|
Posted: Wed Aug 18, 2004 7:42 pm |
|
|
madman |
Active user |
|
|
Joined: May 24, 2004 |
Posts: 46 |
|
|
|
|
|
|
|
To be honest, I never rely on addslashes() function only. |
|
_________________ ch88rs,
madman |
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|