Find solution
How will this affect chances of preventing SQL injection?

How will this affect chances of preventing SQL injection?

  • I have posted about this before but never in this regard so please take a look: I was told one way to do sql injections was to use 1=1 where someone can see all entries that don't belong to them. But lets say i structure my query so that it also selects the user_id of the current user, would that work: $userid = Current users stored id in database; $postid = mysql_real_escape_string($_GET['id']); And now lets assume that i enter: domain.com/page.php?id='' OR '1'='1' Select article_name from table where user_id=$userid and post_id=$postid Will the query still return everything or will it not since i have added the User_id barrier?

  • Answer:

    mysql_real_escape_string() is for sanitizing strings only. It does NOT protect from SQL injection in integers that are not wrapped in quotes, so your observation is correct: What is shown above is indeed not safe despite mysql_real_escape_string(). You need to either wrap your values in quotes: Select article_name from table where user_id='$userid' and post_id='$postid' or make sure that $userid and $postid are integers before running the query.

Sam Khan at Stack Overflow Visit the source

Was this solution helpful to you?

Other answers

If you use PDO you don't have to worry about escaping data (in this situation): $stmt = $pdo->prepare('SELECT article_name FROM table WHERE user_id = :userid AND post_id = :postid'); $stmt->execute(array( ':userid' => $userid, ':postid' => intval($_GET['id']) //Just to be safe )); // You could also do this instead (thanks @Digital Precision) //$stmt->bindValue(':postid', $_GET['id'], PDO::PARAM_INT); //$stmt->execute(array(':userid' => $userid)); while($row = $stmt->fetch()) { //Work with data } For more on PDO see the http://www.php.net/pdo. The problem with using http://www.php.net/mysql_real_escape_string is that as its name suggests it only escapes strings. It escapes the characters that can be used to terminate a string so that an attacker can't close a string and enter malicious SQL. If you are stubborn and refuse to use PDO, you could use a function like http://www.php.net/intval on any unsanitized integers to ensure they contain only numbers. $post_id = intval($_GET['id']); //Now $post_id can only be a number

PhpMyCoder

Not sure what you mean by "I was told one way to do sql injections was to use 1=1 where someone can see all entries that don't belong to them". 1=1 always evaluates to true. I've only ever seen this done when the query being generated by the application has only conditional where clauses with no root where clause. Not sure what it has to do with protecting you from sql injections.

Mike Purcell

Your query would look like: Select article_name from table where user_id=$userid and post_id=\'\' OR \'1\'=\'1\' As other mention while i typing this, it is better to quote your values. So you will have: Select article_name from table where user_id=$userid and post_id='\'\' OR \'1\'=\'1\'' This returns nothing, if there is not a post with such id. So your query will not return every post from the current user. But keep in mind to quote your values.

akDeveloper

Related Q & A:

Just Added Q & A:

Find solution

For every problem there is a solution! Proved by Solucija.

  • Got an issue and looking for advice?

  • Ask Solucija to search every corner of the Web for help.

  • Get workable solutions and helpful tips in a moment.

Just ask Solucija about an issue you face and immediately get a list of ready solutions, answers and tips from other Internet users. We always provide the most suitable and complete answer to your question at the top, along with a few good alternatives below.