
php, html mysql 'select * from table' interpreted as <select></select> option box

I've just hit a weird display issue.我刚刚遇到了一个奇怪的显示问题。

I have an ecommerce site which allows the user to add free text in a description field. This value is stored in a MySQL database and later read out to the screen in a description.

During some testing I've found that if the user puts 'select * from table' it is stored and returned correctly but the HTML is turning it into

<span class="idesc break-word">TESTING TESTING %$#$!OIUOQI#UQO@)( <select *="" from="" table=""></select></span>


which in turn appears as an empty select drop down box.

I already use ? bind variables in the PHP-to-MySQL code, so firstly:

  1. Is there something else I should be doing to protect against dodgy data entry?
  2. Is this indicative that I could be open to other such attacks?

If values of the field that was created in that manner are being passed further down the application and can end up sent to the database, then yes, you are open to SQL injection attacks.

Is there some code that is looking for "select" and decides that a field should be created from that? If yes, that looks somewhat dangerous and there could be more areas where this ecommerce app makes potentially dangerous decisions.

Binding is a good step in preventing unexpected data types from being entered, but going a step further, like limiting some characters, e.g. ;<>, is also a good way. What worries me with your example is that you were not expecting a select field, but got one; that means that once broken, that mechanism could be further exploited to interact with your database.
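The round trip described in the question, as an added example that is not code from the original question or answer: the description is written with a bound parameter (the SQL side the asker already has) and then encoded for the HTML text context when it is echoed, which is the step that turns `<select * from table>` back into literal text instead of an element. The `products` table, the `PDO` connection and the product id are assumptions for illustration; the sample input is constructed from the text in the question.

```php
<?php
// Added example, not the site's own code. Assumes a table
// products(id INT, description TEXT) and a PDO connection (both assumed).

// Constructed sample input: the text from the question. Echoed raw, the
// browser parses "<select * from table>" as an empty <select> element.
$userInput = 'TESTING TESTING %$#$!OIUOQI#UQO@)( <select * from table>';

// 1. Storage: a bound parameter keeps the text as data, never as SQL syntax.
function storeDescription(PDO $db, int $productId, string $text): void
{
    $stmt = $db->prepare('UPDATE products SET description = ? WHERE id = ?');
    $stmt->execute([$text, $productId]);
}

// 2. Output: encode for the HTML text context so '<' cannot open a tag.
function renderDescription(string $text): string
{
    // ENT_QUOTES escapes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning an empty string; the charset must match the page.
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="idesc break-word">' . $safe . '</span>';
}

// Demonstration without a live database. The first line reproduces what the
// question observed; the second shows the literal text instead of a dropdown.
echo "Raw (browser sees a <select> element):\n";
echo '<span class="idesc break-word">' . $userInput . "</span>\n\n";
echo "Escaped (browser shows the literal text):\n";
echo renderDescription($userInput) . "\n";
// The escaped output contains "&lt;select * from table&gt;" rather than a <select> tag.

// Wiring in the storage step (connection details are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'user', 'pass',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// storeDescription($db, 42, $userInput);
```

Encoding at output time rather than stripping characters at input time keeps the stored description intact (a legitimate product description may contain `<` or `;`) and makes the protection independent of how the value reached the database. `htmlspecialchars` covers the HTML text and attribute-value contexts only; a description placed inside a script block or a URL needs the encoding appropriate to that context.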
