Sql injection attempt PHP 5.2.6
Question
Using PHP 5.2.6 in XAMPP :
I read about sql injections here and tried that with the following login form :
<html><body>
<form method='post' action='login.php'>
<input type='text' name='user'/>
<input type='text' name='pass'/>
<input type='submit'/>
</form>
</body></html>
and php code :
<?php
$user = $_POST['user'];
$pass = $_POST['pass'];
$query = "Select * from users where user='$user' AND pass='$pass'";
echo $query;
mysql_connect('localhost','root','');
mysql_select_db('test');
$res = mysql_query($query);
if($res) $row = mysql_fetch_assoc($res);
if($row) echo 'yes';
?>
What I found out was, the $pass variable already had all the special characters escaped. So, is there no need to use the mysql _ real _ escape _ string in PHP 5.2.6 then?
3 answers
solution1
4 2009-06-27 15:00:20
The values may be escaped due to Magic Quotes being enabled in your server configuration. Magic quotes are considered very bad, basically for the exact reason you mention. It is not safe to rely on a feature that may or may not be on to automagically escape your incoming data. It is much better to do it yourself at run time.
For more information on Magic quotes, and why they're bad, and how to disable them, take a look at a few of these SO questions/answers:
solution2
3 2009-06-27 15:01:13
No, I don't think you're right here. Whether or not php magically escapes special characters in this example, the interpreter isn't going to perform mysql specific escaping on your query args.
I think it's extremely likely that there's a vulnerability in this code.
solution3
3 ACCPTED 2009-06-27 15:02:32
It is likely your PHP server is configure to use Magic Quotes . A deprecated setting in PHP that automatically escapes all incoming data in a PHP script. It's deprecated and will be removed in PHP 6. Here are Zend's reasons for removing Magic Quotes.
It's better to not rely on 'magic' that makes many things work but breaks others. Explicitly escaping your input is more reliable and makes you design better code. For example, not all input needs to be escaped in the same way.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.