Using PHP 5.2.6 in XAMPP:
I read about SQL injections here and tried that with the following login form:

<html><body>
     <form method='post' action='login.php'>
      <input type='text' name='user'/>
      <input type='text' name='pass'/>
      <input type='submit'/>
     </form>
</body></html>

and PHP code:

<?php
// Raw form values are dropped straight into the SQL string below;
// nothing here escapes them explicitly.
$user = $_POST['user'];
$pass = $_POST['pass'];
$query = "Select * from users where user='$user' AND pass='$pass'";
echo $query;
mysql_connect('localhost','root','');
mysql_select_db('test');
$res = mysql_query($query);
$row = false; // initialised so the check below does not read an undefined variable when the query fails
if($res) $row = mysql_fetch_assoc($res);
if($row) echo 'yes';
?>

What I found out was that the $pass variable already had all the special characters escaped. So, is there no need to use mysql_real_escape_string in PHP 5.2.6 then?

+4  A: 

The values may be escaped due to Magic Quotes being enabled in your server configuration. Magic quotes are considered very bad, basically for the exact reason you mention. It is not safe to rely on a feature that may or may not be on to automagically escape your incoming data. It is much better to do it yourself at run time.

For more information on Magic quotes, and why they're bad, and how to disable them, take a look at a few of these SO questions/answers:

jason
+3  A: 

No, I don't think you're right here. Whether or not PHP magically escapes special characters in this example, the interpreter isn't going to perform MySQL-specific escaping on your query args.

I think it's extremely likely that there's a vulnerability in this code.

Dana the Sane
+2  A: 

It is likely your PHP server is configured to use Magic Quotes, a deprecated setting in PHP that automatically escapes all incoming data in a PHP script. It's deprecated and will be removed in PHP 6. Here are Zend's reasons for removing Magic Quotes.

It's better to not rely on 'magic' that makes many things work but breaks others. Explicitly escaping your input is more reliable and makes you design better code. For example, not all input needs to be escaped in the same way.

Martijn Heemels
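As an added example (not code from the question or any of the answers), here is the same login lookup written so that it does not depend on magic_quotes_gpc being on or off: the raw value is recovered first, so nothing is escaped twice, and the values are then bound as parameters instead of being pasted into the SQL text. It assumes PHP 5.2 with the mysqli extension, the same `test` database with a `users(user, pass)` table, and a `$_POST` form like the one above.

```php
<?php
// Added example: hardened version of the login query from the question.
// Assumes PHP 5.2 with mysqli and a table users(user, pass) in database `test`.

// Recover the raw submitted value whether or not magic quotes are enabled,
// so the code behaves the same on every server and never escapes twice.
function raw_input($value) {
    if (get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

$user = raw_input(isset($_POST['user']) ? $_POST['user'] : '');
$pass = raw_input(isset($_POST['pass']) ? $_POST['pass'] : '');

$db = new mysqli('localhost', 'root', '', 'test');
if (mysqli_connect_error()) {
    die('connect failed');
}

// Declare the connection charset: connection-aware escaping and parameter
// binding depend on it, which is one reason addslashes()-style magic quotes
// are not a substitute for MySQL-specific escaping.
$db->set_charset('utf8');

// Prepared statement: the user-supplied values never become part of the SQL
// text, so quoting characters in them cannot change the query's structure.
$stmt = $db->prepare('SELECT 1 FROM users WHERE user = ? AND pass = ?');
if ($stmt === false) {
    die('prepare failed');
}
$stmt->bind_param('ss', $user, $pass);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows > 0) {
    echo 'yes';
}
$stmt->close();
$db->close();
?>
```

If you must stay with the old mysql_* functions, the equivalent of the binding step is calling mysql_real_escape_string on each raw value after the connection (and its charset) is established, never before.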