tags:

views:

181

answers:

4
+2  Q: 

Are multiline queries sql-injection safe?

This might be a stupid question. Or maybe my hacking skills are limited (I don't practice them at all).

I have a query that looks like this:

<?php
$query =<<<eot
    SELECT      table_x.field1,
                table_x.field2,
                table_y.*,
                table_z.field4
    FROM        (
                    SELECT ...
                ) as table_y
    LEFT JOIN   table_x
    ON          table_x.field1 = table_y.field_x
    LEFT JOIN   table_z
    ON          table_z.field1 = table_y.field_z
    WHERE       table_x.field3 = '$something'
    AND         table_z.field4 = '1'
    AND         table_z.field5 = '2'
eot;
?>

I have a lot of other tests on $something before it gets used, like $something = explode(' ',$something); (which later result in a string) none of them intend to prevent injection but they make it hard for the given injection to get as is to the actual query. However, there are ways. We all know how easy it is to replace a space for something else which is still valid..

So, it's not really a problem to make a potentially harmful piece of SQL reach that $something... But is there any way to comment the rest of the original query string if it is multi-line?

I can comment AND table_z.field4 = '1' using ;-- but can't comment the following AND table_z.field5 = '2'

Is it possible to open a multi-line comment /* without closing it or something looked like and therefore allow the injection to ignore the multi-line query?

+2  A: 

It's not safe. Even if it can't comment out the rest, it could prefix it with SELECT * FROM my_table WHERE 1=1.

Adam Crume  2010-06-01 17:37:02
Thanks Adam, you're right. It's easy to hack this multi-line query. Shame on me for failing to see that option.This is however an example and my situation is a little more complicated. Since I failed to explain myself I will accept your answer as correct.
acmatos  2010-06-01 17:47:26
+4  A:  
$something = "'; DROP TABLE table_x; SELECT * FROM table_z WHERE '1' = '1";
BlueRaja - Danny Pflughoeft  2010-06-01 17:37:44
+2  A: 

Use prepared statements to be safe:

http://www.php.net/manual/en/pdo.prepare.php

String interpolation always has the risk of code injection if your input is not sufficiently cleaned.

Removing the possibility to execute arbitrary code is the easier AND much safer way.

Techpriester  2010-06-01 17:45:37
+1 This is really the only correct answer. "Cleaning" yourself is only as good as your knowledge of SQL injection. Let the database/tested ORM handle it for you.
richsage  2010-06-01 17:49:05
+2  A: 

@Techpriester: that's not what a prepared statement is.

http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html (old version, same thing)

PDO is a database abstraction layer that "prepares statements", but a prepared statement is something entirely different!

Entendu  2010-06-01 19:41:31
PDO emulates prepared statements by default, but you can turn this mode off `$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);` Watch your MySQL general query log and see it working!
Bill Karwin  2010-06-01 19:58:55

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases