Is there an SQL injection possibility even when using mysql_real_escape_string() function?
Consider this sample situation. SQL is constructed in PHP like this:
$login = mysql_real_escape_string(GetFromPost('login'));
$password = mysql_real_escape_string(GetFromPost('password'));
$sql = "SELECT * FROM table WHERE login='$login' AND password='$password'";
I have heard numerous people say to me that code like that is still dangerous and possible to hack even with the mysql_real_escape_string() function used. But I cannot think of any possible exploit.
Classic injections like this:
aaa' OR 1=1 --
do not work.
Do you know of any possible injection that would get through the PHP code above?
Consider the following query:
$iId = mysql_real_escape_string("1; DROP table");
$sSql = "SELECT * FROM table WHERE id = $iId";
mysql_real_escape_string will not protect you against this. The fact that you use single quotes '' around your variables inside your query is what protects you against this. The following is also an option:
$iId = (int)mysql_real_escape_string("1; DROP table");
$sSql = "SELECT * FROM table WHERE id = $iId";
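Added example (not part of the question or the answer above, and written in Python rather than PHP so it can run without a MySQL server): it re-implements what mysql_real_escape_string() does for a single-byte connection charset (an assumption; multibyte charsets are not modelled), emulates PHP's (int) cast, and then checks each of the three query constructions discussed here with a small lexer that follows MySQL's string-literal rules (backslash escapes and doubled quotes stay inside a literal). An input counts as an injection if it changes the SQL shape that remains once literals are blanked out. For the unquoted case it also tries `1 OR 1=1`, which works inside a single statement and so does not depend on stacked queries being allowed. The payloads and the benign values `alice`, `s3cret` and `42` are constructed for the demo.

```python
import re

# Re-implementation of PHP's mysql_real_escape_string() for a single-byte
# connection charset (assumption). It only backslash-escapes the characters
# MySQL treats specially inside a quoted literal.
_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r",
    "\\": "\\\\", "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}

def mysql_real_escape_string(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def php_int_cast(value):
    """Emulate PHP's (int) cast of a string: leading integer, else 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0

def blank_string_literals(sql, placeholder="?"):
    """Replace every string literal with placeholder, following MySQL's lexer
    rules: a backslash escapes the next character and a doubled quote stays
    inside the literal. What remains is the only text the SQL grammar sees;
    anything still inside a literal is data, not SQL."""
    out, i, n = [], 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch not in ("'", '"'):
            out.append(ch)
            i += 1
            continue
        quote, i = ch, i + 1            # opening quote: enter the literal
        while i < n:
            if sql[i] == "\\":          # escaped character stays inside
                i += 2
            elif sql[i] == quote and sql[i + 1:i + 2] == quote:
                i += 2                  # doubled quote stays inside
            elif sql[i] == quote:       # closing quote
                i += 1
                break
            else:
                i += 1
        out.append(placeholder)
    return "".join(out)

def skeleton(sql):
    """Query shape: string literals and bare numbers collapsed to '?'."""
    return re.sub(r"\b\d+\b", "?", blank_string_literals(sql))

# The three constructions discussed on the page.
def login_query(login, password):
    """The asker's query: escaped input inside single quotes."""
    login = mysql_real_escape_string(login)
    password = mysql_real_escape_string(password)
    return f"SELECT * FROM table WHERE login='{login}' AND password='{password}'"

def id_query_unquoted(raw_id):
    """The answer's first snippet: escaped, but no quotes around the value."""
    return f"SELECT * FROM table WHERE id = {mysql_real_escape_string(raw_id)}"

def id_query_int(raw_id):
    """The answer's fix: cast to int so only digits can reach the query."""
    return f"SELECT * FROM table WHERE id = {php_int_cast(raw_id)}"

def login_injected(login, password="pw"):
    """True if the attacker-controlled login altered the query's SQL shape."""
    return skeleton(login_query(login, password)) != skeleton(login_query("alice", "s3cret"))

def id_injected(builder, raw_id):
    """True if raw_id altered the shape of the query built by builder."""
    return skeleton(builder(raw_id)) != skeleton(builder("42"))

if __name__ == "__main__":
    # Constructed payloads; quotes, backslashes and double quotes all stay
    # inside the literal when the value is quoted.
    for p in ["aaa' OR 1=1 --", "\\' OR 1=1 --", 'x" OR 1=1 --']:
        print(f"{p!r:20} quoted login   injected={login_injected(p)}")
    for p in ["1 OR 1=1", "1; DROP table"]:
        print(f"{p!r:20} unquoted id    injected={id_injected(id_query_unquoted, p)}")
        print(f"{p!r:20} (int) cast id  injected={id_injected(id_query_int, p)}")
```

The quoted login query keeps every payload inside the literal, so its shape never changes; the unquoted numeric query is broken by `1 OR 1=1` even though the escape function ran, because there is nothing in that input for it to escape; the (int) cast reduces both payloads to `1` and the shape is preserved.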
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki