Is this query vulnerable to SQL injection?

$myq = sprintf("select user from table where user='%s'", $_POST["user"]);

I would like to know if the query above can be exploited with SQL injection. Is there any advanced SQL injection technique that could get past sprintf for this particular query?

+5
8 answers

I don't think this should be particularly advanced ... try typing

' OR 1 = 1 OR user='

In other words, you get SQL:

select user from table where user='' OR 1 = 1 OR user=''

Does this look like a query that you really want to execute? (Now consider the possibility of dropping tables instead, or something similar.)

The bottom line is that you should use a parameterized query.

+25
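The answer above can be checked end to end. The following is an added example, not code from the original question or answers: it rebuilds the same query in Python against an in-memory SQLite database (the table is called users rather than table, since table is a reserved word, and the column values are constructed sample data) and runs the `' OR 1 = 1 OR user='` payload through both the sprintf-style string formatting from the question and a parameterized query.

```python
import sqlite3

# Constructed sample data; the original page has no rows, only the query.
SAMPLE_USERS = [("alice",), ("bob",), ("carol",)]

# The payload from the answer above.
PAYLOAD = "' OR 1 = 1 OR user='"


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user):
    """Same construction as the PHP sprintf("... user='%s'", $_POST["user"]):
    the untrusted value is pasted into the SQL text, so quotes in it become
    part of the statement.  Deliberately vulnerable."""
    query = "select user from users where user='%s' order by user" % user
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, user):
    """The fix: the value is bound as a parameter and never parsed as SQL,
    whatever bytes it contains."""
    query = "select user from users where user=? order by user"
    return [row[0] for row in conn.execute(query, (user,))]


def demo():
    """Run both lookups with a normal name and with the payload."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_payload": lookup_vulnerable(conn, PAYLOAD),
        "parameterized_normal": lookup_parameterized(conn, "alice"),
        "parameterized_payload": lookup_parameterized(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22s} -> {rows}")
```

With the payload, the formatted query returns every row because `1 = 1` is always true, while the parameterized query returns nothing: there is no user literally named `' OR 1 = 1 OR user='`.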

sprintf does not escape anything, and nothing in PHP makes it do so. With %s, sprintf passes every byte of the argument through unchanged:

$str = implode('', range("\x00", "\xFF"));        // string of every byte from 0x00 to 0xFF
var_dump(sprintf("'%s'", $str) === "'".$str."'"); // true

So yes, it is vulnerable. To protect against it (on MySQL, assuming you're using MySQL), escape the value with **mysql_real_escape_string**:

$myq = sprintf("select user from table where user='%s'", mysql_real_escape_string($_POST["user"]));
+8

Yes, yes it is :)

The characters that need escaping are: \x00, \n, \r, \, ', " and \x1a. sprintf() does nothing with any of them, so sprintf() on its own will not save you.

There ARE situations where the input gets escaped, e.g. magic quotes (as Rob said), but that happens before it reaches sprintf(). Don't rely on it.

+8

What if $_POST["user"] is "'; SHUTDOWN;"?

+4

Yes, it is! :)
And don't rely on magic quotes!

Make sure magic_quotes_gpc is off in the ini file, and use mysql_real_escape_string instead.

+1

Yes, it is.

In PHP, you can sanitize the input first, for example:

$inUser = $_POST['user'];
// Strips HTML tags (FILTER_SANITIZE_STRING is deprecated as of PHP 8.1)
$outUser = filter_var($inUser, FILTER_SANITIZE_STRING);

That strips HTML tags from it.

Then escape it:

$inUser = $_POST['user'];
// $conn is an open mysqli connection; the escaping depends on its charset
$outUser = mysqli_real_escape_string($conn, $inUser);

That escapes the characters MySQL treats as special, e.g. quotes.

Finally, use a prepared statement:

$sql = "SELECT user FROM table WHERE user = ?";
$stmt = $pdo->prepare($sql);     // $pdo is an open PDO connection
$params = array($outUser);       // the value is bound, not pasted into the SQL
$stmt->execute($params);

That way the value is bound as data and is never parsed as SQL.


+1
$_POST["user"] = "' or 1=1 or user='"
0

Yes.

For example:

'; delete * from table
0
