Are multi-line queries safe from SQL injection?

This may be a dumb question. Or maybe my hacking skills are limited (I don't practice them at all).

I have a query that looks like this:

<?php
$query =<<<eot
    SELECT      table_x.field1,
                table_x.field2,
                table_y.*,
                table_z.field4
    FROM        (
                    SELECT ...
                ) as table_y
    LEFT JOIN   table_x
    ON          table_x.field1 = table_y.field_x
    LEFT JOIN   table_z
    ON          table_z.field1 = table_y.field_z
    WHERE       table_x.field3 = '$something'
    AND         table_z.field4 = '1'
    AND         table_z.field5 = '2'
eot;
?>

I have many other tests on $something before it is used, for example $something = explode(' ', $something); (which will lead to a string later). None of them is intended to prevent injection, but they make it difficult to get this injection in, as it is the actual request. However, there are ways. We all know how easy it is to replace a space with something else that is still relevant.

So, it is not a problem to get the potentially harmful part of SQL into this $something... But is there a way to comment out the rest of the original query string if it is multi-line?

AND table_z.field4 = '1' ;--, AND table_z.field5 = '2'

/* - , , ?

. , SELECT * FROM my_table WHERE 1 = 1.

$something = "'; DROP TABLE table_x; SELECT * FROM table_z WHERE '1' = '1";

@Techpriester: , .

http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html (old version, same)

PDO is a database abstraction layer that “prepares statements”, but a prepared statement is something else entirely!
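The point the question and the prepared-statement replies circle around, as an added example that is not from the thread: the database parses the whole query string, so the line breaks in the heredoc make no difference, and the tautology from the answers ('1' = '1') spliced into the WHERE clause still widens the result set. This uses Python and an in-memory SQLite database standing in for PHP/MySQL; the schema, rows, the src table and the two functions are constructed for the demonstration and mirror the shape of the query in the question.

```python
import sqlite3

# Constructed schema and rows: table_x joined to a derived table_y and to table_z,
# as in the question. 'secret' is the row an attacker should not be able to read.
SETUP = """
CREATE TABLE table_x (field1 INTEGER, field2 TEXT, field3 TEXT);
CREATE TABLE table_z (field1 INTEGER, field4 TEXT, field5 TEXT);
CREATE TABLE src     (field_x INTEGER, field_z INTEGER);
INSERT INTO table_x VALUES (1, 'alice', 'public'), (2, 'bob', 'secret');
INSERT INTO table_z VALUES (10, '1', '2'), (11, '1', '2');
INSERT INTO src VALUES (1, 10), (2, 11);
"""

# Same multi-line layout as the question; the only difference between the two
# functions below is how $something reaches the WHERE clause.
QUERY = """
    SELECT      table_x.field1,
                table_x.field2,
                table_y.*,
                table_z.field4
    FROM        (SELECT field_x, field_z FROM src) AS table_y
    LEFT JOIN   table_x ON table_x.field1 = table_y.field_x
    LEFT JOIN   table_z ON table_z.field1 = table_y.field_z
    WHERE       table_x.field3 = {where}
    AND         table_z.field4 = '1'
    AND         table_z.field5 = '2'
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP)
    return conn


def interpolated(something):
    # Vulnerable: the value is spliced into the SQL text, as in the heredoc.
    # Line breaks do not isolate the clauses; the parser sees one statement.
    sql = QUERY.format(where=f"'{something}'")
    return fresh_db().execute(sql).fetchall()


def parameterized(something):
    # Hardened: the value is bound as a parameter and can only ever be a string
    # compared against field3, never SQL. Same idea as a MySQL/PDO prepared
    # statement with a real server-side placeholder.
    sql = QUERY.format(where="?")
    return fresh_db().execute(sql, (something,)).fetchall()
```

With the legitimate value 'public' both functions return the single alice row; with the value public' OR '1'='1 the interpolated query returns every row, the parameterized one returns none.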
