Is SQL injection (oneliner) safe?

PHP:

$SQL = "SELECT goodies FROM stash WHERE secret='" .
    str_replace("'", '', $_POST['secret']) .
"'";

Can an evil genius hacker embed SQL in my SELECT - How?

+5
4 answers

I had some time to think about it, and I see no way to embed SQL in this statement.

SQL, , , (\' ''). , . , , SQL-.



$SQL = "SELECT goodies FROM stash WHERE secret='" .
    str_replace("'", '', $_POST['secret']) .
"' AND secret2='" .
    str_replace("'", '', $_POST['secret2']) .
"'";

secret = `\`, secret2 = ` OR 1 = 1 --`:

SELECT goodies FROM stash WHERE secret='\' AND secret2=' OR 1 = 1 -- '

MySQL:

SELECT goodies FROM stash WHERE secret='...' OR 1 = 1

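The backslash bypass in the answer above, as an added example that is not part of the original question or any of the answers. It builds the two-field query exactly as the answer does, then scans the result the way MySQL scans a single-quoted literal (backslash escapes the next character, `''` is an escaped quote) to show which part of the input ends up executing as SQL, and finishes with the parameterised alternative that the later answers reach for via escaping. The function names (`buildNaiveQuery`, `sqlAfterLiteral`, `fetchGoodies`) and the sample inputs are constructed for this example.

```php
<?php
// Added example (not code from the original page). Demonstrates why
// str_replace("'", '', ...) is not a sufficient defence against injection
// when the backend is MySQL, which treats backslash as an escape character
// inside quoted strings, and shows the parameterised alternative.

// The construction from the answer, extended to two user-supplied fields.
function buildNaiveQuery(string $secret, string $secret2): string
{
    return "SELECT goodies FROM stash WHERE secret='" .
        str_replace("'", '', $secret) .
        "' AND secret2='" .
        str_replace("'", '', $secret2) .
        "'";
}

// Minimal model of how MySQL scans the single-quoted literal that opens at
// offset $start: a backslash escapes the following character, '' is an
// escaped quote, and an unescaped ' terminates the literal. Returns the text
// that follows the literal, i.e. the part MySQL parses as SQL, not as data.
function sqlAfterLiteral(string $sql, int $start): string
{
    $i = $start + 1;                     // skip the opening quote
    $len = strlen($sql);
    while ($i < $len) {
        $c = $sql[$i];
        if ($c === '\\') {               // backslash escapes the next char
            $i += 2;
            continue;
        }
        if ($c === "'") {
            if ($i + 1 < $len && $sql[$i + 1] === "'") { // '' inside literal
                $i += 2;
                continue;
            }
            return substr($sql, $i + 1); // unescaped quote: literal ends here
        }
        $i++;
    }
    return '';                           // unterminated literal
}

// Constructed payload from the answer: a lone backslash in the first field
// swallows the closing quote, so the second field is no longer inside a
// string literal and its "OR 1 = 1 --" is parsed as SQL.
$sql = buildNaiveQuery('\\', ' OR 1 = 1 -- ');
echo $sql, "\n";
// SELECT goodies FROM stash WHERE secret='\' AND secret2=' OR 1 = 1 -- '

$tail = sqlAfterLiteral($sql, strpos($sql, "'"));
echo "Parsed as SQL after the first literal:", $tail, "\n";
// " OR 1 = 1 -- '"  -> the "--" then comments out the dangling quote

// Mitigation: pass the values to the driver separately from the query text.
// $secret and $secret2 never become part of the SQL string, so MySQL never
// scans them for quotes or backslashes at all.
function fetchGoodies(PDO $db, string $secret, string $secret2): array
{
    $stmt = $db->prepare(
        'SELECT goodies FROM stash WHERE secret = ? AND secret2 = ?'
    );
    $stmt->execute([$secret, $secret2]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}
```

Running the script needs no database: the first two echoes show the assembled query and the `OR 1 = 1` clause escaping the literal. `fetchGoodies()` is the shape to use with a real `PDO` connection; with prepared statements the single-field "oneliner" from the question is safe for the same reason the two-field version is, because the input is never spliced into the statement text.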

+6

mysql_real_escape_string()?

+14

May be. The best way:

$query = sprintf("SELECT goodies FROM stash WHERE secret='%s'",
    addcslashes(mysql_real_escape_string($_POST['secret']), '%_'));
0

Why not just use mysql_escape_string? And yes, he could add " instead of ', and plus, this request will give you an error, I think.

-1