Can I be hacked with this code?

I bought a script that has some weird code in it. I'm a beginner at PHP, but I know a little about things like sanitizing input.

This is the code:

    <form action="sendpass.php" method="post" id="sendpassform">
        <input type="text" name="email" />
        <input type="submit" name="sendpass" value="Send" />
    </form>
    ?>
    ...
    if($_REQUEST['email'] != ''){
        $email = $_REQUEST['email'];
        $k = mysql_query("SELECT * FROM users WHERE email='".$email."'") or die(mysql_error());
        $result = mysql_fetch_array($k);
        ....
    }

What is interesting to me is whether someone can hack a site using this form, because the email field is simply passed directly to SQL without any escaping ...

+6
security php mysql
7 answers

Yes. This is called SQL injection. Any value provided by the user is included directly in the SQL statement; this is an opportunity.

+7

Yes, pretty easy with SQL injection.

+7

You should use $email = mysql_real_escape_string($_REQUEST['email']);

This should prevent any SQL injection attacks.

To answer your question, it is possible, but whether there is any damage or not depends on what you do with the data received from MySQL (not shown).

+7

The short answer is yes, although I cannot show you how this happens; I do not have enough information about the structure of the database, and I do not want to know. :)

There are some very simple steps you can take to make your code more secure:

  • $email = mysqli_real_escape_string($database_connection, $_REQUEST['email']);

    this escapes any dangerous characters that could adversely affect the SQL string

  • $email = mysqli_real_escape_string($database_connection, trim($_REQUEST['email']));

    in this step, we added a trim function that removes any surrounding spaces - which are used to launch SQL injection attacks

If you need more information on SQL / Programming security, I would suggest the following books:

  • Head First PHP and MySQL (for beginners it's really good)
  • Hacking Exposed Web Applications, 3rd Edition

Good luck, and do not hesitate to ask any questions that you may have.

+4

This could be cited as a simple example of how SQL injection becomes possible. Of course, you need to escape the $email variable.

+2

The $email variable is inserted as-is when used in the SQL. But the contents of the variable can contain escape characters and other SQL. This can lead to someone running an arbitrary SQL query on the server.

+1

This looks like an example from an SQL injection tutorial. If you need to integrate user input into a database query, you should always consider the following two security measures. Both should be applied, if possible, just in case:

  • Use prepared statements (if your database driver supports this)
  • Perform input validation

You should only use input if it is plausible. The regular expression for checking an email address is something like this (taken from ESAPI, the Enterprise Security API):

    ^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
+1
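As an added example (not code from the question or any of the answers), here is the same lookup written the way the last two answers recommend: the e-mail is first checked against the ESAPI pattern, then passed to a mysqli prepared statement as a bound parameter, so it is never spliced into the SQL text. It assumes the question's `users` table with an `email` column, a mysqli connection built from placeholder credentials, and the mysqlnd driver for `get_result()`.

```php
<?php
// Added example, not part of the original question or answers.
// Assumes the `users` table from the question and placeholder DB credentials.

// ESAPI e-mail pattern quoted in the last answer, used as a whitelist.
const EMAIL_PATTERN = '/^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[a-zA-Z]{2,4}$/';

function isPlausibleEmail(string $email): bool
{
    // Quotes, semicolons and comment markers never match this shape,
    // so rejected input never reaches the database at all.
    return preg_match(EMAIL_PATTERN, $email) === 1;
}

/**
 * Look up a user by e-mail with a prepared statement.
 * Returns the row as an associative array, or null if nothing matched
 * or the input failed validation.
 */
function findUserByEmail(mysqli $db, string $email): ?array
{
    if (!isPlausibleEmail($email)) {
        return null;
    }
    // The SQL text is fixed at prepare time; the value travels separately
    // as a typed parameter, which is what makes injection impossible here.
    $stmt = $db->prepare('SELECT * FROM users WHERE email = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // requires mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Usage, mirroring the original script's flow (placeholder credentials):
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$email = trim($_REQUEST['email'] ?? '');
if ($email !== '') {
    $result = findUserByEmail($db, $email);
    // ... continue with $result as sendpass.php does
}
```

Escaping with mysqli_real_escape_string(), as the third and fourth answers suggest, also works for this one query, but the prepared statement does not depend on remembering to escape every value in every query.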
