I am still researching SQL injection, but the easiest way for me personally has always been good examples. This is a part of my code:

// user input goes straight into the query string, guarded only by addslashes()
$sql = "INSERT INTO `comments` (`id`, `idpost`, `comment`, `datetime`, `author`, `active`)
        VALUES (NULL, '" . addslashes($_POST['idcomment']) . "', '" .
        addslashes($_POST['comment']) . "', NOW(), '" .
        addslashes($_POST['name']) . "', '1');";

mysql_query($sql);

Knowing that all of the POST vars are passed in by the user, can you show me how I would make an injection against this script, so that I can understand more about this vulnerability? Thanks!

My database server is MySQL.

Don't use addslashes(); always use mysql_real_escape_string(). There are known edge cases where addslashes() is not enough.

If you are starting something new, best use a database wrapper that supports prepared statements, like PDO or mysqli.
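As an added example (not code from the original thread), the following Python script uses an in-memory SQLite database as a stand-in for MySQL to show the difference between building the INSERT by string concatenation, as the question's PHP does, and passing the values as parameters of a prepared statement. The payload, the addslashes() emulation and the table layout are constructed for the example. Backslash escaping is MySQL-specific syntax (SQLite doubles the quote instead), so the escaped query is only built and printed, never executed here.

```python
import sqlite3

# Constructed payload: closes the author string, appends a second statement,
# and comments out whatever the original query had after it.
PAYLOAD = "some name'; DROP TABLE comments; --"


def addslashes(s: str) -> str:
    """Emulation of PHP's addslashes(): backslash before ' " \\ and NUL.
    This is MySQL-style escaping; SQLite doubles quotes instead, which is one
    reason hand escaping is fragile across databases."""
    return (s.replace("\\", "\\\\")
             .replace("'", "\\'")
             .replace('"', '\\"')
             .replace("\0", "\\0"))


def build_concat_query(idcomment: str, comment: str, name: str, escape=None) -> str:
    """Build the INSERT the way the question's PHP does: user input pasted
    straight into the SQL text, optionally run through an escape function.
    datetime('now') stands in for MySQL's NOW()."""
    esc = escape or (lambda s: s)
    return (
        "INSERT INTO comments (id, idpost, comment, datetime, author, active) "
        f"VALUES (NULL, '{esc(idcomment)}', '{esc(comment)}', datetime('now'), "
        f"'{esc(name)}', '1')"
    )


def new_db() -> sqlite3.Connection:
    """In-memory database with a table shaped like the one in the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, idpost INTEGER, "
        "comment TEXT, datetime TEXT, author TEXT, active INTEGER)"
    )
    return conn


def table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name='comments'"
    ).fetchone()
    return row is not None


def try_execute_single(conn: sqlite3.Connection, sql: str) -> str:
    """Run the concatenated query through the single-statement API.
    sqlite3's execute() refuses text that contains more than one statement,
    so the injected DROP TABLE never reaches the engine this way."""
    try:
        conn.execute(sql)
        conn.commit()
        return "executed"
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return f"refused: {exc}"


def insert_parameterized(conn: sqlite3.Connection, idpost: int, comment: str, author: str) -> None:
    """Prepared-statement version: values travel separately from the SQL text,
    so a quote or semicolon in the author is just data."""
    conn.execute(
        "INSERT INTO comments (idpost, comment, datetime, author, active) "
        "VALUES (?, ?, datetime('now'), ?, 1)",
        (idpost, comment, author),
    )
    conn.commit()


def fetch_authors(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT author FROM comments")]


if __name__ == "__main__":
    print(build_concat_query("1", "hi", PAYLOAD))
    print(build_concat_query("1", "hi", PAYLOAD, escape=addslashes))
    db = new_db()
    print(try_execute_single(db, build_concat_query("1", "hi", PAYLOAD)))
    insert_parameterized(db, 1, "hi", PAYLOAD)
    print(fetch_authors(db), table_exists(db))
```

The first printed query shows the payload terminating the author literal and starting a new statement; the second shows addslashes() turning the quote into a literal. The parameterized insert stores the whole payload unchanged as the author name, and the table survives.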

Most of the other answers seem to have missed the point of this entirely.

However, based on your example above (and despite your code not following the best practice of using mysql_real_escape_string()), it is beyond my ability to inject anything truly harmful when you make use of addslashes().

However, if you omit it, a user could enter a string into the name field that looks something like:

some name'; DROP TABLE comments; --

The goal is to end the current statement and then execute your own. -- is a comment and is used to make sure nothing that would normally come after the injected string is processed.

However (again), it is my understanding that MySQL automatically closes the DB connection at the end of a single statement's execution. So even if I did get as far as dropping a table, MySQL would cause that second statement to fail.

But this is not the only kind of SQL injection; I recommend reading up more on the subject. My research turned up this document from dev.mysql.com, which is very good: http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf


Edit, another thought:

Depending on what happens to the data once it goes to the database, I might not need to inject any SQL at all. I might want to inject some HTML/JavaScript that gets run when you publish the data back to a web page, in a Cross-Site Scripting (XSS) attack. That is also something to be aware of.
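The stored XSS case from the edit above, as an added Python example that is not part of the original answer. A comment that was saved unchanged (which is exactly what a correct database layer does) is rendered back into a page twice: once raw, once with HTML output encoding. The stored comment, the attribute-breakout author name and the rendering template are constructed for this example.

```python
import html

# Constructed stored comment: what the database hands back, byte for byte.
STORED_COMMENT = {
    "author": "mallory",
    "comment": "<script>alert(document.cookie)</script>",
}


def render_comment(author: str, comment: str, encode_output: bool = True) -> str:
    """Render one stored comment as an HTML fragment.

    With encode_output the characters < > & ' " are replaced by entities
    (html.escape defaults to quote=True, so attribute values are covered too);
    the browser then shows the payload as text instead of executing it.
    Without it, the fragment is assembled the way a naive PHP echo would."""
    enc = html.escape if encode_output else (lambda s: s)
    return (
        f'<div class="comment" data-author="{enc(author)}">'
        f"<b>{enc(author)}</b>: {enc(comment)}</div>"
    )


def contains_live_script(fragment: str) -> bool:
    """Crude check for the demo only: is there still a real <script> tag?"""
    return "<script>" in fragment.lower()


if __name__ == "__main__":
    raw = render_comment(**STORED_COMMENT, encode_output=False)
    safe = render_comment(**STORED_COMMENT)
    print(raw)   # script tag intact: executes when the page loads
    print(safe)  # &lt;script&gt;...: shown as text
    # Attribute context: a double quote in the author would otherwise close
    # data-author="..." and let the attacker add an event handler.
    print(render_comment('x" onmouseover="alert(1)', "hello"))
```

Encoding must happen at output time, in the context the value lands in (text node, attribute, URL, script). Escaping for SQL on the way in does nothing for the HTML on the way out, and stripping tags before storage is both lossy and easy to get wrong.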

As said before, for strings use mysql_real_escape_string() instead of addslashes(), and for integers use intval().

/* little code cleanup */

$idcomment = intval($_POST['idcomment']);
$comment = mysql_real_escape_string($_POST['comment']);
$name = mysql_real_escape_string($_POST['name']);

$sql = "INSERT INTO comments (idpost, comment, datetime, author, active)
        VALUES ($idcomment, '$comment', NOW(), '$name', 1)";

mysql_query($sql);
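Why the cleaned-up code needs intval() and not just escaping for the integer column, as an added Python example that is not from the original answer. In the rewritten query $idcomment is not wrapped in quotes, so an attacker needs no quote character at all, and a string escaper has nothing to escape. The escape emulation, the intval() approximation and the payload are constructed for the example; the mysql_real_escape_string() emulation covers the characters MySQL's C API escapes for ASCII input only.

```python
import re

# Constructed payload for the unquoted integer slot: it contains no quote,
# backslash or newline, so string escaping leaves it untouched.
NUMERIC_PAYLOAD = "0, NULL, NULL, NULL, 0); DROP TABLE comments; --"

_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
            "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}


def escape_string(s: str) -> str:
    """Approximation of mysql_real_escape_string() for ASCII input.
    Digits, commas, parentheses and semicolons pass through unchanged."""
    return "".join(_ESCAPES.get(ch, ch) for ch in s)


def intval(s: str) -> int:
    """Approximation of PHP intval() on a string: leading optional sign and
    digits, else 0. Whatever follows the number is discarded."""
    m = re.match(r"\s*[+-]?\d+", s)
    return int(m.group()) if m else 0


def build_cleaned_query(idcomment: str, comment: str, name: str, int_guard) -> str:
    """Mirror the cleaned-up answer: the integer is unquoted and passed through
    int_guard, the strings are quoted and escaped. NOW() is kept as text since
    this only builds the query."""
    return (
        "INSERT INTO comments (idpost, comment, datetime, author, active) "
        f"VALUES ({int_guard(idcomment)}, '{escape_string(comment)}', NOW(), "
        f"'{escape_string(name)}', 1)"
    )


if __name__ == "__main__":
    # Escaping only: the payload closes the VALUES list and starts DROP TABLE.
    print(build_cleaned_query(NUMERIC_PAYLOAD, "hi", "bob", int_guard=escape_string))
    # intval(): the payload collapses to 0 and the query stays a single INSERT.
    print(build_cleaned_query(NUMERIC_PAYLOAD, "hi", "bob", int_guard=intval))
```

The same reasoning applies to any unquoted context (numbers, column names in ORDER BY, LIMIT values): escaping is defined relative to a quoted string literal, so outside one it provides no protection, and the value must be validated or cast to its expected type, or bound as a parameter.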