I am still researching SQL injection, but the easiest way for me personally has always been good examples, so here is a part of my code:

```php
$sql = "INSERT INTO `comments` (`id`, `idpost`, `comment`, `datetime`, `author`, `active`) "
     . "VALUES (NULL, '" . addslashes($_POST['idcomment']) . "', '" . addslashes($_POST['comment']) . "', "
     . "NOW(), '" . addslashes($_POST['name']) . "', '1');";
mysql_query($sql);
```

Understanding that all of the POST vars are passed in by the user, can you show me how I would make an injection against this script, in order to understand more about this vulnerability? Thanks!

My database server is MySQL.
addslashes(), always use mysql_real_escape_string(). There are known edge cases where addslashes() is not enough.

If you are starting something new on your own, better to use a database wrapper that supports prepared statements, like PDO or mysqli.
Most of the other answers appear to have missed the point of this entirely.

Nevertheless, based on your example above (and despite your code not following best-practice usage of mysql_real_escape_string()), it's beyond my ability to inject anything truly harmful when you make use of

However, if you omit it, a user could enter a string into the name field that looks something like:
some name'; DROP TABLE comments; --
The aim is to end the current statement, and then execute your own.

-- is a comment and is used to make sure nothing that would normally come after the injected string is processed.

However (again), it is my understanding that MySQL automatically closes the DB connection at the end of a single statement's execution. So even if I did get as far as dropping a table, MySQL would cause that second statement to fail.

But this is not the only kind of SQL injection; I'd recommend reading up more on the subject. My research turned up this document from dev.mysql.com, which is very good: http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf

Edit, another thought:
```php
/* little code cleanup */
$idcomment = intval($_POST['idcomment']);                 // numeric column: cast, don't quote
$comment   = mysql_real_escape_string($_POST['comment']); // string columns: escape for the connection's charset
$name      = mysql_real_escape_string($_POST['name']);
$sql = "INSERT INTO comments (idpost, comment, datetime, author, active) "
     . "VALUES ($idcomment, '$comment', NOW(), '$name', 1)";
mysql_query($sql);
```