I have tried and tried to achieve an SQL injection by making custom queries to the server outside of Firefox.
Inside the PHP, all variables are passed into the query in a string like this.
Note, by this stage, $_POST has not been touched.
mysql_query('INSERT INTO users (password, username) VALUES(' . sha1($_POST['password']) . ',' . $_POST['username'] . ')');
Is that a secure way to make a change?
You should definitely escape the username with mysql_real_escape_string.
Of course the best solution would be to use prepared statements. That way the separation of query syntax and data is made on the mysql API level.
And, as others pointed out, values should absolutely be surrounded with quotes. Especially the text ones.
What you are doing there is dangerous since someone can send a POST request with an evil user name. You can either check every parameter and escape it; additionally you could use mysqli (http://php.net/manual/en/book.mysqli.php) and bind the parameters using prepare+bind.
The first step is good to avoid exploits on other users, while the second is good for your server-side safety.
Also check out this question: How do you prevent SQL injection in LAMP applications?
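Both answers above recommend prepared statements over building the query as a string. The following is an added example, not code from the question or either answer: it shows the question's query in its unsafe shape beside a mysqli prepared-statement version and the escape-and-quote fallback the first answer mentions. The table layout, connection details and function names are assumptions.

```php
<?php
// Added example. Assumes a table `users(username VARCHAR(64), password CHAR(40))`
// and the placeholder connection details below.
$mysqli = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($mysqli->connect_error) {
    die('Connection failed: ' . $mysqli->connect_error);
}

// UNSAFE (the shape of the question's query): the request values are spliced
// straight into the SQL text and are not even quoted, so a username containing
// a quote, comma or parenthesis changes the structure of the statement.
function insertUserUnsafe(mysqli $db, array $post): bool
{
    $sql = 'INSERT INTO users (password, username) VALUES('
         . sha1($post['password']) . ',' . $post['username'] . ')';
    return $db->query($sql) !== false;
}

// HARDENED: prepared statement. The SQL text with placeholders is parsed by
// the server first; the values are sent separately and are never interpreted
// as SQL, so no escaping of $_POST is required.
function insertUserSafe(mysqli $db, array $post): bool
{
    $stmt = $db->prepare('INSERT INTO users (password, username) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    // sha1 is kept to match the question; password_hash() is the usual choice today.
    $hash = sha1($post['password']);
    $name = $post['username'];            // bind_param needs variables, not expressions
    $stmt->bind_param('ss', $hash, $name);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Fallback if the query must stay a string: escape AND quote every value.
// Escaping without the surrounding quotes does not protect the query.
function insertUserEscaped(mysqli $db, array $post): bool
{
    $sql = "INSERT INTO users (password, username) VALUES ('"
         . $db->real_escape_string(sha1($post['password'])) . "', '"
         . $db->real_escape_string($post['username']) . "')";
    return $db->query($sql) !== false;
}

if (isset($_POST['username'], $_POST['password'])) {
    insertUserSafe($mysqli, $_POST);
}
```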