Is this query vulnerable to sql injection?

Question

$myq = sprintf("select user from table where user='%s'", $_POST["user"]);

I would like to know if the above query can be exploited using SQL injection. Is there any advanced SQL injection technique that could break sprintf for this particular query?

Answer 1

I don't think it needs to be particularly advanced... try an input of

' OR 1 = 1 OR user='

In other words, you'll get SQL of:

select user from table where user='' OR 1 = 1 OR user=''

Does that look like a query you really want to execute? (Now consider the possibility of it dropping tables instead, or something similar.)

The bottom line is that you should be using a parameterised query.

Answer 2

Yes, I'd say you have a potential problem there :)

You need to escape: \x00, \n, \r, \, ', " and \x1a. sprintf() does not do that, sprintf() does no modification to strings, it just expands whatever variadic arguments that you give it into the buffer that you provide according to the format that you specify.

If the strings ARE being transformed, its likely due to magic quotes (as Rob noted in Comments), not sprintf(). If that is the case, I highly recommend disabling them.