| SitePoint Sponsor |
Okay... I'm not a malicious hacker... I'm just worried for security and idiot proofing my scripts. Are there any ways that to avoid magic quotes... ie. putting into a form field - "; delete from table; - So that when the field contents are submited it would try to empty out 'table', but it changes " to \", any way to change it?
--Odd
"We all live in a yellow subroutine."
"Some call it insanity; I call it inspiration!"
Its not possible to execute a DELETE at the end of a SELECT, but there are still numerous other exploits that can be found in many scripts. Check out my sig if you think your application needs a security evaluation.
/* Chris Lambert - chris@php.net
WhiteCrown Networks, CTO - Web Application Security
vBulletin, Security Programmer - Instant Community
*/
I just tested the following code to verify this:
and guess what happened?Code:select * from test; delete from test where email="test";
It returned the table, then deleted the record.
Granted this was just on the command line for MySQL.
Stallion, what does PHP do to prevent this?
Yes, that would happen from the command line.
PHP only allows one query, and its standard procedure to not stick the semicolon at the end of that one query. If there is a semi colon, I believe PHP will just chop off the extra statements on the end.
/* Chris Lambert - chris@php.net
WhiteCrown Networks, CTO - Web Application Security
vBulletin, Security Programmer - Instant Community
*/
Posting Permissions
Bookmarks