  1. #1
    SitePoint Member

    Safe from SQL Injection with magic_quotes_gpc on?

    Hello

    I use PHP/MySQL. For example, I have a script which has an SQL statement like this in it: SELECT * FROM xyz WHERE='$_GET['id']' and magic quotes are on.

    Is this vulnerable? And what can a cracker do, if he can? (erase, change data?)

  2. #2
    Mlle. Ledoyen silver trophy seanf's Avatar
    You need to make sure the id is not doing anything naughty! I'm not sure if this would work, or if this is the correct code p), but a user could change id to something like this and try and drop the database (if they knew the name):

    1;DROP DATABASE name_of_your_db

    One thing you should do is make sure the data is the correct type, id is probably an integer, so make sure:

    PHP Code:

        $id = (int) $_GET['id'];

    If id is anything other than an integer it will be given the value 0 and can't do any harm.

    Sean
    Harry Potter

    -- You lived inside my world so softly
    -- Protected only by the kindness of your nature
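    The following is an added example (not code from this thread or from SitePoint) that walks through the two points in post #2: what magic_quotes_gpc does to the query in post #1, and how the (int) cast neutralises the "1;DROP DATABASE" input. It only builds the SQL text; no database is touched, and the table/column names are made up.

    ```php
    <?php
    // Added example, not from the thread. Builds SQL strings only; nothing is executed.

    // Emulate magic_quotes_gpc (removed in PHP 5.4): it backslash-escapes ' " \ and NUL,
    // which is exactly what addslashes() does.
    function magic_quotes(string $value): string {
        return addslashes($value);
    }

    // The query shape from post #1: the value sits inside single quotes.
    function quoted_query(string $id): string {
        return "SELECT * FROM xyz WHERE id = '" . $id . "'";
    }

    // The shape post #2 warns about: the value is used bare, as an integer.
    function bare_query(string $id): string {
        return "SELECT * FROM xyz WHERE id = " . $id;
    }

    // Post #2's mitigation. PHP's (int) cast keeps only the leading numeric prefix:
    // "1;DROP DATABASE x" becomes 1, "abc" becomes 0.
    function safe_id(string $raw): int {
        return (int) $raw;
    }

    $payload = "1;DROP DATABASE name_of_your_db";   // the input from post #2 (constructed)

    echo quoted_query(magic_quotes($payload)), "\n";
    // SELECT * FROM xyz WHERE id = '1;DROP DATABASE name_of_your_db'
    // Inside the quoted literal the text is just a string value; the quotes
    // magic_quotes would escape are not even present in this input.

    echo quoted_query(magic_quotes("1'")), "\n";
    // SELECT * FROM xyz WHERE id = '1\''
    // A quote in the input is escaped, so it cannot terminate the literal.

    echo bare_query(magic_quotes($payload)), "\n";
    // SELECT * FROM xyz WHERE id = 1;DROP DATABASE name_of_your_db
    // With no quotes around the value, magic_quotes changes nothing at all.

    echo bare_query((string) safe_id($payload)), "\n";
    // SELECT * FROM xyz WHERE id = 1

    echo bare_query((string) safe_id("abc")), "\n";
    // SELECT * FROM xyz WHERE id = 0
    ```

    Note that the classic mysql_query() sends a single statement, so the second statement in the bare case would be rejected by the driver, but any other expression placed in that unquoted slot still rewrites the WHERE clause; the cast (or a prepared statement with a bound parameter) is what actually closes the hole.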

  3. #3
    The doctor is in... silver trophy MarcusJT's Avatar
    See this thread for info on SQL Injection attacks (including some links to MySQL-specific pages, as far as I remember):
    http://www.sitepointforums.com/showt...threadid=60643
    MarcusJT
    - former ASP web developer / former SPF "ASP Guru"
    - *very* old blog with some useful ASP code

    - Please think, Google, and search these forums before posting!