[2008-09-30 09:20 UTC] olafvdspek at gmail dot com
[2008-09-30 10:26 UTC] pablo dot angulo at uam dot es
[2008-11-02 17:16 UTC] danbrown@php.net
Copyright © 2001-2025 The PHP Group. All rights reserved.
Last updated: Sun Oct 26 07:00:01 2025 UTC
Description:
------------
mysql_real_escape_string documentation gives the false impression that its use alone will prevent MySQL attacks and unauthorized access to the database in all circumstances. For numeric columns, mysql_real_escape_string is not enough.

Example:

    $user  = mysql_real_escape_string($_GET['user']);
    $pass  = mysql_real_escape_string($_GET['pass']);
    $id    = mysql_real_escape_string($_GET['id']);
    $query = "SELECT x FROM t WHERE user='$user' AND pass='$pass' AND id=$id";
    mysql_query($query);

is susceptible to the attack

    http://example.com/index.php?id=1 OR 1=1

because mysql_real_escape_string does not escape whitespace.

The check is_numeric($id) is a solution to the above; putting the number between quotes in the query also is, and using sprintf is another solution, but the documentation does not suggest that any of those should be used. There should be at least a pointer to:

http://php.net/manual/en/security.database.sql-injection.php

so that we newbies know this is not a trivial issue.
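The following is an added example, not code from the bug report or from php.net. It builds the report's query four ways: escaping only (the vulnerable pattern), and then each of the three fixes the reporter names (is_numeric, quoting the number, sprintf with %d). Because the mysql_* extension needs a live server and was removed in PHP 7, the escape_like_mysql() function is a stand-in assumed by this example: it escapes the same characters mysql_real_escape_string() does (NUL, \n, \r, backslash, single and double quote, \x1a) and, like the real function, leaves spaces and SQL keywords alone. The input values are constructed to mirror the URL in the report.

```php
<?php
// Added example, not from the bug report or php.net.
// Stand-in for mysql_real_escape_string() (an assumption of this example): it
// escapes the same character set the real function does and nothing more, so
// a space or the word OR passes through untouched exactly as in the report.
function escape_like_mysql(string $s): string
{
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// The pattern from the report: escape every value, leave the numeric column unquoted.
function query_escape_only(string $user, string $pass, string $id): string
{
    $user = escape_like_mysql($user);
    $pass = escape_like_mysql($pass);
    $id   = escape_like_mysql($id);
    return "SELECT x FROM t WHERE user='$user' AND pass='$pass' AND id=$id";
}

// Fix 1 from the report: validate with is_numeric() and refuse anything else.
function query_is_numeric(string $user, string $pass, string $id): ?string
{
    if (!is_numeric($id)) {
        return null;   // the caller answers with an error instead of running a query
    }
    $user = escape_like_mysql($user);
    $pass = escape_like_mysql($pass);
    return "SELECT x FROM t WHERE user='$user' AND pass='$pass' AND id=$id";
}

// Fix 2 from the report: quote the number. The escaped value is now a string
// literal that MySQL coerces to a number, not SQL text that the parser executes.
function query_quoted(string $user, string $pass, string $id): string
{
    $user = escape_like_mysql($user);
    $pass = escape_like_mysql($pass);
    $id   = escape_like_mysql($id);
    return "SELECT x FROM t WHERE user='$user' AND pass='$pass' AND id='$id'";
}

// Fix 3 from the report: sprintf() with %d casts the value to an integer, so
// only the leading digits survive.
function query_sprintf(string $user, string $pass, string $id): string
{
    return sprintf(
        "SELECT x FROM t WHERE user='%s' AND pass='%s' AND id=%d",
        escape_like_mysql($user),
        escape_like_mysql($pass),
        $id
    );
}

// Constructed input mirroring the report's URL: index.php?id=1 OR 1=1
$user = 'alice';
$pass = 's3cret';
$id   = '1 OR 1=1';

foreach (['query_escape_only', 'query_is_numeric', 'query_quoted', 'query_sprintf'] as $fn) {
    $q = $fn($user, $pass, $id);
    printf("%-18s %s\n", $fn . ':', $q ?? '(rejected: id is not numeric)');
}
```

Running it shows the escape-only query ending in `id=1 OR 1=1`, which matches every row of `t`; the is_numeric() variant rejects the value before any query is built, the quoted variant ends in `id='1 OR 1=1'`, and the sprintf() variant ends in `id=1`. One caveat on fix 1: is_numeric() also accepts floats, exponent notation such as `1e3`, and leading whitespace, so for an integer key an explicit `(int)` cast or ctype_digit() is the stricter check. Prepared statements (mysqli or PDO with bound parameters) avoid the whole class of problem because the value is never spliced into the SQL text at all.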