nevvermind

Reputation: 3392

Bypassing mysql_real_escape_string's protection

Some dude challenged me to sql-inject his code. He said the PHP function in the title should suffice for this case.

$var = 'my malevolent input will be in here';
$var = mysql_real_escape_string($var);

$sql = "SELECT * FROM `users` WHERE `id` = '$var'";

mysql_query($sql);

I can't seem to bypass the single-quote escaping. What should I use as a value for $var? Can I use something?

Thanks, as always

Upvotes: 1

Views: 5440

Answers (3)

rinchik

Reputation: 2670

You have an error in code:

$sql = "SELECT * FROM `users` WHERE `id` = '$var'";

Should be

$sql = "SELECT * FROM `users` WHERE `id` = '" . $var . "'";

If you are not sure whether id is an integer or a string.

If you are sure that id is always an integer, then:

$sql = "SELECT * FROM `users` WHERE `id` = " . intval($var);

And you will be safe with mysql_real_escape_string(); ^_^

Upvotes: 0

Gumbo

Reputation: 655239

No, using mysql_real_escape_string is considered to be safe for any input unless the character encoding is not set properly by using mysql_client_encoding.

Upvotes: 2
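Gumbo's point about the character set, shown as an added example that is none of the posters' code: the question's query rewritten with mysqli, where the connection charset is set before escaping so the escape routine and the server agree on byte boundaries, plus the prepared-statement form and the integer cast from rinchik's answer. The connection parameters are placeholders.

```php
<?php
// Added example, not from the question or any answer. Host, user, password
// and database name below are placeholders.
$db = new mysqli('db.example', 'app', 'secret', 'app_db');
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error);
}

// Tell both the server and the client library which charset is in use, so that
// real_escape_string() sees the same byte boundaries the server will parse.
// A bare "SET NAMES" query leaves the client library uninformed, which is the
// mismatch Gumbo's answer refers to.
if (!$db->set_charset('utf8mb4')) {
    die('set_charset failed: ' . $db->error);
}

function find_user_escaped(mysqli $db, string $var): ?array
{
    // Same shape as the question's query; the escape is only as good as the
    // charset negotiated above.
    $safe = $db->real_escape_string($var);
    $res = $db->query("SELECT * FROM `users` WHERE `id` = '$safe'");
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

function find_user_prepared(mysqli $db, string $var): ?array
{
    // Preferred form: the value never becomes part of the SQL text, so neither
    // quoting nor charset handling can turn it into SQL.
    $stmt = $db->prepare('SELECT * FROM `users` WHERE `id` = ?');
    $stmt->bind_param('s', $var);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

function find_user_int(mysqli $db, string $var): ?array
{
    // When id is known to be an integer column, the cast rinchik suggests
    // removes the quoting question entirely.
    $id = (int) $var;
    $res = $db->query("SELECT * FROM `users` WHERE `id` = $id");
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// The bound value is compared as a literal string, not interpreted as SQL.
$row = find_user_prepared($db, $_GET['id'] ?? '');
```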

Pekka

Reputation: 449425

While there may be esoteric exploits in certain server versions under certain conditions and such, as far as I know, using mysql_real_escape_string() in this way is generally considered safe.

Upvotes: 2
