Reputation: 15259
I have no idea about PHP security, but if I add an ' to the input in my POST method form, I'm getting the following message:
Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /usr/local/www/login.php
Is that a SQL injection? If so, how can it be abused by the "hackers"?
Upvotes: 0
Views: 552
Reputation: 2553
You should escape any user input before passing it to mysql. Use the PHP function mysql_real_escape_string()
to escape any user input before adding it to your query. Here is the link to PHP manual for mysql_real_escape_string()
Update: Yes, what others are saying about using prepared statements or mysqli is much better than using the mysql extension.
Here are a few links on MySQL Injection which I found:
Upvotes: 0
Reputation: 360562
That means you're vulnerable to SQL injection, and your code is not doing sufficient checking for errors.
An absolute barebones "safe" bit of code would be:
<?php
... connect to db ...
// escape only after connecting: mysql_real_escape_string() needs an open connection
$stringval = mysql_real_escape_string($_GET['param']);
$sql = "SELECT somefield FROM sometable WHERE otherfield='$stringval'";
// check the return value: a failed query returns FALSE, not a result resource
$result = mysql_query($sql) or die(mysql_error());
Better yet, stop using the mysql functions and switch to PDO and parameterized queries. They handle the injection problems for you automatically.
The root cause of your error message is that your query has caused a syntax error. When a query fails outright like that, mysql_query()
returns a boolean FALSE value, not a statement handle.
Since you lack any kind of error checking, you blindly took that boolean false and passed it on to the fetch function, which has rightfully complained that you didn't provide a result handle.
Upvotes: 4
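Added example (not code from either answer above) showing all three things the answers talk about side by side: why a lone ' produces the syntax error the question reports, how the same hole is abused to log in without a password, and how escaping (first answer) and PDO prepared statements (second answer) stop it. It uses SQLite in memory through PDO so it runs without a MySQL server; the users table, the column names and the user alice are made up for the demonstration, and PDO::quote() stands in for mysql_real_escape_string(), which no longer exists in current PHP.

```php
<?php
// Added example, not from the original answers. SQLite in memory via PDO so it
// runs offline; the behaviour is the same against MySQL, because the bug is the
// string concatenation, not the database. Table, columns and user are invented.

$db = new PDO('sqlite::memory:');
// Throw exceptions instead of returning false. This is the error checking the
// asker's code lacked: a failed query silently handed FALSE to the fetch call.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
// Plaintext password only to keep the example short; real code stores a hash.
$db->exec("INSERT INTO users (username, password) VALUES ('alice', 'secret')");

// Vulnerable pattern: user input pasted straight into the SQL text,
// exactly what "WHERE otherfield='$input'" does with unescaped input.
function loginUnsafe(PDO $db, string $user, string $pass): ?array {
    $sql = "SELECT id, username FROM users WHERE username='$user' AND password='$pass'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// First answer's fix: escape before concatenating. PDO::quote() escapes the
// value and adds the surrounding quotes. It only protects quoted string
// literals, which is why prepared statements are the better default.
function loginEscaped(PDO $db, string $user, string $pass): ?array {
    $sql = "SELECT id, username FROM users WHERE username=" . $db->quote($user)
         . " AND password=" . $db->quote($pass);
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Second answer's fix: placeholders. The driver sends SQL and data separately,
// so the input can never change the shape of the statement.
function loginSafe(PDO $db, string $user, string $pass): ?array {
    $stmt = $db->prepare("SELECT id, username FROM users WHERE username = :u AND password = :p");
    $stmt->execute([':u' => $user, ':p' => $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 1. A lone quote, as in the question: the concatenated text is no longer
//    valid SQL, and with exceptions enabled you see why instead of a bogus
//    "not a valid result resource" warning one line later.
try {
    loginUnsafe($db, "alice'", "x");
} catch (PDOException $e) {
    echo "unsafe, input alice': ", $e->getMessage(), "\n";
}

// 2. A crafted quote: the attacker rewrites the WHERE clause to
//    username='' OR '1'='1' AND password='' OR '1'='1'
//    which is true for every row, so the first user is logged in with no password.
$bypass = "' OR '1'='1";
var_dump(loginUnsafe($db, $bypass, $bypass));   // alice's row

// 3. Same input through escaping and through a prepared statement: it is
//    compared literally as a username and matches nothing.
var_dump(loginEscaped($db, $bypass, $bypass));  // NULL
var_dump(loginSafe($db, $bypass, $bypass));     // NULL
var_dump(loginSafe($db, 'alice', 'secret'));    // alice's row
```

Run it with `php example.php` on any PHP build with the pdo_sqlite extension (enabled by default in most distributions). The important design point is in step 1: the asker's code only failed loudly because the quote broke the syntax; inputs that keep the syntax valid, like step 2, succeed silently, so "no warning" is not evidence of "no injection".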