Please start any new threads on our new site at https://forums.sqlteam.com. We've got lots of great SQL Server experts to answer whatever question you can come up with.

 All Forums
 General SQL Server Forums
 Data Corruption Issues
 SQL Injection

Author  Topic 

danny_sql
Starting Member

3 Posts

Posted - 2009-06-22 : 07:34:39
Hi

I have a quick question about SQL injection:

A user inserts a new post on our PHP based website into our MySQL database, which we correctly filter for SQL injection using mysql_real_escape_string(). This data is now inserted into TABLE newposts in our database.

Say for example that for whatever reason the data is transferred to a new table liveposts:

$pull = "SELECT * FROM newposts WHERE id='5'";
$pq = mysql_query($pull);
$sr = mysql_fetch_assoc($pq);

$add = "INSERT INTO liveposts (date,name,email,post) VALUES ('$sr[date]','$sr[name]','$sr[email]','$sr[post]')";

If the data that was originally inserted into the table newposts was an SQL injection attack that we correctly filtered using mysql_real_escape_string() - would I need to filter $sr[post] also, so enclose the data as '"mysql_real_escape_string($sr['post'])."' - or is data that is being copied/transferred from a MySQL table safe from SQL injection attacks?

Thanks in advance for your help.

Lumbago
Norsk Yak Master

3271 Posts

Posted - 2009-06-22 : 10:25:37
Well...the way to make sure was to copy directly instead of going through the webserver:

pull = "INSERT INTO liveposts (date,name,email,post) SELECT * FROM newposts WHERE id='5'";

If you do it your way it all depends on what the mysql_real_escape_string really does to the data. You should try just to make sure...

- Lumbago
Go to Top of Page

Lumbago
Norsk Yak Master

3271 Posts

Posted - 2009-06-22 : 10:27:10
Please also notice that this is a MS SQL Server forum so any questions you might have regarding MySQL might not get answered. We'll probably do our best though

- Lumbago
Go to Top of Page

danny_sql
Starting Member

3 Posts

Posted - 2009-06-22 : 11:42:28
Thanks for your help.

I would use:

$pull = "INSERT INTO liveposts (date,name,email,post) SELECT * FROM newposts WHERE id='5'";

where possible, but sometimes I am only using certain fields, and so this is not always possible.

Can anyone confirm whether or not the SQL injection risk would still stand when using the query as above:

$add = "INSERT INTO liveposts (date,name,email,post) VALUES ('$sr[date]','$sr[name]','$sr[email]','$sr[post]')";

?

Many Thanks
Go to Top of Page

Lumbago
Norsk Yak Master

3271 Posts

Posted - 2009-06-23 : 02:19:37
quote:
where possible, but sometimes I am only using certain fields, and so this is not always possible.
$pull = "INSERT INTO liveposts (date,name,email,post) SELECT date,name,email,post FROM newposts WHERE id='5'";

But if the syntax you're using is correct I believe you would be safe but I'm not sure. Shouldn't the syntax be more like this? ->

$add = "INSERT INTO liveposts (date,name,email,post) VALUES ('" + $sr[date] + "','" + $sr[name] + "','" + $sr[email] + "','" + $sr[post] + "')";

I think you'd be better off asking this in a PHP forum...it all depends on how PHP handles the parameters to the query.

- Lumbago
Go to Top of Page

danny_sql
Starting Member

3 Posts

Posted - 2009-06-23 : 08:11:26
Thanks for your help Lumbago. I'll double check this in a PHP/MySQL forum.
Go to Top of Page
   

- Advertisement -