SQL Server Forums
 SQL Injection

danny_sql
Starting Member

United Kingdom
3 Posts

Posted - 06/22/2009 :  07:34:39
Hi

I have a quick question about SQL injection:

A user inserts a new post on our PHP-based website into our MySQL database, which we correctly filter for SQL injection using mysql_real_escape_string(). This data is now inserted into TABLE newposts in our database.

Say for example that for whatever reason the data is transferred to a new table liveposts:

$pull = "SELECT * FROM newposts WHERE id='5'";
$pq = mysql_query($pull);
$sr = mysql_fetch_assoc($pq);

$add = "INSERT INTO liveposts (date,name,email,post) VALUES ('$sr[date]','$sr[name]','$sr[email]','$sr[post]')";

If the data that was originally inserted into the table newposts was an SQL injection attack that we correctly filtered using mysql_real_escape_string() - would I need to filter $sr[post] also, so enclose the data as '".mysql_real_escape_string($sr['post'])."' - or is data that is being copied/transferred from a MySQL table safe from SQL injection attacks?

Thanks in advance for your help.

Lumbago
Norsk Yak Master

Norway
3271 Posts

Posted - 06/22/2009 :  10:25:37
Well... the way to make sure would be to copy directly instead of going through the webserver:

$pull = "INSERT INTO liveposts (date,name,email,post) SELECT * FROM newposts WHERE id='5'";

If you do it your way it all depends on what the mysql_real_escape_string really does to the data. You should try just to make sure...

- Lumbago

Lumbago
Norsk Yak Master

Norway
3271 Posts

Posted - 06/22/2009 :  10:27:10
Please also notice that this is a MS SQL Server forum so any questions you might have regarding MySQL might not get answered. We'll probably do our best though.

- Lumbago

danny_sql
Starting Member

United Kingdom
3 Posts

Posted - 06/22/2009 :  11:42:28
Thanks for your help.

I would use:

$pull = "INSERT INTO liveposts (date,name,email,post) SELECT * FROM newposts WHERE id='5'";

where possible, but sometimes I am only using certain fields, and so this is not always possible.

Can anyone confirm whether or not the SQL injection risk would still stand when using the query as above:

$add = "INSERT INTO liveposts (date,name,email,post) VALUES ('$sr[date]','$sr[name]','$sr[email]','$sr[post]')";

?

Many Thanks

Lumbago
Norsk Yak Master

Norway
3271 Posts

Posted - 06/23/2009 :  02:19:37
quote:
where possible, but sometimes I am only using certain fields, and so this is not always possible.

$pull = "INSERT INTO liveposts (date,name,email,post) SELECT date,name,email,post FROM newposts WHERE id='5'";

But if the syntax you're using is correct I believe you would be safe but I'm not sure. Shouldn't the syntax be more like this? ->

$add = "INSERT INTO liveposts (date,name,email,post) VALUES ('" + $sr[date] + "','" + $sr[name] + "','" + $sr[email] + "','" + $sr[post] + "')";

I think you'd be better off asking this in a PHP forum...it all depends on how PHP handles the parameters to the query.

- Lumbago

danny_sql
Starting Member

United Kingdom
3 Posts

Posted - 06/23/2009 :  08:11:26
Thanks for your help Lumbago. I'll double check this in a PHP/MySQL forum.
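
Added example, not part of the thread or written by its participants: escaping applies only to the query a value is placed in, so a row read back from newposts holds the original text and must be treated as untrusted again when it is copied. The sketch assumes PDO with the SQLite driver (in memory) in place of MySQL and the removed mysql_* functions, with PDO::quote() standing in for mysql_real_escape_string(); the sample post is constructed.

```php
<?php
// Added example: constructed data, SQLite in memory standing in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$cols = '(id INTEGER PRIMARY KEY, date TEXT, name TEXT, email TEXT, post TEXT)';
$pdo->exec("CREATE TABLE newposts $cols");
$pdo->exec("CREATE TABLE liveposts $cols");

// Constructed sample post: ordinary text that happens to contain apostrophes.
$submitted = "It's Danny's first post";

// Step 1: escape at the point of use, as in the original insert into newposts.
$pdo->exec("INSERT INTO newposts (id, date, name, email, post) VALUES
    (5, '2009-06-22', 'danny', 'danny@example.com', " . $pdo->quote($submitted) . ")");

// Step 2: read the row back. The escaping was consumed by the SQL parser,
// so the table holds the original text, apostrophes included.
$sr = $pdo->query("SELECT * FROM newposts WHERE id = 5")->fetch(PDO::FETCH_ASSOC);
echo "stored value equals raw input: ";
var_dump($sr['post'] === $submitted);

// Step 3: the thread's copy query, built by interpolating the fetched row.
$add = "INSERT INTO liveposts (date,name,email,post) VALUES
    ('{$sr['date']}','{$sr['name']}','{$sr['email']}','{$sr['post']}')";
try {
    $pdo->exec($add);
    echo "interpolated copy ran\n";
} catch (PDOException $e) {
    // The stored apostrophe ends the string literal early, so data is parsed as SQL.
    echo "interpolated copy failed: ", $e->getMessage(), "\n";
}

// Fix A: bind the fetched values so they are never parsed as SQL.
$stmt = $pdo->prepare(
    "INSERT INTO liveposts (date,name,email,post) VALUES (:date,:name,:email,:post)");
$stmt->execute([':date' => $sr['date'], ':name' => $sr['name'],
                ':email' => $sr['email'], ':post' => $sr['post']]);

// Fix B: copy inside the database with an explicit column list.
$pdo->exec("INSERT INTO liveposts (date,name,email,post)
            SELECT date,name,email,post FROM newposts WHERE id = 5");

$copied = $pdo->query("SELECT post FROM liveposts")->fetchAll(PDO::FETCH_COLUMN);
echo "both safe copies match the original: ";
var_dump($copied === [$submitted, $submitted]);
```

The failure in step 3 comes from harmless text, which shows that the fetched row is unescaped; bound parameters or an in-database INSERT ... SELECT avoid re-parsing it.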
SQL Server Forums © 2000-2009 SQLTeam Publishing, LLC