Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
danny_sql
Starting Member
3 Posts |
 Posted - 2009-06-22 : 07:34:39
|
| HiI have a quick question about SQL injection:A user inserts a new post on our PHP based website into our MySQL database, which we correctly filter for SQL injection using mysql_real_escape_string(). This data is now inserted into TABLE newposts in our database.Say for example that for whatever reason the data is transferred to a new table liveposts:$pull = "SELECT * FROM newposts WHERE id='5'";$pq = mysql_query($pull);$sr = mysql_fetch_assoc($pq);$add = "INSERT INTO liveposts (date,name,email,post) VALUES ('$sr[date]','$sr[name]','$sr[email]','$sr[post]')";If the data that was originally inserted into the table newposts was an SQL injection attack that we correctly filtered using mysql_real_escape_string() - would I need to filter $sr[post] also, so enclose the data as '"mysql_real_escape_string($sr['post'])."' - or is data that is being copied/transferred from a MySQL table safe from SQL injection attacks?Thanks in advance for your help. |
|
|
Lumbago
Norsk Yak Master
3271 Posts |
Posted - 2009-06-22 : 10:25:37
|
| Well...the way to make sure was to copy directly instead of going through the webserver:pull = "INSERT INTO liveposts (date,name,email,post) SELECT * FROM newposts WHERE id='5'";If you do it your way it all depends on what the mysql_real_escape_string really does to the data. You should try just to make sure...- Lumbago |
 |
|
|
Lumbago
Norsk Yak Master
3271 Posts |
Posted - 2009-06-22 : 10:27:10
|
Please also notice that this is a MS SQL Server forum so any questions you might have regarding MySQL might not get answered. We'll probably do our best though  - Lumbago |
|
|
|
danny_sql
Starting Member
3 Posts |
Posted - 2009-06-22 : 11:42:28
|
| Thanks for your help.I would use:$pull = "INSERT INTO liveposts (date,name,email,post) SELECT * FROM newposts WHERE id='5'";where possible, but sometimes I am only using certain fields, and so this is not always possible.Can anyone confirm whether or not the SQL injection risk would still stand when using the query as above:$add = "INSERT INTO liveposts (date,name,email,post) VALUES ('$sr[date]','$sr[name]','$sr[email]','$sr[post]')";?Many Thanks |
|
|
|
Lumbago
Norsk Yak Master
3271 Posts |
Posted - 2009-06-23 : 02:19:37
|
quote:
where possible, but sometimes I am only using certain fields, and so this is not always possible.
$pull = "INSERT INTO liveposts (date,name,email,post) SELECT date,name,email,post FROM newposts WHERE id='5'";But if the syntax you're using is correct I believe you would be safe but I'm not sure. Shouldn't the syntax be more like this? ->$add = "INSERT INTO liveposts (date,name,email,post) VALUES ('" + $sr[date] + "','" + $sr[name] + "','" + $sr[email] + "','" + $sr[post] + "')";I think you'd be better off asking this in a PHP forum...it all depends on how PHP handles the parameters to the query.- Lumbago |
|
|
|
danny_sql
Starting Member
3 Posts |
Posted - 2009-06-23 : 08:11:26
|
| Thanks for your help Lumbago. I'll double check this in a PHP/MySQL forum. |
|
|
|
|
|
|
|
|
SQL Injection