Please start any new threads on our new site at http://forums.sqlteam.com. We've got lots of great SQL Server experts to answer whatever question you can come up with.

Our new SQL Server Forums are live! Come on over! We've restricted the ability to create new threads on these forums.

SQL Server Forums
Profile | Active Topics | Members | Search | Forum FAQ
 
Register Now and get your question answered!
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 General SQL Server Forums
 Data Corruption Issues
 SQL Injection
 Reply to Topic
 Printer Friendly
Author Previous Topic Topic Next Topic  

danny_sql
Starting Member

United Kingdom
3 Posts

Posted - 06/22/2009 :  07:34:39  Show Profile  Reply with Quote
Hi

I have a quick question about SQL injection:

A user inserts a new post on our PHP based website into our MySQL database, which we correctly filter for SQL injection using mysql_real_escape_string(). This data is now inserted into TABLE newposts in our database.

Say for example that for whatever reason the data is transferred to a new table liveposts:

$pull = "SELECT * FROM newposts WHERE id='5'";
$pq = mysql_query($pull);
$sr = mysql_fetch_assoc($pq);

$add = "INSERT INTO liveposts (date,name,email,post) VALUES ('$sr[date]','$sr[name]','$sr[email]','$sr[post]')";

If the data that was originally inserted into the table newposts was an SQL injection attack that we correctly filtered using mysql_real_escape_string() - would I need to filter $sr[post] also, so enclose the data as '"mysql_real_escape_string($sr['post'])."' - or is data that is being copied/transferred from a MySQL table safe from SQL injection attacks?

Thanks in advance for your help.

Lumbago
Norsk Yak Master

Norway
3271 Posts

Posted - 06/22/2009 :  10:25:37  Show Profile  Reply with Quote
Well...the way to make sure was to copy directly instead of going through the webserver:

pull = "INSERT INTO liveposts (date,name,email,post) SELECT * FROM newposts WHERE id='5'";

If you do it your way it all depends on what the mysql_real_escape_string really does to the data. You should try just to make sure...

- Lumbago
Go to Top of Page

Lumbago
Norsk Yak Master

Norway
3271 Posts

Posted - 06/22/2009 :  10:27:10  Show Profile  Reply with Quote
Please also notice that this is a MS SQL Server forum so any questions you might have regarding MySQL might not get answered. We'll probably do our best though

- Lumbago
Go to Top of Page

danny_sql
Starting Member

United Kingdom
3 Posts

Posted - 06/22/2009 :  11:42:28  Show Profile  Reply with Quote
Thanks for your help.

I would use:

$pull = "INSERT INTO liveposts (date,name,email,post) SELECT * FROM newposts WHERE id='5'";

where possible, but sometimes I am only using certain fields, and so this is not always possible.

Can anyone confirm whether or not the SQL injection risk would still stand when using the query as above:

$add = "INSERT INTO liveposts (date,name,email,post) VALUES ('$sr[date]','$sr[name]','$sr[email]','$sr[post]')";

?

Many Thanks
Go to Top of Page

Lumbago
Norsk Yak Master

Norway
3271 Posts

Posted - 06/23/2009 :  02:19:37  Show Profile  Reply with Quote
quote:
where possible, but sometimes I am only using certain fields, and so this is not always possible.
$pull = "INSERT INTO liveposts (date,name,email,post) SELECT date,name,email,post FROM newposts WHERE id='5'";

But if the syntax you're using is correct I believe you would be safe but I'm not sure. Shouldn't the syntax be more like this? ->

$add = "INSERT INTO liveposts (date,name,email,post) VALUES ('" + $sr[date] + "','" + $sr[name] + "','" + $sr[email] + "','" + $sr[post] + "')";

I think you'd be better off asking this in a PHP forum...it all depends on how PHP handles the parameters to the query.

- Lumbago
Go to Top of Page

danny_sql
Starting Member

United Kingdom
3 Posts

Posted - 06/23/2009 :  08:11:26  Show Profile  Reply with Quote
Thanks for your help Lumbago. I'll double check this in a PHP/MySQL forum.
Go to Top of Page
  Previous Topic Topic Next Topic  
 Reply to Topic
 Printer Friendly
Jump To:
SQL Server Forums © 2000-2009 SQLTeam Publishing, LLC Go To Top Of Page
This page was generated in 0.09 seconds. Powered By: Snitz Forums 2000