| Author |
 Topic  |
|
|
danny_sql
Starting Member
United Kingdom
3 Posts |
 Posted - 06/22/2009 : 07:34:39
|
Hi
I have a quick question about SQL injection:
A user inserts a new post on our PHP based website into our MySQL database, which we correctly filter for SQL injection using mysql_real_escape_string(). This data is now inserted into TABLE newposts in our database.
Say for example that for whatever reason the data is transferred to a new table liveposts:
$pull = "SELECT * FROM newposts WHERE id='5'";
$pq = mysql_query($pull);
$sr = mysql_fetch_assoc($pq);
$add = "INSERT INTO liveposts (date,name,email,post) VALUES ('$sr[date]','$sr[name]','$sr[email]','$sr[post]')";
If the data that was originally inserted into the table newposts was an SQL injection attack that we correctly filtered using mysql_real_escape_string() - would I need to filter $sr[post] also, so enclose the data as '"mysql_real_escape_string($sr['post'])."' - or is data that is being copied/transferred from a MySQL table safe from SQL injection attacks?
Thanks in advance for your help. |
|
|
Lumbago
Norsk Yak Master
Norway
3241 Posts |
Posted - 06/22/2009 : 10:25:37
|
Well...the way to make sure was to copy directly instead of going through the webserver:
pull = "INSERT INTO liveposts (date,name,email,post) SELECT * FROM newposts WHERE id='5'";
If you do it your way it all depends on what the mysql_real_escape_string really does to the data. You should try just to make sure...
- Lumbago |
 |
|
|
Lumbago
Norsk Yak Master
Norway
3241 Posts |
Posted - 06/22/2009 : 10:27:10
|
Please also notice that this is a MS SQL Server forum so any questions you might have regarding MySQL might not get answered. We'll probably do our best though 
- Lumbago |
|
|
|
danny_sql
Starting Member
United Kingdom
3 Posts |
Posted - 06/22/2009 : 11:42:28
|
Thanks for your help.
I would use:
$pull = "INSERT INTO liveposts (date,name,email,post) SELECT * FROM newposts WHERE id='5'";
where possible, but sometimes I am only using certain fields, and so this is not always possible.
Can anyone confirm whether or not the SQL injection risk would still stand when using the query as above:
$add = "INSERT INTO liveposts (date,name,email,post) VALUES ('$sr[date]','$sr[name]','$sr[email]','$sr[post]')";
?
Many Thanks |
|
|
|
Lumbago
Norsk Yak Master
Norway
3241 Posts |
Posted - 06/23/2009 : 02:19:37
|
quote:
where possible, but sometimes I am only using certain fields, and so this is not always possible.
$pull = "INSERT INTO liveposts (date,name,email,post) SELECT date,name,email,post FROM newposts WHERE id='5'";
But if the syntax you're using is correct I believe you would be safe but I'm not sure. Shouldn't the syntax be more like this? ->
$add = "INSERT INTO liveposts (date,name,email,post) VALUES ('" + $sr[date] + "','" + $sr[name] + "','" + $sr[email] + "','" + $sr[post] + "')";
I think you'd be better off asking this in a PHP forum...it all depends on how PHP handles the parameters to the query.
- Lumbago |
|
|
|
danny_sql
Starting Member
United Kingdom
3 Posts |
Posted - 06/23/2009 : 08:11:26
|
| Thanks for your help Lumbago. I'll double check this in a PHP/MySQL forum. |
|
|
| |
Topic |
|
|
|
SQL Injection
