bypassing SQLi protection

caneacsu

Hello,

Hope I'm posting in the right section.

I was wondering if the PHP function "mysql_real_escape_string" can be bypassed.

For example, I have the following code:

<?php
$id = mysql_real_escape_string($_GET['id']);
$r = mysql_query("SELECT * FROM users WHERE id='" . $id . "'");
?>

Reading various blog posts I understand that this could be exploited only under special circumstances, depending on the encoding used by the DBMS.

Is that right? Is the above code really that safe, and can't it be exploited?

Thank you!

Giuseppe

Well, this is an old issue in MySQL. Modern versions of MySQL (>5.1) are safe. Furthermore, if you use UTF-8 and other "normal" charsets you are still safe, because the main problem originated from the magic handling of the GBK charset.

Here's a good explanation.

However, let me point you to another problem. Consider the following example:

<?php
$id = mysql_real_escape_string($_GET['id']);
$r = mysql_query("SELECT * FROM users WHERE id=" . $id);

As you can see, it differs from your previous example: we no longer have the single quotes around the id variable.

In this case, using mysql_real_escape_string against the following vector won't help you:

0 OR 2=2
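To make the difference between the two snippets concrete, here is an added example (not code from the thread or from either poster) that runs both query shapes against an in-memory SQLite table. The escape function is a stand-in for mysql_real_escape_string: SQLite doubles a single quote where MySQL backslash-escapes it, but the property shown is the same, namely that escaping only protects a value that sits inside a quoted string literal. The table contents and the safe_lookup helper are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample rows; nothing here comes from the thread.
USERS = [(1, "alice"), (2, "bob"), (3, "carol")]


def escape(value: str) -> str:
    """Stand-in for mysql_real_escape_string: neutralises quote characters so a
    value is safe *inside* a quoted literal. It does nothing about spaces,
    operators or keywords, because those are legal inside a string."""
    return value.replace("'", "''")


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def quoted_lookup(conn, raw):
    # Pattern from the first post: escaped value wrapped in single quotes.
    sql = "SELECT * FROM users WHERE id='" + escape(raw) + "'"
    return conn.execute(sql).fetchall()


def unquoted_lookup(conn, raw):
    # Giuseppe's variant: no quotes, so the escaping has nothing to act on
    # and the value is spliced in as raw SQL tokens.
    sql = "SELECT * FROM users WHERE id=" + escape(raw)
    return conn.execute(sql).fetchall()


def safe_lookup(conn, raw):
    # Hardened version: enforce the expected type, then bind the parameter
    # so the driver never splices text into the statement.
    if not re.fullmatch(r"[0-9]+", raw):
        raise ValueError("id must be a non-negative integer")
    return conn.execute("SELECT * FROM users WHERE id=?", (int(raw),)).fetchall()


def demo() -> dict:
    conn = setup()
    vector = "0 OR 2=2"  # the vector quoted in the thread
    return {
        "quoted_benign": len(quoted_lookup(conn, "2")),      # 1 row
        "quoted_vector": len(quoted_lookup(conn, vector)),   # 0 rows: harmless string
        "unquoted_benign": len(unquoted_lookup(conn, "2")),  # 1 row
        "unquoted_vector": len(unquoted_lookup(conn, vector)),  # 3 rows: whole table
        "safe_benign": len(safe_lookup(conn, "2")),          # 1 row
    }
```

Running demo() shows the quoted query treating "0 OR 2=2" as a literal that matches nothing, while the unquoted query returns every row; safe_lookup rejects the same input with a ValueError before any SQL is built.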
caneacsu

Thank you for your response Giuseppe :)

Everything makes a lot more sense now!

Guess I'll be taking WAPT pretty soon, as I want to get ready for WAPTX. I wasn't that much interested in web apps, but this stuff is starting to get to me.

Cheers!

Giuseppe

Cool, in WAPTX there's a little bit of magic about encodings and advanced SQLi. Anyway, WAPT gives you the basics :)
