rfc:sql_injection_protection

rfc:sql_injection_protection [2015/07/28 16:45] matttait
rfc:sql_injection_protection [2015/07/28 16:56] matttait
Line 5: Line 5:
   * Status: Draft   * Status: Draft
   * First Published at: http://wiki.php.net/rfc/sql_injection_protection   * First Published at: http://wiki.php.net/rfc/sql_injection_protection
 +  * You can [[http://phpoops.cloudapp.net/oops.php||try it online]] ([[http://phpoops.cloudapp.net/oops.php?action=main&dbg_sql&limit=4%20ohdear|spoiler]])
  
 ===== Background ===== ===== Background =====
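Review bot: the link added on the `* You can ...` line uses a double pipe (`[[url||try it online]]`); DokuWiki splits link target and title on the first `|`, so the rendered link text will carry a stray leading pipe. Use a single pipe: `[[http://phpoops.cloudapp.net/oops.php|try it online]]`. Since the demo lives on an external host rather than on wiki.php.net, it is also worth saying so in the bullet, so readers are not surprised if the link goes stale.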
Line 46: Line 47:
  
 By design, SafeConstness is ***not** applied to the output of SQL-escape functions. Consider the following query: By design, SafeConstness is ***not** applied to the output of SQL-escape functions. Consider the following query:
-  mysqli_query("SELECT * from USER where $id=" . mysqli_escape_query($_GET["userid"]))  +  mysqli_query("SELECT * from USER where ID=" . mysqli_escape_query($_GET["userid"]))  
-This can be injected via page.php?userid=1%20INJECT_HERE--. Even quoted forms [[[[http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string|charset bugs]]|can be injected in ways]] the code cannot easily verify: +This can be injected via page.php?userid=1%20INJECT_HERE--. Even using correct SQL-escapes within quotes can [[[[http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string|can be injected]] in a way PHP cannot verify at runtime 
-  mysqli_query("SELECT * from USER where $id='" . mysqli_escape_query($_GET["userid"]) . "'")+  mysqli_query("SELECT * from USER where ID='" . mysqli_escape_query($_GET["userid"]) . "'") 
 It is a feature, not a bug, of this proposal that we are deliberately encouraging developers to parameterize, rather than escape their SQL queries. It is a feature, not a bug, of this proposal that we are deliberately encouraging developers to parameterize, rather than escape their SQL queries.
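Review bot: the `[[[[http://shiflett.org/...|can be injected]]` link on the reworded `+` line is malformed (doubled opening brackets, and "can ... can be injected" is duplicated), so it will render as literal brackets rather than a link; suggested wording: `Even using correct SQL-escapes within quotes [[http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string|can be injected]] in a way PHP cannot verify at runtime:` (ending with a colon, since a code line follows). Changing `$id=` to `ID=` is correct, because the old version interpolated an undefined `$id` inside the double-quoted string. Separately, both code lines still call `mysqli_escape_query`, which is not a function in PHP's mysqli extension; the real escaping API is `mysqli_real_escape_string($link, $string)`, and using the actual name keeps the example from being dismissed as untestable.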
  
rfc/sql_injection_protection.txt · Last modified: 2017/09/22 13:28 by 127.0.0.1