mysql_real_escape_string() is not sanitizing the variable

I am working on an existing website, trying to prevent SQL injections. Previously, $_GET['ID'] was not parsed at all.

    $ID = mysql_real_escape_string($_GET['ID']);
    $sQuery = mysql_query("select * from tbl_mini_website as s1, tbl_actor_merchant as me where s1.MERCHANT_ID=$ID AND s1.MERCHANT_ID=me.MERCHANT_ID");

If I put " at the end of the URL, with mysql_real_escape_string() in place, I get this from mysql_error():

You have an error in the SQL syntax; check the manual that matches your version of MySQL server for the correct syntax to use next to '\\' AND s1.MERCHANT_ID = me.MERCHANT_ID 'on line 1

Without mysql_real_escape_string() I get:

You have an error in the SQL syntax; check the manual that matches your version of MySQL server for the correct syntax to use next to '\' AND s1.MERCHANT_ID = me.MERCHANT_ID 'on line 1

I'm not sure what's wrong with it. Any help would be greatly appreciated.

+4
4 answers

If this is an ID, which I suppose is numeric, why don't you just cast it to an integer?

    $ID = (int) $_GET['ID'];

The best advice I can give you is to look into PDO and use bound parameters.

+6

mysql_real_escape_string escapes but does not quote.

Try:

    $sQuery = mysql_query("select * from tbl_mini_website as s1, tbl_actor_merchant as me where s1.MERCHANT_ID='$ID' AND s1.MERCHANT_ID=me.MERCHANT_ID");

More generally, I tend to wrap both steps (escaping and quoting) in one function, for example:

    function quoteValue($value) {
        return "'" . mysql_real_escape_string($value) . "'";
    }

This is useful because it gives you a single place where you can improve the quoting behaviour later (especially when it comes to handling Unicode, control characters, etc.).

+5

This is because you are not quoting this variable.

Here is what your query contains in each case:

    $_GET['ID'] = "1";
    $ID = mysql_real_escape_string($_GET['ID']);
    SELECT ... where s1.MERCHANT_ID=1 ...

    $_GET['ID'] = "1'";
    $ID = mysql_real_escape_string($_GET['ID']);
    SELECT ... where s1.MERCHANT_ID=1\' ...

    $_GET['ID'] = "1'";
    SELECT ... where s1.MERCHANT_ID=1' ...

+2
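Added example, not part of the original question or any of the answers: it builds the query string for the three shapes discussed in the two answers above (escaped but unquoted, escaped and quoted via quoteValue(), and cast to an integer) so you can see the exact SQL text without a database. mysql_real_escape_string() needs a live connection (it escapes according to the connection charset), so the assumed helper escapeLikeMysql() stands in for it here and escapes the same seven characters; everything else in the block is constructed for the demo.

```php
<?php
// Stand-in for mysql_real_escape_string(): escapes NUL, \n, \r, \, ', " and
// Ctrl-Z the same way, but ignores the connection charset (assumption made
// so the example runs with no database).
function escapeLikeMysql(string $value): string
{
    return strtr($value, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// The query exactly as in the question: value escaped, then interpolated
// without surrounding quotes. A trailing quote in the input becomes \' in
// the middle of a numeric comparison, which is the syntax error shown above.
function unquotedQuery(string $id): string
{
    $escaped = escapeLikeMysql($id);
    return "select * from tbl_mini_website as s1, tbl_actor_merchant as me "
         . "where s1.MERCHANT_ID=$escaped AND s1.MERCHANT_ID=me.MERCHANT_ID";
}

// Phil Brown's quoteValue(), with the stand-in escaper: escaping and quoting
// always happen together, so the result is a complete string literal.
function quoteValue(string $value): string
{
    return "'" . escapeLikeMysql($value) . "'";
}

function quotedQuery(string $id): string
{
    $quoted = quoteValue($id);
    return "select * from tbl_mini_website as s1, tbl_actor_merchant as me "
         . "where s1.MERCHANT_ID=$quoted AND s1.MERCHANT_ID=me.MERCHANT_ID";
}

// The (int) cast from the first answer: whatever arrives, only an integer
// reaches the SQL text.
function castQuery(string $id): string
{
    $int = (int) $id;
    return "select * from tbl_mini_website as s1, tbl_actor_merchant as me "
         . "where s1.MERCHANT_ID=$int AND s1.MERCHANT_ID=me.MERCHANT_ID";
}

// Constructed inputs: the normal id and the id with a trailing quote that
// triggers the error in the question.
foreach (["1", "1'"] as $input) {
    echo "input:    ", var_export($input, true), "\n";
    echo "unquoted: ", unquotedQuery($input), "\n";
    echo "quoted:   ", quotedQuery($input), "\n";
    echo "cast:     ", castQuery($input), "\n\n";
}
```

Run it with `php escape_demo.php`. For the input `1'` the unquoted variant prints `MERCHANT_ID=1\' AND ...`, which is the fragment MySQL complains about; the quoted variant prints `MERCHANT_ID='1\'' AND ...`, a well-formed string literal; the cast variant prints `MERCHANT_ID=1 AND ...`. Escaping only makes a value safe inside a quoted literal, which is why the escape step alone is not enough.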

Phil Brown is right, but you should forget about the old-fashioned mysql_real_escape_string() and mysql_connect(), since they are very old, and move to PHP's PDO, where you get prepared statements, parameter binding, fetching into an object and many other functions.

I suggest reading the PDO documentation at http://php.net/manual/en/book.pdo.php if you want to work with a modern database layer and SQL injection protection.

+1
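Added example, not taken from this answer or the PDO manual: the question's query rewritten as a PDO prepared statement. A constructed in-memory SQLite database (tables, columns and rows invented for the demo) stands in for MySQL so the block runs wherever PHP has pdo_sqlite; for the real site only the DSN and credentials in openDemoDb() would change.

```php
<?php
// Builds a throwaway database with the two tables named in the question.
// Column names other than MERCHANT_ID are assumptions for this demo.
function openDemoDb(): PDO
{
    // For MySQL this would be new PDO('mysql:host=...;dbname=...;charset=utf8mb4', $user, $pass).
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tbl_mini_website (MERCHANT_ID INTEGER, SITE_NAME TEXT)');
    $db->exec('CREATE TABLE tbl_actor_merchant (MERCHANT_ID INTEGER, ACTOR_NAME TEXT)');
    $db->exec("INSERT INTO tbl_mini_website VALUES (1, 'site-one'), (2, 'site-two')");
    $db->exec("INSERT INTO tbl_actor_merchant VALUES (1, 'merchant-one'), (2, 'merchant-two')");
    return $db;
}

// Same query as the question, but the id travels as a bound parameter and is
// never spliced into the SQL text, so no escaping or quoting is needed.
function findMerchantSite(PDO $db, string $rawId): array
{
    // The id is numeric by contract, so reject anything that is not a whole
    // number before it gets near the database, instead of silently coercing.
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];
    }

    $stmt = $db->prepare(
        'select * from tbl_mini_website as s1, tbl_actor_merchant as me '
      . 'where s1.MERCHANT_ID = :id AND s1.MERCHANT_ID = me.MERCHANT_ID'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = openDemoDb();
// Constructed inputs: the normal id and the trailing-quote id from the question.
foreach (['1', "1'"] as $input) {
    $rows = findMerchantSite($db, $input);
    printf("%-5s -> %d row(s)\n", var_export($input, true), count($rows));
}
```

With the prepared statement the value `1'` cannot change the shape of the SQL at all; the `filter_var()` check on top of that simply turns a malformed id into an empty result instead of a query that runs with a coerced value, which keeps the behaviour the same across MySQL and SQLite.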

Source: https://habr.com/ru/post/1347010/
