I have this query:
DELETE FROM users WHERE user_email = '$email'
How can it be attacked by SQL injection attack that causes all of records get deleted?
addslashes() function is applied on $email before sending it to the query.
Asked
Active
Viewed 1,594 times
0
-
DELETE FROM users WHERE user_email = '$email' OR 1=1 – Vimalnath Jan 28 '13 at 12:08
-
@vimalnath he said addslashes is applied, so this won't work – MarcDefiant Jan 28 '13 at 12:09
-
what should be the value of $email? – hd. Jan 28 '13 at 12:09
-
1possible duplicate: http://stackoverflow.com/questions/860954/examples-of-sql-injections-through-addslashes – MarcDefiant Jan 28 '13 at 12:20
-
possible duplicate of [How to prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php) – ShadowScripter Apr 22 '13 at 06:34
2 Answers
1
You can bypass addslashes as following if the wrong encoding is set in the database (this doesn't work with UTF-8):
$email = urldecode('%BF%27 OR 1 -- '); // user input
$email = addslashes($email);
$sql = "DELETE FROM users WHERE user_email = '$email'";
because a \ is prepended to %27 ('), %BF and a blackslash results in a valid multibyte char
MarcDefiant
- 6,321
- 5
- 26
- 47
1
If you are using PDO you can use $pdo->quote($var) or use PDOStatement bindParam, bindValue($var, PDO::INT_PARAM) that sanitizes data and avoid all public knowed special chars become used as sql injection.
EDIT
Thats because each databse has his own reserved words.
Ragen Dazs
- 2,045
- 3
- 25
- 54