
I am using addslashes() on all the parameters received on the page, and I am also putting single quotes around those variables in the MySQL query. Here is my code:

$string      = addslashes($_POST['string']);   // escape the raw POST value
$queryString = "INSERT INTO general (description) VALUES ('$string')";  // value is single-quoted in the SQL
$query       = mysql_query($queryString);

AND

$queryString = "SELECT description FROM general WHERE description = '" . $string . "'";
$query       = mysql_query($queryString);

Is there any chance of SQL INJECTION in this code?

StormTrooper

2 Answers


Read this article: addslashes() Versus mysql_real_escape_string()

Excerpt:

If I want to attempt an SQL injection attack against a MySQL database, having single quotes escaped with a backslash is a bummer. If you're using addslashes(), however, I'm in luck. All I need to do is inject something like 0xbf27, and addslashes() modifies this to become 0xbf5c27, a valid multi-byte character followed by a single quote. In other words, I can successfully inject a single quote despite your escaping. That's because 0xbf5c is interpreted as a single character.

Notice:

Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

itachi
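To make the excerpt concrete, here is an added example that is not part of the question or of either answer. It models, in Python and at the byte level, the three things the quoted article is about: PHP's addslashes() escaping bytes it knows nothing about, a charset-aware escaper in the style of mysql_real_escape_string() on a GBK connection, and the way a GBK-aware SQL lexer walks a single-quoted literal. All three functions (addslashes, gbk_real_escape, literal_end) are simplified models written for this example, not MySQL's or PHP's code; the GBK lead/trail byte ranges are the standard ones, the escaper and lexer behaviour are assumptions about MySQL, and the payload and the `general` table query are constructed from the question.

```python
# Added example (not from the original post): why addslashes() is not enough
# on a multi-byte connection charset such as GBK.  Nothing here talks to a
# database; the escapers and the literal scanner are simplified models.

BACKSLASH = 0x5C
QUOTE = 0x27


def is_gbk_pair(data: bytes, i: int) -> bool:
    """True if data[i:i+2] is a valid two-byte GBK character.
    GBK lead bytes are 0x81..0xFE; trail bytes 0x40..0x7E or 0x80..0xFE."""
    if i + 1 >= len(data):
        return False
    lead, trail = data[i], data[i + 1]
    return 0x81 <= lead <= 0xFE and (0x40 <= trail <= 0x7E or 0x80 <= trail <= 0xFE)


def addslashes(data: bytes) -> bytes:
    """Model of PHP addslashes(): byte by byte, with no idea of the charset.
    Prefixes ' " \\ and NUL with a backslash."""
    out = bytearray()
    for b in data:
        if b in (QUOTE, 0x22, BACKSLASH, 0x00):
            out.append(BACKSLASH)
        out.append(b)
    return bytes(out)


def gbk_real_escape(data: bytes) -> bytes:
    """Model (assumption) of mysql_real_escape_string() on a GBK connection:
    a complete multi-byte character is copied untouched, a lead byte that is
    NOT followed by a valid trail byte is itself escaped, and ' " \\ NUL are
    escaped.  The lone lead byte therefore cannot swallow the backslash."""
    out = bytearray()
    i = 0
    while i < len(data):
        if is_gbk_pair(data, i):
            out += data[i:i + 2]
            i += 2
            continue
        b = data[i]
        if 0x81 <= b <= 0xFE or b in (QUOTE, 0x22, BACKSLASH, 0x00):
            out.append(BACKSLASH)
        out.append(b)
        i += 1
    return bytes(out)


def literal_end(sql: bytes, start: int) -> int:
    """Index of the byte that closes the single-quoted literal opened at
    sql[start], walking the bytes like a GBK-aware lexer (assumption): a valid
    multi-byte pair is one character, a backslash skips the following byte."""
    i = start + 1
    while i < len(sql):
        if is_gbk_pair(sql, i):
            i += 2
        elif sql[i] == BACKSLASH:
            i += 2
        elif sql[i] == QUOTE:
            return i
        else:
            i += 1
    raise ValueError("unterminated string literal")


def query_for(escaped: bytes) -> bytes:
    """The SELECT from the question, built by string concatenation."""
    return b"SELECT description FROM general WHERE description = '" + escaped + b"'"


def is_injected(escaped: bytes) -> bool:
    """True if the escaped value broke out of the literal: the literal closes
    before the final quote that the query itself appended."""
    sql = query_for(escaped)
    return literal_end(sql, sql.index(QUOTE)) != len(sql) - 1


# Constructed attacker input: a GBK lead byte (0xBF), a quote, then SQL.
PAYLOAD = b"\xbf' OR 1=1 -- "

if __name__ == "__main__":
    print("addslashes output   :", addslashes(PAYLOAD).hex(" "))
    print("0xbf5c as one GBK char:", b"\xbf\x5c".decode("gbk"))
    print("injected via addslashes      :", is_injected(addslashes(PAYLOAD)))
    print("injected via charset escaper :", is_injected(gbk_real_escape(PAYLOAD)))
```

addslashes() turns `bf 27` into `bf 5c 27`; the lexer sees `bf 5c` as one GBK character and the `27` closes the literal, so the rest of the payload runs as SQL. The charset-aware escaper emits `5c bf 5c 27` instead, and both backslashes are honoured. A prepared statement sidesteps the problem entirely, because the value is never spliced into the SQL text at all.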

Hey, the mysql_connect function is now deprecated, as PHP's giant warning sign shows. However, if you insist on using the deprecated functions, then you have to sanitize all variables using the mysql_real_escape_string() function and also pass it to strip_tags().

But why don't you rather use MySQLi via prepared statements, or better, use PDO, which I believe is the best. MySQLi and PDO do automatic data sanitization, which ensures that an SQL injection attack is not possible.

If you are ready to go with PDO, then I can help you with a start. I hope this helps.

PDO connection (pdo.php):

<?php

$db = new PDO(
    'mysql:host=localhost;dbname=sectona_db;charset=utf8', // DSN: the charset belongs on the connection
    'root',   // username
    'root99', // password
    array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly instead of returning false
        PDO::ATTR_EMULATE_PREPARES => false,                  // use real server-side prepared statements
    )
);

?>

The page that receives the form:

<?php

require("pdo.php");

$username = $_POST['username'];
$photo    = $_POST['photo'];

// The SQL text contains only placeholders; the values travel separately on execute().
$statement = $db->prepare('INSERT INTO users (username, photo) VALUES (:username, :photo)');

$statement->execute(array(
    ':username' => $username,
    ':photo'    => $photo,
));

echo 'data submitted';

?>
Sectona
  • `and also pass it to strip_tags()` No, don't do that – Damien Pirsy Nov 17 '14 at 06:02
  • Why strip_tags()? What if the user needs to strip off dangerous HTML elements? I believe it's just a function of what the user wants to do with the data from form inputs – Sectona Nov 17 '14 at 06:08
  • strip_tags will destroy the HTML and make it useless. If you want to protect from XSS, you need to escape the possibly malicious code, and only upon outputting on an HTML page; that has nothing to do with SQL injections, since malicious JavaScript has no effect whatsoever on a DB. The proposal of using strip_tags is a variant of those sanitize-all-the-things functions which pop up every now and then here on SO, and that add little to nothing to security. You escape according to the medium the string is destined to. I repeat, _don't_ use strip_tags() for SQL injections, ever – Damien Pirsy Nov 17 '14 at 06:17
  • Please don't get me wrong, I am not using strip_tags() against SQL injections. Not at all. Understood. Thanks – Sectona Nov 17 '14 at 06:22