-2

In my PHP scripts ALL input is "filtered" with mysqli_real_escape_string in this way:

// escape the raw GET parameter ...
$categoryid = mysqli_real_escape_string($link, $_GET['id']); 

// ... then concatenate it into the query without surrounding quotes
$query = "SELECT categories.id AS cid, categories.title AS ctitle
              FROM categories
              WHERE cid=".$categoryid.";";

$rows = mysqli_query($link, $query);
$row = mysqli_fetch_array($rows);

Could someone tell me how he hacked my database and dropped the "category_post" table?

register_globals is disabled

AstroCB
xRobot
  • Who knows - there's only a small snippet here. Maybe a second-level injection attack succeeded, or maybe he obtained access another way. –  Nov 17 '13 at 07:04
  • [This xkcd](http://xkcd.com/327/) was created just for you. – mvp Nov 17 '13 at 07:54

2 Answers

0

He probably entered the following string: '1'; ;

If I'm not mistaken, this PHP function will not prevent SQL injection; it only makes sure the SQL string is legal, and SELECT categories.id AS cid, categories.title AS ctitle FROM categories WHERE cid='-1'; SQL INJECTION STRING ; is a legal string for SQL.

zion ben yacov
0

Have you taken measures to ensure that SQL injection is not possible? Some things you can do to prevent injection are using mysql_real_escape_string() before the query to escape any quotes in POST and GET variables, or using prepared statements with mysqli or PDO instead of mysql_query. Also, as an additional safeguard, you can create a separate user for connecting to MySQL that has limited access, and not allow that user to use DROP, etc.

DWils