0
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

$checkPassword = mysql_query("SELECT * FROM user_info WHERE Username='$username' AND Password='$password';");

Can this query be bypassed by an injection and if so is anyone able to craft an injection I can use for security testing?

I have tried doing 'x' or 1=1 but mysql_real_escape_string manages to remove the quotes and treats the whole field as a string. Thank you all in advance.

Your Common Sense
polymorph
    See http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string – xdazz Mar 27 '14 at 03:18
  • possible duplicate of [Shortcomings of mysql_real_escape_string?](http://stackoverflow.com/questions/12703420/shortcomings-of-mysql-real-escape-string) – deceze Mar 27 '14 at 09:17

2 Answers

1

The whole purpose of mysql_real_escape_string is to escape any value passed to it so that it can be safely used in a MySQL string literal. And as you use the value escaped by mysql_real_escape_string the way it is supposed to be used, i.e., only in string literals, you have done everything correctly.

So there is no way to bypass this, as long as you have also set the connection character set properly: there is a case where mysql_real_escape_string may still be bypassed due to an improper setting of the connection character set when using the character sets GBK or BIG5.

Community
Gumbo
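As an added example that is not part of the question or either answer: the same login check written with mysqli (the mysql_ extension used in the question has since been removed from PHP), with the connection character set configured the way the answer above requires, and a prepared-statement variant beside it. The host, credentials, database name and the user_info table layout are placeholders assumed for the example.

```php
<?php
// Added example, not from the question or the answers. Assumes a mysqli
// connection and a user_info table with Username and Password columns;
// DB_HOST/DB_USER/DB_PASS/DB_NAME are placeholders.

$db = mysqli_connect('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME');
if ($db === false) {
    exit('connection failed');
}

// Set the connection character set through the client library. The escaping
// done by mysqli_real_escape_string() depends on the charset the library
// believes is in use; changing it with a raw "SET NAMES" query instead leaves
// the library unaware, which is the misconfiguration the answer above refers to.
mysqli_set_charset($db, 'utf8mb4');

function check_login_escaped(mysqli $db, string $username, string $password): bool
{
    // Variant 1: escaping, used only inside quoted string literals, after the
    // charset has been set on the connection.
    $u = mysqli_real_escape_string($db, $username);
    $p = mysqli_real_escape_string($db, $password);
    $res = mysqli_query($db, "SELECT 1 FROM user_info WHERE Username='$u' AND Password='$p'");
    return $res !== false && mysqli_num_rows($res) === 1;
}

function check_login_prepared(mysqli $db, string $username, string $password): bool
{
    // Variant 2: a prepared statement. The values travel separately from the
    // SQL text, so no quoting or escaping of user input is involved at all.
    $stmt = mysqli_prepare($db, 'SELECT 1 FROM user_info WHERE Username=? AND Password=?');
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, 'ss', $username, $password);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);
    $ok = mysqli_stmt_num_rows($stmt) === 1;
    mysqli_stmt_close($stmt);
    return $ok;
}

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
var_dump(check_login_prepared($db, $username, $password));
```

The prepared-statement variant removes the dependence on the connection charset entirely, which is why it is the usual recommendation over escaping.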
0

Can this query be bypassed by an injection

No.

Your Common Sense