
For example:

```php
$qry = "SELECT * FROM `table` ORDER BY `$_GET[orderBy]` ASC ;";
```

Would that leave it open to any vulnerabilities?

    No, backticks aren't enough, use [**`mysqli_*` with prepared statements**](http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php), or [**PDO**](http://php.net/pdo) with [**prepared statements**](http://php.net/pdo.prepared-statements). Backticks only ensure you haven't used a [**reserved word**](http://dev.mysql.com/doc/refman/5.5/en/reserved-words.html), or that your table/columns contain spaces/hyphens. – Funk Forty Niner Aug 04 '14 at 22:41
  • 4
    2k rep, you should be able to answer this yourself. –  Aug 04 '14 at 22:41
  • How would the SQL database differentiate between your backticks and the ones coming in through the $_GET variable? – mario Aug 04 '14 at 22:42
  • 1
    Yes it leaves vulnerabilities: `$_GET[orderBy] = 1, (select case when (1=1) then 1 else 1*(select table_name from information_schema.tables)end)=1 --` – Mark Baker Aug 04 '14 at 22:42
  • 1
    Plus the fact that `$_GET[orderBy]` will issue a warning message unless `orderBy` is defined as a constant – Mark Baker Aug 04 '14 at 22:43
  • @MarkBaker Good point and catch. – Funk Forty Niner Aug 04 '14 at 22:44
  • @Fred-ii- but how would one use a prepared statement for a column name when placeholders become encapsulated in quotes? `order by ? = order by 'column name' will not work` – andrew Aug 04 '14 at 22:46
  • @MarkBaker and @ fred @ mario are correct – andrew Aug 04 '14 at 22:48
  • Then I stand corrected. – Funk Forty Niner Aug 04 '14 at 22:48
  • Why would you want to use `$_GET[orderBy]` in the first place? Why not just assign a variable to it, escape it then use `ORDER BY $var`. Ask the person who gave you an "answer". It'd be nice to see that person get involved in this convo ;) – Funk Forty Niner Aug 04 '14 at 22:51
  • 4
    Whitelist the possible values for your orderBy; whoever submits the form could easily mistype and cause the query to error, which looks decidedly unprofessional – Mark Baker Aug 04 '14 at 22:51
  • 2
    Reference for [SQL injection in order by clause](http://www.notsosecure.com/blog/2008/08/01/injection-in-order-by-clause/) – Mark Baker Aug 04 '14 at 22:54
  • Have a look at the Q&A's in http://stackoverflow.com/q/19083323/ and http://stackoverflow.com/q/2683576/ - That should shed a bit more light on the subject ;) There are a few examples using PDO prepared statements and `:` placeholders. – Funk Forty Niner Aug 04 '14 at 23:03
  • thanks @Fred-ii- and @ mark for the useful references – andrew Aug 04 '14 at 23:08
  • You're very much welcome Andrew, *cheers*. – Funk Forty Niner Aug 04 '14 at 23:09
  • 1
    @MarkBaker You're wrong about `$_GET[orderBy]`. When used in a double-quoted string, array indices do not need to be quoted – Phil Aug 05 '14 at 01:31
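The whitelist approach suggested in the comments, worked through as an added example (not code from the question or its comments). The column names in the map, the `dir` parameter and the `:min_id` filter are assumptions; the point is that the identifier interpolated into `ORDER BY` is always one of a fixed set of strings and never the raw request value.

```php
<?php
// Added example: ORDER BY with a whitelist, because a prepared-statement
// placeholder can only stand in for a value, never for a column name.
declare(strict_types=1);

// Assumed column names for the hypothetical `table`. The keys are what the
// client may send; the values are the fully quoted identifiers we emit.
const ORDER_BY_WHITELIST = [
    'id'      => '`id`',
    'name'    => '`name`',
    'created' => '`created_at`',
];
const ORDER_DIR_WHITELIST = ['asc' => 'ASC', 'desc' => 'DESC'];

/**
 * Map the user-supplied sort parameters onto the whitelist.
 * Anything not in the map falls back to a safe default instead of being
 * interpolated, so the returned fragment never contains request data.
 */
function buildOrderByClause(?string $column, ?string $direction): string
{
    $col = ORDER_BY_WHITELIST[strtolower((string) $column)] ?? ORDER_BY_WHITELIST['id'];
    $dir = ORDER_DIR_WHITELIST[strtolower((string) $direction)] ?? 'ASC';
    return "ORDER BY {$col} {$dir}";
}

// Vulnerable pattern from the question, kept here only for contrast: the
// surrounding backticks do nothing if the request value itself closes them.
// $qry = "SELECT * FROM `table` ORDER BY `$_GET[orderBy]` ASC ;";

/**
 * Hardened query: the identifier comes from the whitelist, while the row
 * filter (a value) goes through a PDO named placeholder.
 */
function fetchRows(PDO $pdo, array $get, int $minId): array
{
    $orderBy = buildOrderByClause($get['orderBy'] ?? null, $get['dir'] ?? null);
    $stmt = $pdo->prepare("SELECT * FROM `table` WHERE `id` >= :min_id {$orderBy}");
    $stmt->execute([':min_id' => $minId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a key on the whitelist, then one that is not and so
// falls back to the default column and direction.
echo buildOrderByClause('created', 'desc'), PHP_EOL;
echo buildOrderByClause('email', 'sideways'), PHP_EOL;
```

Unknown keys silently fall back here; returning a 400 to the client instead is equally valid and avoids the unprofessional-looking query error Mark Baker mentions.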
