
If there is a query in a PHP script which is vulnerable, like

select email from mytable where id = $_REQUEST['id']

Is there a risk that someone can execute a truncate table etc. using the SQL vulnerability?

This query is executed using mysql_query(). Multi queries are not allowed.

I understand that this is vulnerable code. What I want to know is whether someone can execute a delete or truncate. I want to know the extent of the vulnerability.

Ram

3 Answers


Sure, if you let the user fill the "id" freely.

For example:

$_REQUEST['id'] = "123; delete from mytable where 1";

select email from mytable where id = 123; delete from mytable where 1;

And if you use multi_query(), the second query will be executed.

Frederick Zhang

Yes, this is not a correct way to execute queries. Let's check the following example of a simple SQL injection:

<?php
// We didn't check $_POST['password'], it could be anything the user wanted! For example:
$_POST['username'] = 'aidan';
$_POST['password'] = "' OR ''='";

// Query database to check if there are any matching users
$query = "SELECT * FROM users WHERE user='{$_POST['username']}' AND password='{$_POST['password']}'";
mysql_query($query);

// This means the query sent to MySQL would be:
echo $query;
?>

The query sent to MySQL:

SELECT * FROM users WHERE user='aidan' AND password='' OR ''=''

Always use mysql_real_escape_string().

Dharam

Your query is very vulnerable to SQL injection.

Use prepared statements and parameterized queries.

Using mysqli, the right way to do it is like this:

// The SQL text is fixed; the value is sent separately and is never parsed as SQL
$stmt = $connection->prepare('SELECT email FROM mytable WHERE id = ?');
$stmt->bind_param('s', $_REQUEST['id']);
$stmt->execute();

// get_result() needs the mysqlnd driver; bind_result() is the alternative
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // do whatever you need with $row
}

You can also use prepared statements with PDO.

baao
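As an added example that is not part of any of the answers above, here is the question's query built the vulnerable way and the prepared-statement way, run through PDO against a constructed in-memory SQLite table so it needs no MySQL server (the table contents, the hostile `id` value and the function names are all made up for the demo; it assumes the pdo_sqlite extension is present):

```php
<?php
// Added example, not taken from the answers: the question's query built two
// ways and run against a constructed in-memory SQLite table through PDO, so
// no MySQL server is needed (requires the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mytable (id INTEGER PRIMARY KEY, email TEXT)');
$db->exec("INSERT INTO mytable (id, email) VALUES (1, 'alice@example.com'), (2, 'bob@example.com')");

// Constructed hostile value standing in for $_REQUEST['id']: the same kind of
// tautology as the OR ''='' example above, no stacked statement needed.
$untrusted = '0 OR 1=1';

// Vulnerable: the value is spliced into the SQL text, so "OR 1=1" is parsed
// as part of the WHERE clause and every row in the table comes back.
function emailsVulnerable(PDO $db, string $id): array
{
    return $db->query("SELECT email FROM mytable WHERE id = $id")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: a prepared statement keeps the SQL text fixed and ships the value
// separately, so the whole string is compared against id as one opaque value.
function emailsPrepared(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT email FROM mytable WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Defence in depth: reject anything that is not an integer before it reaches
// the database at all, so bad input is refused (and can be logged) rather than queried.
function emailsValidated(PDO $db, string $id): array
{
    $int = filter_var($id, FILTER_VALIDATE_INT);
    if ($int === false) {
        throw new InvalidArgumentException("rejected non-integer id: $id");
    }
    return emailsPrepared($db, (string) $int);
}

print_r(emailsVulnerable($db, $untrusted)); // every email in the table is returned
print_r(emailsPrepared($db, $untrusted));   // no row has that id, so nothing is returned
try {
    emailsValidated($db, $untrusted);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";            // refused before any query ran
}
```

The same three behaviours hold against MySQL with mysqli or PDO; the point is that the prepared statement and the integer check stop the tautology even though stacked queries were never available.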