This code seems to be unsafe:

<form method='post'>
<input type='text' name='x' style='width:1000px'>
<input type='submit' value='Send'>
</form>
<?php
if(isset($_POST['x']))
{
    require_once("db_connect.php");
    $q = mysqli_query($dbc, "SELECT x FROM table where x = '". $_POST['x'] ."'");
    while($r = mysqli_fetch_assoc($q))
        echo $r['x'];
}

but when I sent malicious input, it did not work. So I made a similar script:

<form method='post'>
<input type='text' name='x' style='width:1000px'>
<input type='submit' value='Send'>
</form>
<?php

if(isset($_POST['x']))
    echo $_POST['x'];

and when I sent ' (apostrophe), I received \' . So it became automatically escaped. My question is, where did it happen? How do I send a 'clear' apostrophe?

Com Piler
    There's no way this code is automatically escaping apostrophes. – developerwjk May 06 '15 at 18:56
  • Try sending `' or '3'='3` as your `$_POST['x']` against a real table such as usernames or whatever – MonkeyZeus May 06 '15 at 18:57
  • @MonkeyZeus received \' or \'3\'=\'3 – Com Piler May 06 '15 at 18:59
  • After `if(isset($_POST['x']))` try `echo $_POST['x'];`, you might be using a framework or library that is escaping for you. – MonkeyZeus May 06 '15 at 18:59
  • have you considered using mysql_real_escape_string()? – ledesma May 06 '15 at 19:02
  • MonkeyZeus read my post again... @developerwjk so my code is safe and I do not need PDB or similar stuff? – Com Piler May 06 '15 at 19:03
  • @ComPiler Your code should not be assumed to be safe - your server likely has magic_quotes enabled, which is a deprecated practice (in fact, it was removed in PHP 5.4) and was a security problem in PHP because it was relied upon when often not present. To be safe, you should be using the `prepare()/bind_param()/execute()` methods [described in these answers](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Michael Berkowski May 06 '15 at 19:05
  • @developerwjk it is entirely possible he has magic quotes on and that it is automatically escaping for him on POST data – AlienHoboken May 06 '15 at 19:06
  • @ComPiler Yes I see that now. Try `echo ('magic_quotes_gpc');` and if it says "on" then there is your answer. – MonkeyZeus May 06 '15 at 19:10

1 Answer


You could have Magic Quotes on. What version of PHP are you running? Magic Quotes were deprecated in 5.3 and removed in 5.4 but they default to ON when present.

Magic Quotes will automatically escape quotes, but you really shouldn't rely on it. You should turn it off and use a different escaping method or, even better, look at using prepared statements.

Run get_magic_quotes_gpc() to see if you have them on. If so, turn them off by making the following changes to the php.ini file:

; Magic quotes
;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

AlienHoboken
  • @ComPiler http://stackoverflow.com/questions/2610524/why-is-turning-magic-quotes-gpc-on-considered-a-bad-practice – Jay Blanchard May 06 '15 at 19:16
  • Briefly: Portability, performance, and convenience. Also prepared statements are much more secure and definitely your way to go, as they actually keep the input data separate from the query. Definitely read up on prepared statements. See @JayBlanchard's comment for more detail on why not to use Magic Quotes. – AlienHoboken May 06 '15 at 19:17
  • http://stackoverflow.com/questions/2735749/successful-sql-injection-despite-php-magic-quotes – Com Piler May 06 '15 at 19:20
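As an added example (not code from the question or from the answer above), here is the question's lookup rewritten the way the answer recommends: first report whether magic_quotes_gpc is the thing inserting the backslash, then run the query as a mysqli prepared statement so that the quote in the input can never terminate the SQL string literal. It assumes, as in the question, that db_connect.php sets up `$dbc` and that the table is literally named `table` with a column `x`.

```php
<?php
// Added example, not part of the original question or answer.
// Assumes db_connect.php provides a mysqli connection in $dbc and that a
// table named `table` with a column `x` exists (the question's own names).

require_once("db_connect.php");

// 1. Find out where the backslash came from. get_magic_quotes_gpc() exists
//    up to PHP 7.x (it always returns false from 5.4 on, where the feature was
//    removed) and is gone in PHP 8, hence the function_exists() guard.
$magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
echo "magic_quotes_gpc: " . ($magic ? "on" : "off") . "\n";

if (isset($_POST['x'])) {
    $x = $_POST['x'];

    // 2. If magic quotes are on, undo the automatic escaping so that $x holds
    //    the raw user input. The escaping is not what protects the query.
    if ($magic) {
        $x = stripslashes($x);
    }

    // 3. Prepared statement: the SQL text contains only a placeholder, and the
    //    value is sent separately, so ' or '3'='3 is matched as data, not
    //    parsed as SQL. TABLE is a reserved word in MySQL, so the name is
    //    quoted with backticks.
    $stmt = mysqli_prepare($dbc, "SELECT x FROM `table` WHERE x = ?");
    if ($stmt === false) {
        die("prepare failed: " . mysqli_error($dbc));
    }
    mysqli_stmt_bind_param($stmt, "s", $x);   // "s": bind $x as a string
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $value);

    while (mysqli_stmt_fetch($stmt)) {
        // The original echoes the column straight into the page; encoding it
        // keeps a stored <script> from running in the browser (a separate
        // issue from SQL injection, but the same "treat input as data" rule).
        echo htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "\n";
    }
    mysqli_stmt_close($stmt);
}
```

With magic quotes off, submitting ' or '3'='3 in the form simply searches for a row whose x column equals that exact string and returns nothing, which is the behaviour a parameterised query is supposed to give; turning magic_quotes_gpc off in php.ini (as the answer shows) changes only whether stripslashes() is needed, not the safety of the query.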