
I used the MySQL escape-string function in my code. I was taking e-mail addresses and storing them in the database. This is the escape-string function I used.

mysqli_real_escape_string($connection, $_POST['data'])

But I looked at the database today and found that someone has been able to insert things like "C:/Windows/xyz", SQL queries, etc. Those have been included in the database. How is this happening, even when the HTML doesn't let you enter anything except a proper e-mail address?

sofa_maniac

  • It doesn't remove bad data. It just prevents it from being interpreted as a MySQL command to prevent SQL injections. – John Conde Aug 30 '15 at 12:50
  • And HTML5 `` is just advisory for browsers. Other bots/spiders can just ignore that. If you want filtered/whitelisted content, you'll have to implement the corresponding logic server-side, not rely on compliant clients. – mario Aug 30 '15 at 12:52
  • Thanks for the comments. Question to John Conde. When I went through the database, I found all these SQL queries like "1 AND 1=1 -- " and even Javascript queries ('") – sofa_maniac Aug 30 '15 at 13:00
  • How has he been able to pass all these? And moreover, is the site vulnerable to SQLi then, given that he passed all these into the database? – sofa_maniac Aug 30 '15 at 13:01
  • You are still confusing "SQL injection" with "unwanted data". That you got `1 AND 1=1 --` as literal text somewhere in the database means that it was properly escaped for insertion. It perhaps was an *attempt* at SQL injection. It failed at that. But now you have garbage in the database. (Again, storing "garbage" is not a first order SQL exploit). – mario Aug 30 '15 at 13:06
  • Oh, I understand. Thanks for the info. Is there any way to bypass the form filter for taking email input? I mean, is there any way to add the "unwanted data" without triggering the "Please enter an email address" warning that the HTML form shows? – sofa_maniac Aug 30 '15 at 13:11
  • possible duplicate of [Do I have to guard against SQL injection if I used a dropdown?](http://stackoverflow.com/q/22534183) – mario Aug 30 '15 at 13:11
  • @SoumyarghaSinha - that depends entirely on how you're filtering your inputs. `mysqli_real_escape_string` won't filter the data - it'll just take the data that's passed to it, and turn it into something that can be entered into the database. – andrewsi Aug 30 '15 at 13:32

1 Answer


There's a huge difference between sanitizing and validating variables. Sanitization gives you SQL-safe variables for your database operations, but no one said that a user can't order "fleventy" beers over your form.

If you want to validate for a proper e-mail address string, you could use the filter_var($_REQUEST["email"], FILTER_VALIDATE_EMAIL) function.

Koval