
Let's say I had the following code:

   // Static query: the name 'billy' is a literal in the SQL text, no user input is involved.
   // (mysql_* functions are deprecated and were removed in PHP 7; see the comments below.)
   $fetchlast1 = mysql_query("SELECT * FROM tableOne WHERE name='billy'");
   while ($row = mysql_fetch_array($fetchlast1)) {
       $id = $row[1];          // second column of the row (numeric index)
       if ($id == '23') {      // loose comparison: the string '23' equals the integer 23
           // give admin privileges.
       }
   }

So let's say the value of $id turns out to be '45', NOT '23'. Can a skilled person, or anyone at all, somehow change the received value to be '23' and hence get admin privileges?

  • If there isn't any user input, then I'd say no. You really should switch to the newer APIs though. – Funk Forty Niner Nov 08 '16 at 19:22
  • For static queries there is no way, as correctly pointed out by @Fred-ii- – Rahul Nov 08 '16 at 19:25
  • ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Nov 08 '16 at 19:41
  • The results of your queries can only be changed if you are NOT using parameterized queries. – CptMisery Nov 08 '16 at 20:19
  • When someone doesn't have the admin privileges, do you create the admin controls and hide them with CSS, or are they excluded from the page altogether? If they are just hidden, someone could use the browser's inspector tool to make those controls visible. – CptMisery Nov 08 '16 at 20:21
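The point the comments make, as an added example that is not code from the question or its answers: the same lookup written as a static query (no SQL text is built from input, so nothing can alter the WHERE clause), as a string-interpolated query (the one form in which the returned row is under the caller's control), and as a mysqli prepared statement (the recommended form, where the name is sent as a bound value rather than as part of the SQL). The table name `tableOne`, the admin id 23 and the column names `id` and `name` are taken from the question; the connection credentials are placeholders.

```php
<?php
declare(strict_types=1);

// Make mysqli throw on errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

const ADMIN_ID = 23; // the privileged id from the question

// 1. Static query, as in the question. The SQL text is a constant: no request
//    data can change which row comes back, so a '45' stays a '45'.
function lookupStatic(mysqli $db): ?int
{
    $result = $db->query("SELECT id FROM tableOne WHERE name = 'billy'");
    $row = $result->fetch_assoc();
    return $row === null ? null : (int) $row['id'];
}

// 2. The same query with the name interpolated from the request. Kept here
//    only for contrast: a single quote inside $name ends the string literal and
//    the remainder of $name is parsed as SQL, so the caller decides which row
//    (and therefore which id) the admin check below sees. Do not use this form.
function lookupInterpolated(mysqli $db, string $name): ?int
{
    $result = $db->query("SELECT id FROM tableOne WHERE name = '$name'");
    $row = $result->fetch_assoc();
    return $row === null ? null : (int) $row['id'];
}

// 3. Prepared statement (the form the comments recommend). The SQL text is
//    fixed at prepare() time; the name travels separately as a bound string
//    parameter, so whatever it contains is matched as data, never parsed as SQL.
function lookupPrepared(mysqli $db, string $name): ?int
{
    $stmt = $db->prepare("SELECT id FROM tableOne WHERE name = ?");
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($id);
    $found = $stmt->fetch();   // true when a row was fetched, null when none
    $stmt->close();
    return $found ? (int) $id : null;
}

// The authorization decision itself: strict integer comparison on the server.
function isAdmin(?int $id): bool
{
    return $id === ADMIN_ID;
}

// Usage (placeholder credentials). The admin check runs on the server and must
// be repeated on every request that performs an admin action; hiding controls
// with CSS, as the last comment notes, is presentation, not access control.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'appdb');
$name = $_GET['name'] ?? 'billy';   // request data is fine here: it is bound, not interpolated
$id = lookupPrepared($db, $name);
if (isAdmin($id)) {
    // render admin controls; re-check isAdmin() on each admin endpoint as well
}
```

The defensive reading of the question is therefore: with the query exactly as posted, the returned id cannot be steered from outside; the risk appears only when `'billy'` is replaced by something assembled from input, and the fix for that is binding (form 3), not escaping by hand.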

1 Answer

-1

The answer is yes and no. If your values are hardcoded in the code then there is no chance of SQL injection. It depends on the way you are including 'billy' in your query (read more about mysqli prepared statements). Also, your logical operation does not make any sense when used with this query.

I also STRONGLY recommend you start programming in PHP using mysqli (MySQL improved syntax).

Frank Helligberger