
Some dude challenged me to sql-inject his code. He said the PHP function in the title should suffice for this case.

$var = 'my malevolent input will be in here';
$var = mysql_real_escape_string($var);

$sql = "SELECT * FROM `users` WHERE `id` = '$var'";

mysql_query($sql);

I can't seem to bypass the single-quote escaping. What should I use as a value for $var? Can I use something?

Thanks, as always

nevvermind

3 Answers

While there may be esoteric exploits in certain server versions under certain conditions and such, as far as I know, using mysql_real_escape_string() in this way is generally considered safe.

Pekka

No, using mysql_real_escape_string is considered to be safe for any input unless the character encoding is not set properly by using mysql_client_encoding.

Gumbo
  • Do you happen to know links to specific exploit examples for a mis-set character set off the top of your head? (No need to dig, just curious) – Pekka Nov 07 '10 at 18:45
  • @Pekka: [Chris Shiflett's "`addslashes()` Versus `mysql_real_escape_string()`"](http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string) has an example. – Gumbo Nov 07 '10 at 18:48
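The mis-set charset case that Gumbo's answer and the linked Shiflett post describe, worked through as an added example (this is not code from the question or from any of the answers): the input is a stray GBK lead byte followed by a quote. `escape_blind` models byte-wise escaping done without charset knowledge (addslashes(), or mysql_real_escape_string() on a client that still assumes latin1); `escape_charset_aware` models what libmysql's escaper does once the client has been told the connection is GBK (copy valid multibyte characters whole, escape a stray lead byte); `after_literal` models how the server's lexer finds the end of the quoted literal. All three functions, their names and the payload are constructed for this demonstration and approximate MySQL's behaviour rather than call it.

```python
"""Why mysql_real_escape_string() is only safe when it knows the connection
charset. Added example; the escaper and lexer below are models of libmysql /
the MySQL server (assumed from the classic GBK case), not the real code."""

# Bytes that need escaping inside a MySQL quoted literal, and what they become.
ESCAPES = {
    0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z",
    0x5C: b"\\\\", 0x27: b"\\'", 0x22: b'\\"',
}


def _is_mb_char(pair: bytes, charset: str) -> bool:
    """True if these two bytes form exactly one character in `charset`."""
    if len(pair) != 2:
        return False
    try:
        return len(pair.decode(charset)) == 1
    except UnicodeDecodeError:
        return False


def _looks_like_lead(b: int, charset: str) -> bool:
    """True if byte `b` cannot stand alone in `charset`, i.e. it starts a
    multibyte sequence (the my_mbcharlen() > 1 test in libmysql)."""
    try:
        bytes([b]).decode(charset)
        return False
    except UnicodeDecodeError:
        return True


def escape_blind(data: bytes) -> bytes:
    """Byte-wise escaping with no charset knowledge: addslashes(), or
    mysql_real_escape_string() when the client still believes it is latin1."""
    return b"".join(ESCAPES.get(b, bytes([b])) for b in data)


def escape_charset_aware(data: bytes, charset: str) -> bytes:
    """Model of mysql_real_escape_string() after the client was told the real
    charset: a valid multibyte character is copied untouched, and a stray lead
    byte is itself escaped so that the backslash added for the following quote
    cannot be absorbed into a freshly formed character."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if _is_mb_char(data[i:i + 2], charset):
            out += data[i:i + 2]
            i += 2
        elif _looks_like_lead(b, charset):
            out += b"\\" + bytes([b])
            i += 1
        else:
            out += ESCAPES.get(b, bytes([b]))
            i += 1
    return bytes(out)


def build_query(escaped: bytes) -> bytes:
    """The query from the question, with the escaped value inside the quotes."""
    return b"SELECT * FROM `users` WHERE `id` = '" + escaped + b"'"


def after_literal(sql: bytes, charset: str) -> bytes:
    """Model of how the MySQL lexer finds the end of the quoted literal when the
    connection charset is `charset`: a valid multibyte character is skipped
    whole, a backslash skips the next byte, a bare quote closes the literal.
    Returns whatever follows the literal; b"" means the input stayed inside."""
    i = sql.index(b"'") + 1
    while i < len(sql):
        if _is_mb_char(sql[i:i + 2], charset):
            i += 2
        elif sql[i] == 0x5C:
            i += 2
        elif sql[i] == 0x27:
            return sql[i + 1:]
        else:
            i += 1
    raise ValueError("unterminated string literal")


# Constructed payload: a stray GBK lead byte, then the usual quote-and-tautology.
# Blind escaping turns \xbf\x27 into \xbf\x5c\x27, and \xbf\x5c is one valid
# GBK character, so the quote survives unescaped.
PAYLOAD = b"\xbf' OR 1=1 #"


def demo(charset: str = "gbk") -> dict:
    """What is left outside the literal under each escaping strategy."""
    blind = build_query(escape_blind(PAYLOAD))
    aware = build_query(escape_charset_aware(PAYLOAD, charset))
    return {
        "blind_escape": after_literal(blind, charset),
        "charset_aware": after_literal(aware, charset),
    }


if __name__ == "__main__":
    for name, tail in demo("gbk").items():
        print(f"{name:14s} -> {'INJECTED: ' + repr(tail) if tail else 'safe'}")
```

Run with a GBK connection the blind escaper leaves ` OR 1=1 #'` outside the literal, while the charset-aware escaper keeps everything inside; the same blind escaping is harmless on a single-byte connection such as latin1, which is why the bug only shows up when client and server disagree about the charset. In PHP terms that is the difference between calling mysql_set_charset() (or at least checking mysql_client_encoding()) before escaping and trusting the default.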

You have an error in code:

$sql = "SELECT * FROM `users` WHERE `id` = '$var'";

Should be

$sql = "SELECT * FROM `users` WHERE `id` = '".$var."'";

if you are not sure whether id is an integer or a string.

If you are sure that id is always an integer, then:

$sql = "SELECT * FROM `users` WHERE `id` = ".intval($var);

And you will be safe with mysql_real_escape_string(); ^_^

rinchik
  • oops. haha ) was browsing saw weird code and posted.. http://www.topito.com/wp-content/uploads/2013/01/code-31.gif – rinchik Mar 05 '13 at 17:48