2

I have a comment form that consists of 2 fields (title and comment). Database contains 3 columns: id, title and comment. Comment is displayed based on its title like domain.com/index.php?id=sometitle

The title field is properly secured against sql injection using mysql_real_escape_string, but the comment field, which is a textarea, is left open without escaping. I can escape it, however I'm wondering what harm it can do to just leave it without using mysql_real_escape_string on that field, knowing that title is already escaped and that's how the output is retrieved.

Pinkie

5 Answers

7

What would happen if someone typed this into your textarea.

some comment');DELETE FROM COMMENTS;--

If your query to insert the comment were something like

INSERT INTO Comments(Title,Comment) VALUES('$title','$comments');

then you would have a problem. The resulting query would be

INSERT INTO Comments(Title,Comment) VALUES('some title','some comment');DELETE FROM COMMENTS;--'

or to lay it out in a more readable format

INSERT INTO Comments(Title,Comment) VALUES('some title','some comment');
DELETE FROM COMMENTS;--'

The --' at the end just creates a comment, to get rid of any extra SQL that would make it not parse properly.

Kibbee
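To check this answer's claim against a real driver, here is an added example (not from the question or any answer) that uses Python's sqlite3 as an in-memory stand-in for MySQL: the concatenated statement built from the payload above wipes the seeded table, while a parameterised insert stores the same payload as plain text. The table layout, the seed row and the use of executescript() to model a driver that accepts stacked statements are assumptions.

```python
import sqlite3
from typing import Optional

# Constructed sample input: the payload from the answer above, as typed into the textarea.
TITLE = "some title"
PAYLOAD = "some comment');DELETE FROM COMMENTS;--"


def fresh_db() -> sqlite3.Connection:
    """In-memory stand-in for the Comments table (assumed layout), seeded with one row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Comments(Id INTEGER PRIMARY KEY, Title TEXT, Comment TEXT)")
    db.execute("INSERT INTO Comments(Title,Comment) VALUES('first','hello')")
    db.commit()
    return db


def row_count(db: sqlite3.Connection) -> int:
    return db.execute("SELECT COUNT(*) FROM Comments").fetchone()[0]


def stored_comment(db: sqlite3.Connection, title: str) -> Optional[str]:
    row = db.execute("SELECT Comment FROM Comments WHERE Title=?", (title,)).fetchone()
    return row[0] if row else None


def insert_by_concatenation(db: sqlite3.Connection, title: str, comment: str) -> int:
    """The vulnerable pattern from the answer: user text pasted into the SQL string.
    executescript() stands in for a driver that runs stacked statements; the quote and
    semicolon in the comment end the INSERT, and the DELETE that follows is executed too.
    Returns the number of rows left afterwards."""
    sql = f"INSERT INTO Comments(Title,Comment) VALUES('{title}','{comment}');"
    db.executescript(sql)
    return row_count(db)


def insert_parameterised(db: sqlite3.Connection, title: str, comment: str) -> int:
    """The fix: values travel separately from the statement text, so quotes and
    semicolons inside the comment remain data. Returns the number of rows afterwards."""
    db.execute("INSERT INTO Comments(Title,Comment) VALUES(?,?)", (title, comment))
    db.commit()
    return row_count(db)


if __name__ == "__main__":
    print("rows after concatenated insert:", insert_by_concatenation(fresh_db(), TITLE, PAYLOAD))
    db = fresh_db()
    print("rows after parameterised insert:", insert_parameterised(db, TITLE, PAYLOAD))
    print("stored comment:", stored_comment(db, TITLE))
```

The same contrast holds for PDO prepared statements in PHP, which is what the later answers recommend.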
2

All unescaped strings can be used to inject SQL.

SLaks
  • I can't make sense of this without an example to my question. How is the comment field interfering with injection. – Pinkie Jun 30 '11 at 00:09
  • Huh? I have no idea what your problem is. There is no difference between the two fields. – SLaks Jun 30 '11 at 00:10
  • If my comment is something like "What a great ');drop tables;--' website!" then you're going to be in real trouble. – Cameron Skinner Jun 30 '11 at 00:11
2

If someone uses SQL injection in the textarea, it will run when the data is submitted to your database, which is why you escape it first.

steve
  • How does inserting the comment field cause sql injection? We are talking about input, not output. – Pinkie Jun 30 '11 at 00:10
  • The link you provided talks about selecting and not inserting. It's the opposite of what I'm asking. – Pinkie Jun 30 '11 at 00:15
  • @Pinkie Not really, since the `$_GET` variable of the `id` would be used in an SQL select statement. Perhaps you should revise your original question... I mean statement. – Steve Robbins Jun 30 '11 at 00:19
  • @steve, thank you. I see what you mean. I found a good example at http://stackoverflow.com/questions/681583/sql-injection-on-insert – Pinkie Jun 30 '11 at 00:20
2

Escape it. Assuming users are the ones posting comments, you are vulnerable to injection in the comment section, which would be executed once they post the form, not when they request to view the comment.

Steve Robbins
2

DO NOT leave that field un-escaped. It doesn't matter what the field is being linked with. By the time the query is formed the injector can be returning password fields etc.

To really clear out ANY attempt at using sql injection you need to be using stored procedures. If you have access to it you should be using PDO.

il_guru
meteorainer