Is SQL Injection possible with mysql_real_escape_string when variables in the query have no quotes around them?

Question

Take for example this

$username = mysql_real_escape_string($_GET['username']);
$password = mysql_real_escape_string($_GET['password']);
$sql = "SELECT * FROM users WHERE username = $username AND password = $password";

If there are no quotes around $username and $password, is injection still possible ?

Does that even work? I mean, even with "valid" values for username and password, the query should fail, as strings **need** to be enclosed in quotation marks. — Shi, Aug 25 '11 at 21:08

score 3 · Accepted Answer · answered Aug 25 '11 at 21:06

3

If there are no quotes around $username and $password, is injection still possible ?

Yes. mysql_real_escape_string() prevents only escaping from the quotes in a string.

Without surrounding quotes, mysql_real_escape_string() is useless.

answered Aug 25 '11 at 21:06

Pekka

442,112
142
972
1,088

score 1 · Answer 2 · answered Aug 25 '11 at 21:07

Yes. Trivially, submit the username as username and the password as password. Congratulations, you're in. That's because this expands to:

$sql = "SELECT * FROM users WHERE username = username AND password = password";

It will select any row where the username column equals the username column (same for password).

Of course, this code also fails for ordinary logins, so it should be caught pretty quickly. If you use any username or password that is not a database construct (column, function call, etc.), it will fail.

@Pekka, sorry, I did not mean the form submission should contain quotes. The `username` should actually be username (no quotes). — Matthew Flaschen, Aug 25 '11 at 21:11

score 0 · Answer 3 · answered Aug 25 '11 at 21:41

Without the quotes, the user-submitted data will be seen as field references, and/or invalid SQL.

Consider a username of username. A proper query would be:

SELECT ... FROM ... WHERE username='username'

and only match if there really is a user whose name is "username".

Without the quotes, it becomes:

SELECT ... FROM ... WHERE username=username

which would match ALL non-null records in the table.

Now consider a 2-part username: John doe

SELECT ... FROM ... WHERE username=John doe

The DB server will try to compare the username field against a field name 'John', which most likely doesn't exist. Then there's this "doe" thing in there which is not a field name, not an SQL key word, so is a syntax error.

Now consider a username: 1 or 1=1

SELECT ... FROM ... WHERE username=1 or 1=1

again, this will ALWAYS return true and match ALL rows, because "1=1" will always be true.

mysql_real_escape_string() only guarantees that any data you pass through it will not "break" a PROPERLY CONSTRUCTED query. If the query you're inserting the escaped data into is NOT properly constructed, then all bets are off.

Is SQL Injection possible with mysql_real_escape_string when variables in the query have no quotes around them?

3 Answers3