1

Possible Duplicate:
What are the best PHP input sanitizing functions?

Let's say I have a $_GET variable with the name "id". The $_GET variable is then used in a mysql query to retrieve some data like SELECT text FROM database WHERE id=$_GET['id']; Would null byte injection in my $_GET variable affect me assuming I'm using common security functions like mysql_real_escape_string(), addslashes(), and strip_tags()?

Community
  • 1
  • 1
user701510
  • 5,563
  • 17
  • 61
  • 86
  • 1
    Assuming you're not using them wrong, like your question suggests, that wouldn't be a problem for string literals in your query. – mario Nov 25 '11 at 10:26

1 Answers1

5

Would null byte injection in my $_GET variable affect me assuming I'm using common security functions like mysql_real_escape_string(), addslashes(), and strip_tags()?

Probably not, but a much more simple injection would affect you. Try passing this as the GET parameter:

99999 OR id=0

and run it through the query you show above. It will allow injection of arbitrary SQL even when using mysql_real_escape_string.

Contrary to popular belief, mysql_real_escape_string() will not protect you if your value is not enclosed in quotes.

If querying for numeric values, either test whether it's a number before inserting the value into the string, or put the value into quotes:

 $id = mysql_real_escape_string($_GET["id"]);
 $query = "SELECT text FROM database WHERE id='$id'";

addslashes and strip_tags have no value at all in this context. They only serve to break data, but they add no security when inserting stuff in a database. Just get rid of them. (strip_tags may be appropriate later when you output something on a HTML page.)

Pekka
  • 442,112
  • 142
  • 972
  • 1,088