0

I have no idea about PHP security, but if I add an ' to the input in my POST method form.

I'm getting the following message: 

Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /usr/local/www/login.php

Is that a SQL injection? If so, how it can be abused by the "hackers" ?

Cyclone
  • 14,839
  • 23
  • 82
  • 114
  • possible duplicate of [Best way to stop SQL Injection in PHP](http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php) – Aurelio De Rosa Dec 28 '11 at 03:15
  • There's not enough information to answer this question without guessing. What's lacking is [minimal sample code](http://sscce.org/), which every SO question should have. – outis Dec 28 '11 at 03:18

2 Answers2

4

That means you're vulnerable to SQL injection, and your code is not doing sufficient checking for errors.

An absolute barebones "safe" bit of code would be:

<?php
... connect to db ...
$stringval = mysql_real_escape_string($_GET['param']);
$sql = "SELECT somefield FROM sometable WHERE otherfield='$stringval'";
$result = mysql_query($sql) or die(mysql_error());

better yet is to stop using the mysql functions and switch to PDO and parameterized queries. They handle the injection problems for you automatically.

The root cause of your error message is that your query has caused a syntax error. When a query fails outright like that, mysql_query() returns a boolean FALSE value, not a statement handle.

Since you lack any kind of error checking, you blindly took that boolean false and passed it on to the fetch function, which has rightfully complained that you didn't provide a result handle.

Marc B
  • 356,200
  • 43
  • 426
  • 500
  • Thank you. But I've read much about this thing, and seems like there is no way to get the access to the database or something. I've tried to inject it in a few ways and seems like it's not possible, so my question is about 'how to inject it', because I wan't to learn some about the security against SQL injection and understand, how it works. Thank you 1+'d for now. :) – Cyclone Dec 28 '11 at 03:23
  • classical injection problems, such as the [Bobby Tables](http://xkcd.com/327/) aren't possible in PHP/MySQL as the driver doesn't allow multiple queries in a single call. But injection attacks can STILL be used to do things like subvert login/permissions systems. – Marc B Dec 28 '11 at 03:27
0

You should escape any user input before passing it to mysql. Use the PHP function mysql_real_escape_string() to escape any user input before adding it to your query. Here is the link to PHP manual for mysql_real_escape_string()

Update: Yes, what others are saying about using prepared statements or mysqli is much better that using the mysql extension.

Here are a few links on MySQL Injection which I found:

Virendra
  • 2,560
  • 3
  • 23
  • 37
  • Actually the best way to be safe from SQL injection is to use prepared statement. – Aurelio De Rosa Dec 28 '11 at 03:16
  • The mysql extension is outdated and on its way to deprecation. New code should use mysqli or PDO, both of which have important advantages, such as support for prepared statements, which is the modern way of preventing injection attacks. – outis Dec 28 '11 at 03:17
  • I have updated my answer to provide some links on more details about SQL Injection, prepared statements and mysqli. – Virendra Dec 28 '11 at 03:25
  • a classic delusion. as a mater of fact, "escape any user input" is wrong and doesn't prevent injections. -1 – Your Common Sense Jan 03 '12 at 01:59