If an attacker feeds invalid input to the query to cause a syntax error and you have a fairly verbose error output then yes, it is possible. It depends on your level of input sanitisation and your level of error output. For example the email input field for the query could be used to feed something other than into the statement.ģ) If you mean is it possible for the attacker to have that output to their browser, then possibly. For there the be a SQL injection vulnerability you have to use user input. The values you have used for the query are hard coded. MySQL injection is one of the most common web vulnerabilities out there.ġ) The SQL query simply being wrapped in a PHP if statement will have no impact upon whether or not an attacker can inject into the statement.Ģ) Can who escape out of it? You or the attacker? Assuming you mean the attacker, and given the example you provide, no one can. It's not so much dumbness as cluelessness/carelessness, but yes.
Php mysql insert sql injection code#
Are there any people dumb enough to code this way? If this has a potential SQL injection situation. But that may be worse, it's best if the attacker can't see anything. Sure, store the string first and then echo it. Is there a possibility to echo the whole statement so you could get more intel in the php used, meaning that the whole result query is being echo'ed due to the injected code? Stuff like mysqli_real_escape_string() are also vulnerable. Simply escaping everything won't work, as this may change the meaning of some of the characters. With single line queries, ' (select abc from def),0)- can work, though with some more nesting you can run pretty much anything. With multiline queries, a simple ' drop table usertable - works. Is it possible to inject something into this even if it's in an if statement?
0 kommentar(er)
