Quote:
Originally Posted by airtalking
I guess i could explain further... say you got
Code:
$name = $_POST['name'];
$sql = "SELECT * FROM table WHERE name = '$name';
if a user submits his name as (forgive my syntax on droping i know its wrong)
Code:
blahblahblah'; DROP ALL TABLES;--
then when it gets plugged into $sql you would get
Code:
SELECT * FROM table WHERE name = 'blahblahblah'; DROP ALL TABLES;--'
the -- at the end would comment out the trailing quote. If magic quotes is on, or you use the code in the first post it will add a / before any quote or /. So with magic quotes on you would get
Code:
SELECT * FROM table WHERE name = 'blahblahblah/'; DROP ALL TABLES;--'
That would cause an error and none of the sql gets executes saving your database. |
Fortunately, PHP5 (and possibly PHP4, I can't remember where I read it to verify) doesn't allow multiple queries in 1 execution. Otherwise, any server running the older version of the Allakhazam Clone would be screwed (pretty much all of the search fields are susceptible to injection), allowing someone to give themselves equip, instant max level, max pp, etc.
However, you could attempt to discover an admin password from the account table using subqueries & a bit of trial an error.
As for a fix, I don't know that I'd recommend just depending on escaping quotes, but rather validating the actual submitted value. Specifically, since we're just looking at a name, there shouldn't be any spaces, special characters, numbers, etc. So, we could do a simple Regular Expression: