Home/ Questions/Q 6087117
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T11:50:02+00:00

I have a comment form that consists of 2 fields (title and comment). Database

  • 0

I have a comment form that consists of 2 fields (title and comment). Database contains 3 columns id, title and comment. Comment is displayed based on it’s title like domain.com/index.php?id=sometitle

The title field is properly secured for sql injection using mysql_real_escape_string, but comment field which is a textarea is left open without escaping. I can escape it, however i’m wondering what harm can it do to just leave it without using mysql_real_escape_string on that field knowing that title is already escaped and it’s how the output is retrieved.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    What would happen if someone typed this into your textarea.

    some comment');DELETE FROM COMMENTS;--

    If your query to insert the comment were something like 

    INSERT INTO Comments(Title,Comment) VALUES('$title','$comments');

    then you would have a problem. the resulting query would be

     INSERT INTO Comments(Title,Comment) VALUES('some title','some comment');DELETE FROM COMMENTS;--'

    or to lay it out in a more readable format

    INSERT INTO Comments(Title,Comment) VALUES('some title','some comment');
DELETE FROM COMMENTS;--'

    the –‘ at the end just creates a comment, to get rid of any extra SQL that would make it not parse properly.

    • 0