I’m trying to evaluate a sort of customized CMS. The protection the developer used against SQL attacks is:
str_replace("'", "\'", $_POST[$variable]);
Is this good enough, or are there ways to exploit this to inject SQL code?
PS: I know the standard way is using mysql_real_escape_string(), but I’m trying to get an idea of the general quality of the code.
Yes, this is vulnerable.
Trivially, the backslash is not escaped, so you can break out of a string literal using a backslash to mask a quote:
The input hello\' OR 1 -- becomes the literal 'hello\\' OR 1 --'.

Nulls are also not escaped and may cause problems.
Also if East Asian charsets are in use, a multibyte sequence may be used to mask the quote. (Note this is NOT the case for UTF-8, as UTF-8 does not allow ' as a trailing byte.)

Also this escaping format is only suitable for MySQL. If any other database is used, or the ANSI-compliant string literal option is used in MySQL, then it will be ineffective, as the standard escape is to double the quote, not backslash.
The code is useless. At best it shows someone is aware that SQL injection exists, but it exhibits no real understanding of the actual problem.
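The following is an added Python example (mine, not code from the question's CMS or from the answer above) that makes the breakout concrete. It reproduces the str_replace() escape as naive_escape(), walks the resulting query with a small MySQL-style string-literal lexer (default backslash mode, or the NO_BACKSLASH_ESCAPES / ANSI mode where only doubled quotes are special), and runs the same query against an in-memory SQLite database, which treats backslash as an ordinary character, to show the "only suitable for MySQL" point actually executing. The users table, column name and mysql_style_escape() (an approximation of mysql_real_escape_string() for a single-byte charset) are my assumptions for illustration.

```python
import sqlite3
from typing import Callable

# Assumed stand-in for the CMS code in the question (names are mine).
def naive_escape(value: str) -> str:
    """Python equivalent of str_replace("'", "\\'", $_POST[$variable])."""
    return value.replace("'", "\\'")

def mysql_style_escape(value: str) -> str:
    """Approximation of mysql_real_escape_string() for a single-byte charset:
    escapes NUL, LF, CR, backslash, both quote kinds and Ctrl-Z. Note it is
    still only correct for MySQL in its default backslash-escape mode."""
    table = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
             "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
    return "".join(table.get(c, c) for c in value)

def build_query(user_input: str,
                escape: Callable[[str], str] = naive_escape) -> str:
    """Hypothetical query shape; the table and column are assumptions."""
    return "SELECT * FROM users WHERE name = '" + escape(user_input) + "'"

def literal_end(sql: str, start: int, backslash_escapes: bool) -> int:
    """Index just past the closing quote of the single-quoted literal that
    opens at sql[start]. In MySQL's default mode a backslash escapes the
    next character and '' is a literal quote; with NO_BACKSLASH_ESCAPES
    (ANSI behaviour) only the doubled quote is special. -1 if unterminated."""
    assert sql[start] == "'"
    i, n = start + 1, len(sql)
    while i < n:
        c = sql[i]
        if c == "\\" and backslash_escapes:
            i += 2            # backslash masks whatever follows it
            continue
        if c == "'":
            if i + 1 < n and sql[i + 1] == "'":
                i += 2        # doubled quote stays inside the literal
                continue
            return i + 1
        i += 1
    return -1

def breaks_out(user_input: str, backslash_escapes: bool,
               escape: Callable[[str], str] = naive_escape) -> bool:
    """True when the literal ends before the query's final quote, i.e. the
    rest of the attacker's input is parsed as SQL (or the literal never
    terminates at all)."""
    sql = build_query(user_input, escape)
    return literal_end(sql, sql.index("'"), backslash_escapes) != len(sql)

def sqlite_row_count(user_input: str,
                     escape: Callable[[str], str] = naive_escape) -> int:
    """Run the escaped query for real against SQLite, whose lexer (like ANSI
    SQL) gives backslash no meaning. Constructed sample data: three users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT)")
    con.executemany("INSERT INTO users VALUES (?)",
                    [("alice",), ("bob",), ("carol",)])
    rows = con.execute(build_query(user_input, escape)).fetchall()
    con.close()
    return len(rows)

if __name__ == "__main__":
    for inp in ["O'Brien", "hello\\' OR 1 --", "' OR 1=1 --"]:
        print(repr(inp),
              "| mysql-mode breakout:", breaks_out(inp, True),
              "| ansi-mode breakout:", breaks_out(inp, False),
              "| sqlite rows:", sqlite_row_count(inp))
```

With the naive escape, hello\' OR 1 -- ends the literal early even in MySQL's default mode (the attacker's own backslash absorbs the added one), while a plain ' OR 1=1 -- only needs the backslash to be meaningless, as it is in SQLite or with NO_BACKSLASH_ESCAPES. The approximated mysql_real_escape_string() closes the first hole but not the second, which is why the real fix is a parameterized query rather than any string substitution.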