Home/ Questions/Q 6905671
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T08:12:45+00:00

include ../admin/site.php; // Setup db connection. $appid = -1; if (is_string($_GET[id])) { $id =

  • 0
include "../admin/site.php"; // Setup db connection.

$appid = -1;
if (is_string($_GET["id"]))
{
    $id = mysql_real_escape_string($_GET["id"]);
    $sql = "select * from version where id=$id";
    $ver = mysql_query($sql);
    if ($id > 0 && $ver && mysql_num_rows($ver))
    {
        $appid = mysql_result($ver, 0, "AppID");
        $app = DLookUp("apps", "name", "id=$appid");
        $name = mysql_result($ver, 0, "Name");
        $notes = mysql_result($ver, 0, "Notes");
    }
    else $app = "No version by that ID";
}
else $app = "No ID";

/* some html snipped */

if (isset($app) && isset($name))
    echo $app . " v" . $name;
else
    echo "v###";

/* some html snipped */

if (isset($appid))
{
    $url = "/" . DLookUp("apps", "Page", "id=$appid");
    echo "<a href=\"$url\">Up</a> to $app...";
}
if (isset($notes))
    echo $notes;

Somehow this code is allowing someone to see the entire contents of my database. I would’ve thought that mysql_real_escape_string would prevent that sort of attack? I could cast $id to an integer which should fix the issue, but I want to understand what I did wrong here, so I don’t keep repeating my mistake.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I think part of the problem is that you aren’t using quotes around $id, so an attacker may send a value for id that is 1 OR 1=1 and the SQL executed would be:

    select * from version where id=1 OR 1=1

    mysql_real_escape_string() escapes just NULLs, newlines, and quotes (\x00, \n, \r, \, ‘, ” and \x1a), so it is of little help if you don’t quote the variable.

    • 0