Recently one hacker tried to slow my website using sleep injection. Although we are

Question

0

Asked: June 17, 20262026-06-17T20:46:06+00:00 2026-06-17T20:46:06+00:00

Recently one hacker tried to slow my website using sleep injection. Although we are

0

Recently one hacker tried to slow my website using sleep injection. Although we are using precautions like mysql_real_escape_string() to cover most of vulnerable inputs. We are passing id of the product through query string and it makes the command as:

$id = mysql_real_escape_string($_REQUEST['id']);
$qry = "Select * from products where id = ".$id;

but hacker tried to provide input as

?id=3 and sleep(4)

and query becomes

Select * from products where id = 3 and sleep(4);

Although there are some possible solutions like

Check if the product id is numeric or not
Remove word sleep from input using some customized function

Is there any other method to stop this? What is the best method to prevent sleep injections?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-17T20:46:07+00:00

Editorial Team

2026-06-17T20:46:07+00:00Added an answer on June 17, 2026 at 8:46 pm

You are not escaping correctly. mysql_real_escape_string is for escaping SQL string syntax correctly, but you are simply embedding the value as bare value, not as SQL string. You need:

$qry = "SELECT * FROM products WHERE id = '$id'";

Note the quotes around the id in the query.

If the id is numeric though, casting to a number would be more sensible:

$id = (int)$_GET['id'];

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Recently one hacker tried to slow my website using sleep injection. Although we are

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply