-1
<?php
error_reporting(E_ALL);
//ini_set('display_errors', 1);

$db_server = "localhost";
$db_name = "2";
$db_user = "root";
$db_passwd = "";

$connection = mysql_connect($db_server,$db_user,$db_passwd);
$db = mysql_select_db($db_name,$connection) or die("Couldn't Select Database");

if($_POST['text']){
    $result=mysql_query("SELECT * FROM login WHERE id='".  mysql_real_escape_string($_POST['text'])."'");
    while($row=mysql_fetch_array($result)){
        echo "<span>".$row['id']."</span>";
    }
}
?>
<form name="form" method="post" action="">
    <input type="text" id="text" name="text"/>
    <input type="submit" value="Submit"/>
</form>

Is there any way to inject into MySQL with this kind of structure? The database has only 1 table with 1 column named id, which simply stores "abc,bca,cab". Thanks.

2
  • You might want to take a look at this. If you're worrying about vulnerabilities you might as well stay away from mysql_* altogether. It's actually encouraged.
    – Revenant
    Commented Jun 15, 2016 at 7:47
  • I know using mysqli or PDO will be more secure, I guess, but actually I think the mysql structure is easier to write, so I tried using mysql for the server connection. Commented Jun 15, 2016 at 7:50

1 Answer

4

Short answer, no.

But mysql_real_escape_string isn't the only thing that protects you here.

See:

$text = mysql_real_escape_string($_POST['text']); // $_POST['text'] == "1 OR 1=1"
$result = mysql_query("SELECT * FROM login WHERE id = $text");

You're not protected here, and an injection was made. So your quotes are protecting you against this here. You could also type cast (int) instead since it's an id.

As a side note, you shouldn't use mysql, but mysqli instead.

With mysqli you can use prepared statements that'll protect you against any of this, as it will perform the query with the dynamic part treated as a string at all times.

4
  • So it depends on the way I write it, which can affect the security of my query? Actually, I saw a lot of forums suggest not using mysql in PHP statements, so I tried to prove that mysql can actually still prevent the injection, like the structure I wrote. By the way, I still know mysqli and PDO are the best way to do server-side queries. I still agree with you that prepared statements on mysqli / PDO are more suitable. Commented Jun 15, 2016 at 8:09
  • Yes, of course, the way you write will affect the security of the query. You could actually have a whole secure application with mysql only. But that implies you doing the same things again and again, and that means you only need to forget to "secure" your query manually once to be exploited. Any scanner will find this kind of breach in a breeze. Commented Jun 15, 2016 at 8:13
  • Using PDO instead of mysqli might be (or pretty much is) an even better idea.
    – Andy
    Commented Jun 15, 2016 at 11:17
  • PDO is only a wrapper that uses mysqli in this case. So it doesn't matter. Commented Jun 15, 2016 at 12:20
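
The difference the answer describes, as an added example that is not part of the original thread: the same input is run through escaping without quotes, escaping with quotes, and a prepared statement. It assumes PDO with an in-memory SQLite database as a stand-in for the MySQL server so it runs offline; `escape_only` and `count_rows` are hypothetical helpers, and the three rows are the sample values from the question.

```php
<?php
// Added example: SQLite in memory stands in for the MySQL server (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE login (id TEXT)");
$pdo->exec("INSERT INTO login (id) VALUES ('abc'), ('bca'), ('cab')"); // constructed rows

// Hypothetical helper: escape special characters but add NO surrounding quotes,
// which is the job mysql_real_escape_string() does in the thread.
function escape_only(PDO $pdo, string $value): string
{
    return substr($pdo->quote($value), 1, -1); // quote() escapes and wraps; drop the wrap
}

// Hypothetical helper: run a query string and return how many rows came back.
function count_rows(PDO $pdo, string $sql): int
{
    return count($pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC));
}

$input   = "1 OR 1=1";               // value from the answer: nothing in it needs escaping
$escaped = escape_only($pdo, $input); // so escaping returns it unchanged

// 1. Escaped but unquoted: the input is parsed as SQL, so "OR 1=1" becomes a condition.
$unquoted = count_rows($pdo, "SELECT * FROM login WHERE id = $escaped");

// 2. Escaped and quoted (the question's query shape): the input stays one string literal.
$quoted = count_rows($pdo, "SELECT * FROM login WHERE id = '$escaped'");

// 3. Prepared statement: the value is bound separately and never parsed as SQL text.
$stmt = $pdo->prepare("SELECT * FROM login WHERE id = ?");
$stmt->execute([$input]);
$prepared = count($stmt->fetchAll(PDO::FETCH_ASSOC));

// 4. Input that tries to close the quote: escaping neutralises the embedded quotes,
//    but only because this query remembered to add the surrounding ones.
$tricky       = "x' OR '1'='1";
$quotedTricky = count_rows(
    $pdo,
    "SELECT * FROM login WHERE id = '" . escape_only($pdo, $tricky) . "'"
);

printf(
    "unquoted=%d quoted=%d prepared=%d quoted_tricky=%d\n",
    $unquoted, $quoted, $prepared, $quotedTricky
);
```

A row count equal to the table size in case 1 means the input changed the query's logic; cases 2 to 4 should match only rows whose id equals the literal input.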
