
I'm working on an existing website trying to prevent SQL injections. Before $_GET['ID'] was unsanitized.

$ID=mysql_real_escape_string($_GET['ID']);
$sQuery=mysql_query("select * from tbl_mini_website as s1, tbl_actor_merchant as me where s1.MERCHANT_ID=$ID AND s1.MERCHANT_ID=me.MERCHANT_ID");

If I put a ' at the end of the url, with mysql_real_escape_string() I get this from mysql_error():

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\' AND s1.MERCHANT_ID=me.MERCHANT_ID' at line 1

Without mysql_real_escape_string() I get:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' AND s1.MERCHANT_ID=me.MERCHANT_ID' at line 1

I'm not sure what's up with it. Any help would be greatly appreciated.

  • What if you echo the query before performing it? Commented Apr 7, 2011 at 0:32

4 Answers


If it is an id, numerical I assume, why don't you just cast it to an integer?

$ID = (int) $_GET['ID'];

The best advice I can give you is to check out PDO and use bound parameters.


2 Comments

Probably not, else the orig solution would work for an integer field. I think Frank is correct to add the quotes.

@Dinah: they are both correct. Frank Farmer, in fact, that mysql_... doesn't add quotes, and alex, that numerics shouldn't be surrounded with quotes but used as numerics (this can cause casting/performance issues).


mysql_real_escape_string escapes, but doesn't quote.

Try:

$sQuery=mysql_query("select * from tbl_mini_website as s1, tbl_actor_merchant as me where s1.MERCHANT_ID='$ID' AND s1.MERCHANT_ID=me.MERCHANT_ID");

More generally, I tend to wrap both of these in a function, like:

function quoteValue($value) {
    return "'" . mysql_real_escape_string($value) . "'";
}

This is useful, because you may find down the line that you want more refined quoting behavior (especially when it comes to handling Unicode, control characters, etc.)

1 Comment

Thank you!! I've been working on this for an hour and it was right under my nose.


It's because you're not quoting the variable.

Here's your query given the following inputs:

// with mysql_real_escape_string(), plain numeric input
$_GET['ID'] = "1";
$ID=mysql_real_escape_string($_GET['ID']);
SELECT ... where s1.MERCHANT_ID=1 ...

// with mysql_real_escape_string(), input ending in a quote
$_GET['ID'] = "1'";
$ID=mysql_real_escape_string($_GET['ID']);
SELECT ... where s1.MERCHANT_ID=1\' ...

// without mysql_real_escape_string()
$_GET['ID'] = "1'";
SELECT ... where s1.MERCHANT_ID=1' ...


Phil Brown is right, but you should forget about old fashioned mysql_real_escape_string or mysql_connect() as they are very old, and move to PHP's PDO, where you can use prepared statements, binds, fetch object and many many more functions.

I suggest reading the PDO documentation at http://php.net/manual/en/book.pdo.php if you want next generation database manipulation and security from SQL injection.
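A PDO version of the same MERCHANT_ID lookup, as alex's answer and the answer above recommend. This is an added example, not code from the question or any of the answers; the DSN, user and password are placeholders, and validating the ID with filter_var (rather than an (int) cast) is an assumption about what the application should accept.

```php
<?php
// Added example, not code from the question or any of the answers: the same
// MERCHANT_ID lookup rewritten with PDO and a bound parameter, as the answers
// recommend. The DSN, user and password are placeholders.

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=example_db;charset=utf8mb4', // placeholder
        'db_user',                                                 // placeholder
        'db_password',                                             // placeholder
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );
}

// Validate the ID before it goes anywhere near SQL. FILTER_VALIDATE_INT
// rejects inputs such as "1'" or "1 OR 1=1" outright, whereas an (int) cast
// would silently turn both of them into 1.
function parseMerchantId(array $get): ?int
{
    if (!isset($get['ID'])) {
        return null;
    }
    $id = filter_var($get['ID'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function fetchMiniWebsite(PDO $pdo, int $merchantId): array
{
    // The value is never concatenated into the SQL text; it is bound to the
    // placeholder with an explicit integer type, so quoting is no longer the
    // developer's job and a stray quote in the input cannot alter the query.
    $stmt = $pdo->prepare(
        'SELECT * FROM tbl_mini_website AS s1, tbl_actor_merchant AS me
          WHERE s1.MERCHANT_ID = :id AND s1.MERCHANT_ID = me.MERCHANT_ID'
    );
    $stmt->bindValue(':id', $merchantId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$merchantId = parseMerchantId($_GET);
if ($merchantId === null) {
    http_response_code(400);
    exit('Invalid ID');
}
$rows = fetchMiniWebsite(connect(), $merchantId);
```

With this shape the quoting problem from the question disappears entirely: the query text is fixed at prepare time and the ID travels separately as a typed parameter.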
