Fszeker - 1 year ago
PHP Question

Is this code escapable or is it vulnerable to SQL injection?

I'm running some tests for this login system I'm writing with my friend, and we had already written our code with escaping, not preparing. We're making sure it is invulnerable to anything put in the post_user and post_pass variables.
Can you please check?

$_POST['post_user'] = mysql_real_escape_string($_POST['post_user']);
$_POST['post_pass'] = mysql_real_escape_string($_POST['post_pass']);

$query = mysql_num_rows(mysql_query("SELECT * FROM `users` WHERE
    `user`='".$_POST['post_user']."' AND `pass`='".md5($_POST['post_pass'])."'"));

if($query == 1) {
    $_SESSION[$this->host().'-us_user'] = $_POST['post_user'];
    $_SESSION[$this->host().'-us_pass'] = md5($_POST['post_pass']);
    $_SESSION[$this->host().'-us_token'] = $this->generateToken(16);
}


Answer

There are two faults with this approach, both coming from a single delusion.

mysql_real_escape_string doesn't "protect" your data, so it should never be used for the purpose of any kind of "sanitizing". Using this function like this, you are exposing yourself to two dangers that are not immediate but quite possible.

  1. Escaping the password before hashing it may spoil the resulting hash.
  2. Escaping any value besides SQL strings will result in injection.

That's why you should always use parameterizing instead of "escaping": parameterizing does its job, while "escaping" is used out of mere confusion.
I wrote a thorough explanation of the whole matter of escaping vs. parameterizing in an article you are welcome to read.
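The two faults listed above, shown side by side with the parameterized alternative. This is an added example, not code from the question or the answer. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database so it runs offline; addslashes() stands in for mysql_real_escape_string(), which needs a live MySQL connection and was removed in PHP 7. The table layout and the sample rows are constructed for the demonstration; md5() is kept only to mirror the question's query.

```php
<?php
// Added example (not from the question or the answer). Assumes pdo_sqlite.
// addslashes() stands in for mysql_real_escape_string(); the users table and
// its two rows are constructed here.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, pass TEXT)");
$db->exec("INSERT INTO users (user, pass) VALUES ('alice', '" . md5("it's-secret") . "')");
$db->exec("INSERT INTO users (user, pass) VALUES ('bob', '" . md5('hunter2') . "')");

// Fault 1: escaping before hashing. The stored hash is md5 of the real
// password; hashing the *escaped* password gives a different digest, so a
// user whose password contains a quote or backslash can never log in.
$postPass      = "it's-secret";
$hashOfReal    = md5($postPass);
$hashOfEscaped = md5(addslashes($postPass));   // addslashes turns ' into \'
printf("hash unchanged by escaping? %s\n", $hashOfReal === $hashOfEscaped ? 'yes' : 'no'); // no

// Fault 2: escaping only neutralises quote characters. A value interpolated
// into an unquoted numeric position contains none, so escaping leaves it
// intact and the input becomes part of the WHERE clause.
$postId  = '1 OR 1=1';
$escaped = addslashes($postId);                 // identical to $postId: nothing to escape
$countBad = (int) $db->query("SELECT COUNT(*) FROM users WHERE id = $escaped")->fetchColumn();
printf("rows matched with escaping: %d\n", $countBad);   // 2: every row

// Parameterized form: the value travels as data, never as SQL text, so the
// same input is compared against id as a literal string and matches nothing.
$stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE id = :id");
$stmt->execute([':id' => $postId]);
$countGood = (int) $stmt->fetchColumn();
printf("rows matched with a parameter: %d\n", $countGood);   // 0

// The question's login check rewritten with a prepared statement. The raw
// password is hashed; nothing is escaped, so fault 1 disappears as well.
function loginOk(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE user = :u AND pass = :p");
    $stmt->execute([':u' => $user, ':p' => md5($pass)]);
    return (int) $stmt->fetchColumn() === 1;
}

printf("alice with real password: %s\n", loginOk($db, 'alice', "it's-secret") ? 'ok' : 'denied');  // ok
printf("alice with wrong password: %s\n", loginOk($db, 'alice', 'guess') ? 'ok' : 'denied');       // denied
printf("injected user value: %s\n", loginOk($db, "' OR 1=1 --", 'x') ? 'ok' : 'denied');           // denied
```

The prepared statement is the whole fix: with `id = :id` the driver hands `1 OR 1=1` to SQLite as one string value, which has no numeric meaning and so equals no `id`, whereas the interpolated version rewrites the query itself. For a real login, replace the md5() comparison with password_hash() and password_verify(); it is left here only so the example matches the query in the question.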
