Try to inject your own site. Google for some sample injections; the SQL I used up there was from Wikipedia, so try them out. Most likely, as long as you add slashes to your queries, you should be fine. I myself do not know how to bypass the slashes.
Posted to help restrict the use of SQL queries in PHP applications.
    function sql_quote($value)
    {
        if (get_magic_quotes_gpc())
        {
            $value = stripslashes($value);
        }
        //check if this function exists
        if (function_exists("mysql_real_escape_string"))
        {
            $value = mysql_real_escape_string($value);
        }
        //for PHP version < 4.3.0 or as a backup we use addslashes
        else
        {
            $value = addslashes($value);
        }
        //return our final value based on which defense method we use above
        return $value;
    }
The script adds slashes to the SQL injection query. For example, a'; drop users; this would drop the table users, which would delete all users. However, when you add slashes to it, it would look like: a\'; drop users. This adds the backslash to the query, either ending up with an SQL error or returning false, depending on the script.
I haven't looked into the admin.php, but it shouldn't matter. To make it neat and clean, I would make a new file, call it sqlquote.php, and add include("sqlquote.php"); to your index.php. Then go to line 26ish and put $query = sql_quote($query); and it should work.
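An added example, not part of the original posts: the same lookup written with bound parameters instead of escaping, so the input string from the thread is handled purely as data. Escaping only helps when the value lands inside a quoted string literal; a bound parameter does not depend on that. It assumes PHP with the pdo_sqlite extension; the users table and the find_user() and add_user() helpers are hypothetical.

```php
<?php
// Added example: bound parameters via PDO on an in-memory SQLite database,
// so it runs offline. Table, columns and helper names are hypothetical.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");
    return $db;
}

function find_user(PDO $db, string $name): array
{
    // The SQL text is fixed; $name is sent separately as a bound value,
    // so quotes or semicolons in it are never parsed as SQL.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function add_user(PDO $db, string $name): void
{
    // No addslashes()/stripslashes() round trip: the value is stored as given.
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

$db = make_db();

// Constructed inputs: a normal name and the string quoted in the thread.
$inputs = ['alice', "a'; drop users"];
foreach ($inputs as $input) {
    printf("lookup %-18s -> %d row(s)\n", $input, count(find_user($db, $input)));
}

// Storing the odd string and reading it back returns it byte for byte.
add_user($db, $inputs[1]);
$stored = find_user($db, $inputs[1]);
printf("stored verbatim: %s\n", $stored[0]['name'] === $inputs[1] ? 'yes' : 'no');

// The table still exists and holds the two seed rows plus the new one.
$count = (int) $db->query('SELECT COUNT(*) FROM users')->fetchColumn();
printf("rows in users: %d\n", $count);
```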