
Does this PHP code open up a website to SQL Injection

I'm working on a web app and I came across this code snippet

$email=$_POST['email'];
$pass=$_POST['pass'];
$pass=md5($pass);
$query=mysql_real_escape_string($email,$link);
//echo $query."<br>";
$sql=mysql_query("SELECT pass FROM users WHERE email='".$email."'",$link);
if($row=mysql_fetch_array($sql))
{

I think the programmer intended $query=mysql_real_escape_string($email,$link); to be $email=mysql_real_escape_string($email,$link);

Do I have the right idea here?


Yes, you're absolutely right - just correct that part, like you said, by changing it to

 $email = mysql_real_escape_string($email, $link);

, and that will protect against SQL injection there.

On a side note, I suggest you use hash("sha512", xxx) instead of md5 because MD5 is becoming obsolete. If your column size doesn't allow for that though and you don't have the ability to change it, it's still OK.


Yes, $email is set, but then not filtered, it's used directly in the query. As you pointed out, it looks like an error as the filtered value is not being used in the query.


To prevent blind SQL, wrap your POST data with two more filters:

$email = mysql_real_escape_string(strip_tags(stripslashes($email)), $link);
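The bug discussed in this thread is that the escaped copy lands in a variable the query never uses. As an added example (not code from the question or from any answer), here is the same lookup with `$email` sent as a bound parameter, next to the concatenated form; it assumes PDO with an in-memory SQLite database in place of the page's `mysql_*` link, and the helper names and sample rows are constructed.

```php
<?php
// Added example. An in-memory SQLite database via PDO stands in for the
// page's MySQL link so the script runs offline (assumption: pdo_sqlite is enabled).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, pass TEXT)');

// Constructed sample rows; pass holds md5() output as in the question.
$ins = $db->prepare('INSERT INTO users (email, pass) VALUES (?, ?)');
$ins->execute(["o'brien@example.com", md5('constructed-password-1')]);
$ins->execute(['alice@example.com', md5('constructed-password-2')]);

// Hypothetical helper: the question's pattern, raw $email spliced into the SQL text.
function lookup_pass_concat(PDO $db, string $email): string
{
    try {
        $sql = "SELECT pass FROM users WHERE email='" . $email . "'";
        $pass = $db->query($sql)->fetchColumn();
        return $pass === false ? 'no row' : $pass;
    } catch (PDOException $e) {
        // The quote in the value ended the string literal early.
        return 'SQL error: ' . $e->getMessage();
    }
}

// Hypothetical helper: same SELECT, $email sent as a bound parameter.
function lookup_pass_bound(PDO $db, string $email): string
{
    $stmt = $db->prepare('SELECT pass FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $pass = $stmt->fetchColumn();
    return $pass === false ? 'no row' : $pass;
}

// Constructed inputs: a stored address containing an apostrophe, and an unknown one.
foreach (["o'brien@example.com", "nobody'@example.com"] as $email) {
    echo $email, "\n";
    echo '  concatenated: ', lookup_pass_concat($db, $email), "\n";
    echo '  bound:        ', lookup_pass_bound($db, $email), "\n";
}
```

With a bound parameter there is no escaped copy to assign to the wrong variable, because the value never becomes part of the SQL text.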
