sql injection in comment field
I have a comment form that consists of 2 fields (title and c开发者_JS百科omment). Database contains 3 columns id, title and comment. Comment is displayed based on it's title
like domain.com/index.php?id=sometitle
The title field is properly secured for sql injection using mysql_real_escape_string, but comment field which is a textarea is left open without escaping. I can escape it, however i'm wondering what harm can it do to just leave it without using mysql_real_escape_string on that field knowing that title is already escaped and it's how the output is retrieved.
What would happen if someone typed this into your textarea.
some comment');DELETE FROM COMMENTS;--
If your query to insert the comment were something like
INSERT INTO Comments(Title,Comment) VALUES('$title','$comments');
then you would have a problem. the resulting query would be
INSERT INTO Comments(Title,Comment) VALUES('some title','some comment');DELETE FROM COMMENTS;--'
or to lay it out in a more readable format
INSERT INTO Comments(Title,Comment) VALUES('some title','some comment');
DELETE FROM COMMENTS;--'
the --' at the end just creates a comment, to get rid of any extra SQL that would make it not parse properly.
All unescaped strings can be used to inject SQL.
If someone uses SQL injection in the textarea, it will run when the data is submitted to your database, which is why you escape it first.
Escape it. Assuming users are the ones posting comments, you are vulnerable from injection in the comment section, which would be executed one they post the form, not request to view the comment.
DO NOT leave that field un-escaped. It doesn't matter what the field is being linked with. By the time the query is formed the injector can be returning password fields etc.
To really clear out ANY attempt at using sql injection you need to be using stored procedures. If you have access to it you should be using PDO.
精彩评论