Is SQL Injection possible with mysql_real_escape_string when variables in the query have no quotes around them?

Take for example this

$username = mysql_real_escape_string($_GET['username']);
$password = mysql_real_escape_string($_GET['password']);
$sql = "SELECT * FROM users WHERE username = $username AND password = $password";

If there are no quotes around $use开发者_高级运维rname and $password, is injection still possible ?

If there are no quotes around $username and $password, is injection still possible ?

Yes. mysql_real_escape_string() prevents only escaping from the quotes in a string.

Without surrounding quotes, mysql_real_escape_string() is useless.

Yes. Trivially, submit the username as username and the password as password. Congratulations, you're in. That's because this expands to:

$sql = "SELECT * FROM users WHERE username = username AND password = password";

It will select any row where the username column equals the username column (same for password).

Of course, this code also fails for ordinary logins, so it should be caught pretty quickly. If you use any username or password that is not a database construct (column, function call, etc.), it will fail.

Without the quotes, the user-submitted data will be seen as field references, and/or invalid SQL.

Consider a username of username. A proper query would be:

SELECT ... FROM ... WHERE username='username'

and only match if there really is a user whose name is "username".

Without the quotes, it becomes:

SELECT ... FROM ... WHERE username=username

which would match ALL non-null records in the table.

Now consider a 2-part username: John doe

SELECT ... FROM ... WHERE username=John doe

The DB server will try to compare the username field against a field name 'John', which most likely doesn't exist. Then there's this "doe" thing in there which is not a field name, not an SQL key word, so is a syntax error.

Now consider a username: 1 or 1=1

SELECT ... FROM ... WHERE username=1 or 1=1

again, this will ALWAYS return true and match ALL rows, because "1=1" will always be true.

mysql_real_escape_string() only guarantees that any data you pass through it will not "break" a PROPERLY CONSTRUCTED query. If the query you're inserting the escaped data into is NOT properly constructed, then all bets are off.