Can I do SQL injection to this code?

I'm still learning about SQL injection, but always the best way for me was using examples, so this is part of my code:

$sql = "INSERT INTO `comments` (`id`, `idpost`, `comment`, `datetime`, `author`, `active`) 
        VALUES (NULL, 开发者_如何学编程'" . addslashes($_POST['idcomment']) . "', '" . 
        addslashes($_POST['comment']) . "', NOW(), '" . 
        addslashes($_POST['name']) . "', '1');";

  mysql_query($sql);

Knowing that all the POST vars are entered by the user, can you show me how can i make an injection to this script? so i can understand more about this vulnerability. Thanks!

my database server is MySQL.

Don't use addslashes(), always use mysql_real_escape_string(). There are known edge cases where addslashes() is not enough.

If starting something new from scratch, best use a database wrapper that supports prepared statements like PDO or mysqli.

Most of the other answers seem to have missed the point of this question entirely.

That said, based on your example above (and despite your code not following the best practice use of mysql_real_escape_string()) it is beyond my ability to inject anything truly detrimental when you make use of addslashes().

However, if you were to omit it, a user could enter a string into the name field that looks something like:

some name'; DROP TABLE comments; --

The goal is to end the current statement, and then execute your own. -- is a comment and is used to make sure nothing that would normally come after the injected string is processed.

However (again), it is my understanding that MySQL by default automatically closes the DB connection at the end of a single statement's execution. So even if I did get so far as to try and drop a table, MySQL would cause that second statement to fail.

But this isn't the only type of SQL injection, I would suggest reading up some more on the topic. My research turned up this document from dev.mysql.com which is pretty good: http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf

Depending on what happens to the data once it goes to the database, I may not want to inject any SQL at all. I may want to inject some HTML/JavaScript that gets run when you post the data back out to a webpage in a Cross-Site Scripting (XSS) attack. Which is also something to be aware of.

As said before, for strings, use mysql_real_escape_string() instead of addslashes() but for integers, use intval().

/* little code cleanup */

$idcomment = intval($_POST['idcomment']);
$comment = mysql_real_escape_string($_POST['comment']);
$name = mysql_real_escape_string($_POST['name']);

$sql = "INSERT INTO comments (idpost, comment, datetime, author, active)
        VALUES ($idcomment, '$comment', NOW(), '$name', 1)";

mysql_query($sql);

Addslashes handles only quotes.

But there are some more important cases here:

Be careful on whether you use double or single quotes when creating the string to be escaped:

$test = 'This is one line\r\nand this is another\r\nand this line has\ta tab';

echo $test;
echo "\r\n\r\n";
echo addslashes($test);

$test = "This is one line\r\nand this is another\r\nand this line has\ta tab";

echo $test;
echo "\r\n\r\n";
echo addslashes($test);

Another one:

In particular, MySQL wants \n, \r and \x1a escaped which addslashes does NOT do. Therefore relying on addslashes is not a good idea at all and may make your code vulnerable to security risks.

And one more:

Be very careful when using addslashes and stripslashes in combination with regular expression that will be stored in a MySQL database. Especially when the regular expression contain escape characters!

To store a regular expression with escape characters in a MySQL database you use addslashes. For example:

$l_reg_exp = addslashes( �[\x00-\x1F]� );

After this the variable $l_reg_exp will contain: [\\x00-\\x1F].

When you store this regular expression in a MySQL database, the regular expression in the database becomes [\x00-\x1F].

When you retrieve the regular expression from the MySQL database and apply the PHP function stripslashes(), the single backslashes will be gone!

The regular expression will become [x00-x1F] and your regular expression might not work!

Remember, that the magic may happen in:

• addslashes which may miss something
• before adding to database
• after retrieving from database

Your example is just an excerpt. The real problem might not be visible here yet.

(based on comments from php.net which are very often more valuable than the manual itself )