Possible Duplicate:
What does mysql_real_escape_string() do that addslashes() doesn't?
I have been reviewing articles on how/why PHP's addslashes function is vulnerable to SQL injection. Everything I have read says there are problems with specific MySQL encoding types (default-character-set=GBK), or there are problems if magic_quotes are enabled. However, I have been unable to break out of the addslashes() function in this scenario and do something malicious, such as log in as an administrator.
<?php
// Login check as posted: addslashes() is the only escaping applied to the user name.
$user = addslashes($_POST['user']);
$pass = sha1($_POST['pass']);
// The escaped values are concatenated straight into the query text.
$sql = "SELECT * FROM admins WHERE user = '".$user."' AND `pass` = '".$pass."'";
$nums = mysql_num_rows(mysql_query($sql));
if($nums==1){
    $_SESSION['admin_user'] = $user;
    $_SESSION['admin_pass'] = $pass;
}
This is a (minor) security audit for a client and I will recommend that they utilize PDO, but I need to display their current vulnerability.
References:
Shiflett shows a full working exploit in his blog entry. The code you show above doesn't seem to be following that example as it's not using the character set that exhibits the vulnerability. Still, the hole definitely exists.
Even if it happens to be safe in the specific scenario, the practice of using addslashes() is still dangerous, and Shiflett's article should give you enough material to argue with, even though the circumstances the exploit requires are very esoteric, and they're not entirely trivial to reproduce.
If your client doesn't accept the danger without seeing a live exploit on their specific system, then they're not worth doing a security audit for.
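The same admin login rewritten with PDO prepared statements, as the question says it will recommend; this is an added example, not code from the question or the answer. It assumes the `admins(user, pass)` table from the question, and the DSN and credentials are placeholders.

```php
<?php
// Added example: the admin login from the question, with the user-supplied
// values sent to MySQL as bound parameters instead of being escaped and
// concatenated into the SQL text.
function connectAdminDb(): PDO
{
    // Placeholders: replace host, database and credentials with your own.
    $dsn = 'mysql:host=127.0.0.1;dbname=EXAMPLE_DB;charset=utf8mb4';
    return new PDO($dsn, 'EXAMPLE_USER', 'EXAMPLE_PASSWORD', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // With emulation off, the driver ships the query text and the
        // parameters to the server separately, so no client-side escaping
        // (and no dependence on the connection character set) takes place.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

function adminLogin(PDO $pdo, string $user, string $pass): bool
{
    // sha1() is kept only so the example matches the schema in the question.
    $hash = sha1($pass);
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM admins WHERE user = :user AND `pass` = :pass'
    );
    // Whatever bytes $user contains, they are a parameter value, never SQL.
    $stmt->execute([':user' => $user, ':pass' => $hash]);
    return (int) $stmt->fetchColumn() === 1;
}

// Usage: same request flow as the posted code.
session_start();
$pdo = connectAdminDb();
$user = $_POST['user'] ?? '';
if (adminLogin($pdo, $user, $_POST['pass'] ?? '')) {
    $_SESSION['admin_user'] = $user;
}
```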