sql injection for sessions

I used mysql_real_escape_string() to prevent sql injection for the $field variable below. Should I use the same for $_SESSION['user_id']?

I can't imagine someone being able to change a value in the $_SESSION array. Can they?

$query = "SELECT `".mysql_real_escape_string($field)."` FROM `users` WHERE `id`='".$_SESSION['user_id']."'";

asked Feb 1 '12 at 22:02

As long as you believe your $_SESSION['user_id'] is secure, you don't need to escape it (you have to look at your session handling code to make sure it's secure). It couldn't hurt to over-escape things though.

Instead of escaping (and concatenating, which is always problematic), which may require certain global settings be turned off, you should probably be using parameterized queries. For one thing, it prevents future idiot developers from accidentally concatenating un-escaped fields, or even having to go back and add escaping to previously 'safe' fields that may suddenly have user data in them.

bobby-tables.com/php has examples on how to use parametrized queries. Learn to use them.
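The comments above recommend parameterized queries. As an added example that is not part of the question or of any answer, here is the question's lookup query, together with the login that populates $_SESSION['user_id'], rewritten with PDO prepared statements. It assumes PHP 8 with pdo_sqlite and runs offline against a constructed in-memory SQLite table; the SELECTABLE_FIELDS allow-list, the users table layout and the sample user are assumptions made for the example, and the MySQL DSN in the comment marks the one place a real deployment would differ.

```php
<?php
// Added example, not from the question or the answers: the same two queries
// with PDO prepared statements, so neither $field nor the session user id is
// ever concatenated into SQL. Uses an in-memory SQLite database with a
// constructed sample row so it runs offline; for MySQL replace the DSN with
// something like new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $user, $pass)
// and set PDO::ATTR_EMULATE_PREPARES to false so real server-side prepares are used.
declare(strict_types=1);

// Column names cannot be bound as parameters, so the only safe way to let a
// caller choose $field is an allow-list (assumed columns of the users table).
const SELECTABLE_FIELDS = ['id', 'email'];

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)');
    $stmt = $pdo->prepare('INSERT INTO users (email, password) VALUES (:email, :hash)');
    // Constructed sample user; password_hash() stands in for whatever $password_hash was.
    $stmt->execute([
        ':email' => 'alice@example.com',
        ':hash'  => password_hash('correct horse', PASSWORD_DEFAULT),
    ]);
    return $pdo;
}

// Login: fetch the row by email only, verify the hash in PHP, then store the id.
function login(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// The question's query: $field comes from the allow-list, user_id is a bound parameter.
function fetchField(PDO $pdo, string $field): ?string
{
    if (!in_array($field, SELECTABLE_FIELDS, true)) {
        throw new InvalidArgumentException("unknown field: $field");
    }
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    // Interpolating $field is acceptable only because it passed the allow-list check.
    $stmt = $pdo->prepare("SELECT `$field` FROM `users` WHERE `id` = :id");
    $stmt->bindValue(':id', $_SESSION['user_id'], PDO::PARAM_INT);
    $stmt->execute();
    $value = $stmt->fetchColumn();
    return $value === false ? null : (string) $value;
}

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
$pdo = connect();
var_dump(login($pdo, 'alice@example.com', 'wrong password'));
var_dump(login($pdo, 'alice@example.com', 'correct horse'));
var_dump(fetchField($pdo, 'email'));
try {
    // 'password' is a real column but not on the allow-list, so it is refused.
    fetchField($pdo, 'password');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

With the value bound as PDO::PARAM_INT it no longer matters whether $_SESSION['user_id'] was ever derived from user input, which is exactly the "escape it at the last moment" concern raised in the answers, handled by the driver instead of by a call the next developer may forget.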

4 Answers

They can't change the $_SESSION array, but your problem totally depends on how you initialized $_SESSION['id']. In a general way, you should always escape values in a SQL query. Don't try to guess whether or not values can be modified from a user input, just escape them.

answered Jun 2 '13 at 09:06

Good idea - I'll escape the session in the query. Also, here's the code for where I initialized $_SESSION['user_id']:

$query = "SELECT id, email, password FROM users WHERE email = '" . mysql_real_escape_string($email) . "' AND password = '" . mysql_real_escape_string($password_hash) . "'";
if ($query_run = mysql_query($query)) {
    $query_num_rows = mysql_num_rows($query_run);
    if ($query_num_rows == 1) {
        echo 'You\'re logged in!';
        $user_id = mysql_result($query_run, 0, 'id');
        $_SESSION['user_id'] = $user_id;
        header('Location: index.php');
    }
}

- Pavan Katepalli

I have no idea how to get the above code to look better. Sorry dude. - Pavan Katepalli

I didn't want you to paste your code, it is not necessary :) Just escape every value, and everything will be fine. - ldiqual

Client can't change your SESSION values.

But I believe someone who got access to your server can. (But at that point you should worry about other things)

answered Feb 2 '12 at 02:02

If your session variables are ever populated with user variables, then your session variables are just as vulnerable to SQL injection as any other user-manipulated variable. You may also do this in future and forget to go back and escape the SQL query.

It causes no harm to escape everything and leave that escaping until the very last moment (i.e. when the value is being passed to the query); this avoids any other manipulations of the variables negating the effect of the escaping.

answered Feb 2 '12 at 03:02

I used mysql_real_escape_string() to prevent sql injection

That's what you did wrong.

mysql_real_escape_string() does not prevent whatever injections by any means.

This function is intended for string formatting and shouldn't be used for anything else.
To format an identifier you have to enclose it in backticks and escape the very backticks inside.

answered Jun 20 '20 at 12:06
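As an added illustration of this answer's last point, and not code from the answer itself: a small identifier quoter that encloses a name in backticks and doubles any backtick inside it, placed next to a reimplementation of the character set that string-literal escaping covers, to show that the backtick is not among them. It is plain PHP 8 string handling with no database connection; the function names and the sample column names are constructed for the example.

```php
<?php
// Added example, not from the answer: identifier quoting as the answer
// describes it (backticks around the name, backticks inside doubled), compared
// with string-literal escaping applied to the same name. No database needed.
declare(strict_types=1);

// Quote a MySQL identifier (table or column name). Inside backticks the only
// special character is the backtick itself, escaped by doubling it.
function quoteIdentifier(string $name): string
{
    if ($name === '' || str_contains($name, "\0")) {
        throw new InvalidArgumentException('invalid identifier');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

// The job mysql_real_escape_string() actually does, reimplemented here without
// a connection and without charset awareness: it escapes NUL, newline, CR,
// backslash, both quote characters and ^Z. The backtick is not on the list.
function escapeStringLiteral(string $s): string
{
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// The question's query with every identifier quoted and the value left as a
// placeholder for a prepared statement.
function buildQuery(string $field): string
{
    return 'SELECT ' . quoteIdentifier($field)
        . ' FROM ' . quoteIdentifier('users')
        . ' WHERE ' . quoteIdentifier('id') . ' = ?';
}

// Constructed inputs: an ordinary column name and one that contains a backtick
// (legal in MySQL when quoted). Only the identifier quoter keeps the second
// one inside its backticks; string escaping passes the backtick straight through.
foreach (['email', 'odd`name'] as $field) {
    echo 'identifier-quoted : ', buildQuery($field), PHP_EOL;
    echo 'string-escaped    : ', 'SELECT `' . escapeStringLiteral($field) . '` FROM `users`', PHP_EOL;
}
```

Quoting only makes a name syntactically safe; it does not decide whether the caller is allowed to read that column, so for a user-chosen $field an allow-list of permitted column names is still the better control, with quoteIdentifier() applied on top.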
