Posted by Dikkie Dik on 06/28/07 21:56

Not when the user name in the cookie is:

x" or 1=1-- x

(the comment signs are for supressing errors otherwise caused by the
closing quote).

Best regards.

jb wrote:
> Hi all, ive been tasked with reviewing a php app for sql injection
> vulnerabilities left behind by another developer. I'm not a php
> developer by trade, but ive tinkered with php, and I have a firm
> handle on what sql injection is in the context of other platforms.
> Ive seen various methods of prevention recommended, and unfortunately
> for me, our former developer appears to have used all of them in
> various parts of the app. Some use mysql_escape_string, some use
> myql_real_escape_string , some use a quote_smart function which checks
> the magic quotes setting and uses addslashes appropriately.
>
> But one has me a little confused, and i'm not sure if it is a valid
> method for blocking sql injection.
>
> where username = \"" . $_COOKIE["user"] . "\"";
>
> does wrapping the string in double quotes somehow tell mysql to treat
> the contents within as literal? Thus making it sql injection safe?
>

[Back to original message]