Any threats/SQL injections possible, when single-quote is being escaped?

2018-10-20 14:12:43

Let's say a server-side application (like WordPress) applies add_magic_quotes to all GET/POST parameters ( $_GET = add_magic_quotes($_GET); ), so when calling the URL:

example.com/?id=a'b

the app now has safe variables, and executing the SQL query seems no longer harmful:

$id = $_GET['id']; //----> a\'b

$mysql->query("Select ..... where id='$id'");

Is there any case where it may still be a security threat? Any examples, please? How can that SQL query be insecure, as it has the escaped \' character inside $id?

There are a couple of (possible) issues:

Everything that doesn't come from GET/POST is still a danger (possible sources may be files, emails, databases, etc.).

SQL queries where you need to remove the quote or don't need a quote in the first place (e.g. in LIMIT, or for id values: SELECT from x WHERE id = $_GET['x']) or further transform the input (e.g. in IN).

Encoding issues (see e.g. addslashes bypass via multibyte characters).

Improper escaping (e.g. not escaping \ as well).

Removal of quotes in other places in the code (adding quotes on input mangles your data; in some places you might require clean data, which you might then pass on and further process; somewhere down the line this might end up in a query).

As you mention WordPress: that there are WordPress plugins which have SQL injection vulnerabilities should demonstrate that adding magic quotes is not good enough in all situations.

Escaping as a defense against SQL injection is just a mess (security- as well as usability-wise).

2018-10-20 15:45:47
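As an added example (not part of the question or the answer above), the following Python script walks through four of the cases the answer lists. It clones PHP's addslashes() byte-for-byte, then plays the role of the database server with a small parser for a MySQL-style single-quoted literal (a backslash consumes the character that follows it; the doubled-quote form '' is not modelled). The server decodes the query bytes under the connection charset before parsing, which is exactly the gap the multibyte bypass exploits: the escaper works on bytes, the parser on characters. The function names (`literal_breaks_out`, `quoted_context`, `build_numeric_query`, `quote_only_escape`) and all inputs are constructed here for illustration.

```python
# Added example (not from the original question or answer): a model of why
# escaping the single quote is not a SQL-injection defence.  PHP's addslashes()
# is cloned byte-for-byte; the "server side" is a small parser for a MySQL-style
# single-quoted literal, applied after decoding the query bytes under the
# connection charset.  All inputs below are constructed for illustration.


def add_slashes(data: bytes) -> bytes:
    """Clone of PHP addslashes(): prefix ' " \\ and NUL with a backslash."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):      # ' " \
            out += b"\\" + bytes([b])
        elif b == 0x00:
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)


def quote_only_escape(data: bytes) -> bytes:
    """A hand-rolled escaper that handles ' but forgets \\ (the answer's
    'improper escaping' case).  Hypothetical, for contrast with add_slashes."""
    return data.replace(b"'", b"\\'")


def literal_breaks_out(body: str) -> bool:
    """True if `body`, placed inside '...', contains a quote that would end the
    literal early.  Uses MySQL's backslash rule for string literals: a backslash
    consumes the character that follows it.  The doubled-quote form '' is not
    modelled, since none of the inputs here rely on it."""
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":
            i += 2            # skip the escaped character, whatever it is
            continue
        if ch == "'":
            return True       # bare quote: everything after it is parsed as SQL
        i += 1
    return False


def quoted_context(user_input: bytes, charset: str = "latin-1",
                   escaper=add_slashes) -> bool:
    """Simulate  WHERE id='<escaped input>'  on a server whose connection
    charset is `charset`.  Escaping happens on bytes, parsing on characters."""
    escaped = escaper(user_input)
    return literal_breaks_out(escaped.decode(charset))


def build_numeric_query(user_input: bytes) -> str:
    """Simulate  WHERE id = <escaped input>  with no quotes around the value.
    addslashes() only touches quotes and backslashes, so input without them
    reaches the query text unchanged."""
    return "SELECT * FROM x WHERE id = " + add_slashes(user_input).decode("latin-1")


if __name__ == "__main__":
    cases = [
        ("question's case, a'b inside quotes",        quoted_context(b"a'b")),
        ("backslash then quote, addslashes",          quoted_context(b"\\'")),
        ("backslash then quote, quote-only escaper",  quoted_context(b"\\'", escaper=quote_only_escape)),
        ("0xBF 0x27 under a single-byte charset",     quoted_context(b"\xbf'", charset="latin-1")),
        ("0xBF 0x27 under GBK",                       quoted_context(b"\xbf'", charset="gbk")),
    ]
    for label, injected in cases:
        print(("INJECTED  " if injected else "escaped   ") + label)
    # Numeric context: the escaper never sees a quote, so nothing is escaped.
    print(build_numeric_query(b"1 OR 1=1"))
```

Two of the five quoted-context cases break out: the quote-only escaper turns `\'` into `\\'`, where the server reads `\\` as one escaped backslash and the trailing quote as the end of the literal; and under GBK the escaped bytes `BF 5C 27` decode to one two-byte character followed by a bare quote, so the backslash addslashes() inserted is swallowed into the character. The unquoted `WHERE id = 1 OR 1=1` needs no quote at all and passes through untouched. The robust fix is parameterised queries (prepared statements), which keep data out of the query text entirely; if escaping is unavoidable, it has to be done by a function that knows the connection charset (mysqli_real_escape_string after mysqli_set_charset), never by addslashes().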