SQL injection that gets around mysql_real_escape_string()

Question

Is there any SQL injection possibility still while using mysql_real_escape_string() function?

Consider this sample situation. SQL is constructed in PHP like below:

$login = mysql_real_escape_string(GetFromPost('login'));
$password = mysql_real_escape_string(GetFromPost('password'));

$sql = "SELECT * FROM table WHERE login='$login' AND password='$password'";

Some people told me that code like that is still dangerous and possible to hack also with mysql_real_escape_string() function used. Although I cannot think of any possible exploit?

Classic injections like this:

aaa' OR 1=1 --

Also does not work.

Does anybody know any possible injection that would get through the PHP code above?

Answer 1

You can consider the below query:

$iId = mysql_real_escape_string("1 OR 1=1");    
$sSql = "SELECT * FROM table WHERE id = $iId";

mysql_real_escape_string() will not defend you against this. The truth that you use single quotes (' ') around your variables inside your query is what defends you against this. The following is also an option:

$iId = (int)"1 OR 1=1";
$sSql = "SELECT * FROM table WHERE id = $iId";

 Want to be a SQL expert? Join Intellipaat's SQL Training program to learn more.