
quirky query 1

Status
Not open for further replies.

TheConeHead

Programmer
Aug 14, 2002
2,106
US
I am submitting a query via a form:

Code:
<form name="printf" method="post" action="page.php" target="_blank">
   <input type="hidden" name="st" value="SELECT id, fname, field, AES_DECRYPT(lname,'key') as slname, AES_DECRYPT(uname,'key') as suname,  AES_DECRYPT(pword,'key') as spword FROM table where AES_DECRYPT(uname,'key') = 'name' AND AES_DECRYPT(pword,'key') = 'pword'">
   <input type="hidden" name="tr" value="SELECT * FROM table where id = '9'">
</form>

When I go to the new page from this form being submitted, the queries turn into:

Code:
SELECT id, fname, field, AES_DECRYPT(lname,\'key\') as slname, AES_DECRYPT(uname,\'key\') as suname, AES_DECRYPT(pword,\'key\') as spword FROM table where AES_DECRYPT(uname,\'key\') = \'name\' AND AES_DECRYPT(pword,\'key\') = \'pword\'

and

SELECT * FROM table where id = \'9\'

For some reason it is putting the \ in front of the ' - do I need to strip these out or can I get it passed correctly?

[conehead]
 
First of all, you probably have "magic_quotes" turned on. I personally hate them and always turn them off.

More importantly, that is a horrible, horrible, horrible practice. Anyone can view the source of your page and construct a new POST that will run arbitrary SQL in your database. Like, "delete * from table".
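
An added example, not part of the original thread: one way to avoid shipping SQL in hidden form fields is to keep the statements on the server and have the form post only a query name and its values, which are then bound as parameters. The `users` table, the `q` field, the `QUERIES` catalogue, the `runNamedQuery()` helper and the in-memory SQLite database are assumptions made so the example runs on its own.

```php
<?php
// Added example. Assumed names: users table, 'q' form field, QUERIES, runNamedQuery().
// The SQL text never leaves the server; the form posts a query name plus values.
const QUERIES = [
    'user_by_id' => [
        'sql'    => 'SELECT id, fname, field FROM users WHERE id = :id',
        'params' => ['id'],
    ],
    'user_by_uname' => [
        'sql'    => 'SELECT id, fname, field FROM users WHERE uname = :uname',
        'params' => ['uname'],
    ],
];

function runNamedQuery(PDO $db, array $post): array
{
    $name = $post['q'] ?? '';
    // Only statements listed in the server-side catalogue can run.
    if (!is_string($name) || !array_key_exists($name, QUERIES)) {
        throw new InvalidArgumentException('unknown query');
    }
    $bind = [];
    foreach (QUERIES[$name]['params'] as $p) {
        if (!isset($post[$p]) || !is_string($post[$p])) {
            throw new InvalidArgumentException("missing parameter: $p");
        }
        $bind[":$p"] = $post[$p]; // bound as data, never spliced into the SQL text
    }
    $stmt = $db->prepare(QUERIES[$name]['sql']);
    $stmt->execute($bind);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, fname TEXT, field TEXT, uname TEXT)');
$db->exec("INSERT INTO users VALUES (9, 'Pat', 'demo', 'name')");

// A normal request: the form sent q=user_by_id and id=9.
print_r(runNamedQuery($db, ['q' => 'user_by_id', 'id' => '9']));
// A value containing quotes is compared as a literal string and matches no row.
print_r(runNamedQuery($db, ['q' => 'user_by_id', 'id' => "9' OR '1'='1"]));
// SQL text sent in place of a catalogue name is refused before it reaches the database.
try {
    runNamedQuery($db, ['q' => 'DELETE FROM users']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Because the values are bound rather than concatenated, the quotes in them no longer need escaping to build the statement.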
 