Oct 25th, 2006, 5:32 PM   #1
TCStyle
SQL injection on an insert query.

Firstly, this is not going to be used maliciously. It is for test purposes on a BBS that I'm coding.

How would I go about injecting an insert query? I'll use a generic code:
mysql_query("INSERT INTO data (fData, sData) VALUES('" . $fData . "', '" . $sData . "')");

Let's say the variables $fData and $sData come straight from my HTML forum without passing through any checks (no strip_tags() or get_magic_quotes_gpc() functions). Now, I know how to inject a select from query, but I don't know how I would inject this?

Any help is appreciated.
__________________
meh...
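The following is an added example, not part of the original post: it runs the post's concatenated INSERT next to a parameterized version, so the root cause (form values being parsed as SQL text) and the fix are visible side by side. It assumes PDO with an in-memory SQLite database in place of mysql_query(); the sample form values are constructed.

```php
<?php
// Added example. Table and column names follow the post; the in-memory
// SQLite database and the sample values are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE data (fData TEXT, sData TEXT)');

// Constructed form input: an ordinary apostrophe is enough to show the problem.
$fData = "O'Brien";
$sData = "first post";

// 1) The post's pattern: values are spliced into the SQL text, so the
//    apostrophe ends the string literal early and the remainder of the
//    value is handed to the SQL parser instead of being stored as data.
$concat = "INSERT INTO data (fData, sData) VALUES('" . $fData . "', '" . $sData . "')";
echo "Concatenated statement: $concat\n";
try {
    $db->exec($concat);
    echo "Concatenated insert: executed\n";
} catch (PDOException $e) {
    echo "Concatenated insert: failed to parse: " . $e->getMessage() . "\n";
}

// 2) Hardened form: the statement text is fixed and the values are bound
//    separately, so no character in the input can change the query structure.
$stmt = $db->prepare('INSERT INTO data (fData, sData) VALUES (:fData, :sData)');
$stmt->execute([':fData' => $fData, ':sData' => $sData]);
echo "Parameterized insert: executed\n";

// 3) Read back what was stored. Escape on output as well: strip_tags() or
//    htmlspecialchars() address HTML rendering, not SQL construction.
foreach ($db->query('SELECT fData, sData FROM data', PDO::FETCH_ASSOC) as $row) {
    echo "Stored row: "
        . htmlspecialchars($row['fData'], ENT_QUOTES) . " | "
        . htmlspecialchars($row['sData'], ENT_QUOTES) . "\n";
}
```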