SQL injection vulnerability found on website

Time: 2015-11-12 11:24:36

Tags: php mysql sql-injection

We seem to have located an SQL injection vulnerability on one of our websites. The SQL query they are running is as follows:

select * from jobs where jobs.status='on' and industry_id=''

If the user changes the value of industry (in the URL) to the below value, then it outputs the name of the database on the search results.

-1' UNION SELECT concat(user(),0x3a3a,database()),2,3,4,5,6,7,8,9,10,11,12,13,14-- -

The PHP code that builds this part of the SQL query is:

$extra_sql = "and industry_id='".mysql_real_escape_string($_GET['industry'])."'";

I thought that if a value was escaped using mysql_real_escape_string() then this wouldn't be possible, so therefore I have a few questions:

  1. How can we fix this security problem?
  2. Is there a quick way to fix this other than to go through every single SQL query?

Thanks in advance.

1 answer:

Answer 0 (score: 1)

Change it into this:

$industryID = (int) trim($_GET['industry']);

$extra_sql = "and industry_id='".$industryID."'";
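
An added example, not part of the original question or answer: the same `industry` filter written as a bound parameter with strict integer validation, so the request value never becomes part of the SQL text. The `id` and `title` columns, the sample rows, the `findJobs()` helper and the in-memory SQLite database (standing in for MySQL so the script runs without a server) are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed schema and rows; only `status` and `industry_id` come from the page.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server
// prepares the statement itself.
$pdo->exec("CREATE TABLE jobs (
    id INTEGER PRIMARY KEY, title TEXT, status TEXT, industry_id INTEGER)");
$pdo->exec("INSERT INTO jobs (title, status, industry_id) VALUES
    ('Welder', 'on', 3), ('Nurse', 'on', 7), ('Clerk', 'off', 3)");

// Hypothetical helper: returns the active jobs for one industry.
function findJobs(PDO $pdo, $rawIndustry): array
{
    // Accept only a whole positive integer. Unlike an (int) cast, which
    // turns "3 OR 1=1" into 3, this rejects any input with trailing text.
    $industryId = filter_var(
        $rawIndustry,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($industryId === false) {
        return [];
    }

    // The SQL text is fixed; the value travels separately as a typed parameter.
    $stmt = $pdo->prepare(
        "SELECT id, title FROM jobs WHERE status = 'on' AND industry_id = :industry"
    );
    $stmt->bindValue(':industry', $industryId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Sample inputs: a normal id, the payload quoted in the question, and a
// constructed value with trailing SQL.
$inputs = [
    '3',
    "-1' UNION SELECT concat(user(),0x3a3a,database()),2,3,4,5,6,7,8,9,10,11,12,13,14-- -",
    '3 OR 1=1',
];
foreach ($inputs as $raw) {
    printf("%-24.24s => %d row(s)\n", $raw, count(findJobs($pdo, $raw)));
}
```

In the real page the call would be `findJobs($pdo, $_GET['industry'] ?? null)`; a missing parameter fails validation and returns no rows.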