Isaac Gonzalez wrote:
at what level can this be exploited?
From the wiki interface?
Or from MySQL?
What if there is a firewall in front of MySQL?
For some general background on SQL injection attacks please see: http://en.wikipedia.org/wiki/SQL_injection
Always, *always* escape your input strings when manually constructing SQL statements. This should have been impressed upon you when you first started learning about SQL, but it's easy to pick up bad habits with the large amount of sloppy example code out there.
If using PHP and MySQL directly, use the mysql_real_escape_string() function. For documentation please see: http://www.php.net/mysql_real_escape_string
The code that was given above takes the data from a particular user record's user_options field and pastes it directly into an SQL statement. The existence of "'" or "" characters in that field could be abused to completely change the meaning of the resulting SQL statement when someone next runs that script, by closing the string literal and setting the value of other fields on every user record.
If the account being read from is secure, and nobody ever makes a mistake, you might never have a problem. Or you might just get SQL errors when you have a "'" in there by mistake. But it does increase your chance of problems to have this insecure system, and if you have that you likely have other insecure code written similarly.
-- brion vibber (brion @ pobox.com)
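As an added example (not the script discussed in the thread, and written against Python's sqlite3 module with bound parameters rather than PHP and mysql_real_escape_string), this reproduces the pattern Brion describes: a maintenance routine reads one record's user_options and pastes it straight back into an UPDATE. The user table and its rows are constructed sample data; the third row carries a value of the kind the thread warns about, and the safe version also checks that a per-user update touched exactly one row.

```python
import sqlite3

# Constructed sample data in the shape of a MediaWiki-style user table.
# Row 2 has a stray apostrophe "by mistake"; row 3 holds a value that closes
# the string literal, as the thread describes.
SAMPLE_USERS = [
    (1, "alice", "skin=monobook"),
    (2, "bob", "sig=O'Brien"),
    (3, "carol", "x', user_name='changed' WHERE 1=1 -- "),
]


def make_db():
    """Fresh in-memory database loaded with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (user_id INTEGER PRIMARY KEY,"
               " user_name TEXT, user_options TEXT)")
    db.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE_USERS)
    db.commit()
    return db


def rewrite_options_unsafe(db, user_id):
    """The pattern from the thread: stored value pasted into SQL text.

    Returns the number of rows the UPDATE touched; a quote inside the stored
    value either breaks the statement or lets it rewrite other records."""
    (opts,) = db.execute(
        "SELECT user_options FROM user WHERE user_id=%d" % user_id).fetchone()
    new_opts = opts + ";lang=en"
    cur = db.execute("UPDATE user SET user_options='%s' WHERE user_id=%d"
                     % (new_opts, user_id))
    return cur.rowcount


def rewrite_options_safe(db, user_id):
    """Same job with bound parameters: the value is never parsed as SQL.

    Also guards the invariant that a per-user update changes exactly one row."""
    (opts,) = db.execute(
        "SELECT user_options FROM user WHERE user_id=?", (user_id,)).fetchone()
    new_opts = opts + ";lang=en"
    cur = db.execute("UPDATE user SET user_options=? WHERE user_id=?",
                     (new_opts, user_id))
    if cur.rowcount != 1:
        db.rollback()
        raise RuntimeError("per-user update touched %d rows" % cur.rowcount)
    db.commit()
    return cur.rowcount
```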