| Stephen Langasek on Wed, 11 Sep 2002 16:10:39 -0500 |
| Re: [Pugged] SQL Security |
On Wed, Sep 11, 2002 at 03:58:31PM -0500, Tim Perdue wrote:

> Exploitable:
>
> $sql = "SELECT * FROM frmForums WHERE frmID = $f";
>
> Secure:
>
> $sql = "SELECT * FROM frmForums WHERE frmID = '$f'";

Not secure.

$f = '1123\'; DROP TABLE frmForums; SELECT \'';
$sql = "SELECT * FROM frmForums WHERE frmID = '$f'";

gives you

SELECT * FROM frmForums WHERE frmID = '1123'; DROP TABLE frmForums; SELECT '';

This example doesn't work with all SQL backends, but you can probably find a creative way to exploit the problem on your SQL db of choice. To protect your database from hostile inputs, you should always use PHP's addslashes() function (or PEAR DB's quote() method) to make sure all special characters are escaped before being passed to the server.

Steve Langasek
postmodern programmer

_______________________________________________
Ciapug mailing list
Ciapug@xxxxxxxxxx
http://cialug.org/mailman/listinfo/ciapug
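The point of the thread, as an added example that is not part of either poster's message: the quoted-but-interpolated query from the thread is rebuilt with the same hostile value, run against an in-memory SQLite table standing in for frmForums (a constructed fixture), and compared with a parameterized query, which goes beyond the addslashes() advice above by letting the driver bind the value so it can never become SQL. executescript() is used only to emulate a backend that accepts stacked statements; the table name and rows are assumptions.

```python
import sqlite3

# Constructed sample input: the payload quoted in the thread, as the PHP
# string literal evaluates once its backslash escapes are processed.
HOSTILE_INPUT = "1123'; DROP TABLE frmForums; SELECT '"


def build_naive_query(f: str) -> str:
    """The thread's 'secure' pattern: quoted, but still string-interpolated."""
    return f"SELECT * FROM frmForums WHERE frmID = '{f}'"


def fresh_db() -> sqlite3.Connection:
    """In-memory table standing in for frmForums (constructed fixture)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE frmForums (frmID INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO frmForums VALUES (?, ?)",
                     [(1123, "general"), (2, "dev")])
    conn.commit()
    return conn


def table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'frmForums'"
    ).fetchone()
    return row is not None


def run_interpolated(f: str) -> bool:
    """Run the interpolated query on a backend that accepts stacked statements
    (executescript emulates that). Returns whether frmForums survived."""
    conn = fresh_db()
    conn.executescript(build_naive_query(f))
    return table_exists(conn)


def run_parameterized(f: str) -> tuple[int, bool]:
    """Bind the value as a parameter so the driver never treats it as SQL.
    Returns (rows matched, frmForums still exists)."""
    conn = fresh_db()
    rows = conn.execute("SELECT * FROM frmForums WHERE frmID = ?", (f,)).fetchall()
    return len(rows), table_exists(conn)


if __name__ == "__main__":
    print(build_naive_query(HOSTILE_INPUT))
    print("interpolated, table survived:", run_interpolated(HOSTILE_INPUT))
    print("parameterized, hostile value:", run_parameterized(HOSTILE_INPUT))
    print("parameterized, legitimate id:", run_parameterized("1123"))
```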