[Pugged] SQL Security
Tim Perdue
ciapug@ciapug.org
Wed, 11 Sep 2002 15:58:31 -0500
Exploitable:
> $sql = "SELECT * FROM frmForums WHERE frmID = $f";
Secure:
> $sql = "SELECT * FROM frmForums WHERE frmID = '$f'";
I noticed a lot of people have posted SQL which does not surround the
variables ($f in this case) with '' marks. I think this opens up a potential
exploit in your code.
Without the '' around your variables, what is to stop someone from making the
variable do something malicious, such as
foo.php?f=;DROP+TABLE+important_data;
foo.php?f=;UPDATE+permissions+SET+is_admin=true+WHERE+user_name=HACKER;
There's a large number of scenarios like that; if you're not careful they can
be exploited. Simply wrapping the variables *always* in '' should thwart
everything.
Tim
-- 
Founder - PHPBuilder.com / Geocrawler.com / SourceForge
GPG Public Key: http://www.perdue.net/personal/pgp.php
Perdue, Inc. / Immortal LLC
515-554-9520
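An added example, not part of Tim's post or of PHPBuilder: a Python/sqlite3 walk-through of the two query shapes above plus a third, a bound parameter. The table and column names (frmForums, frmID) are taken from the post; the rows and the payloads are constructed here. It reproduces what the post describes (an unquoted $f lets an appended OR clause become SQL, while the same text inside '' matches nothing) and adds the caveat a reviewer would want: a value that carries its own quote character closes the '' and leaks every row from the quoted form as well, whereas the bound parameter is never parsed as SQL. sqlite3 refuses multi-statement strings, so the post's ";DROP TABLE" payload is replaced by an OR tautology that shows the same loss of control.

```python
import sqlite3

# Constructed sample data; frmForums / frmID are the names used in the post.
FORUMS = [(1, "general"), (2, "announcements"), (3, "staff-only")]


def make_db():
    """In-memory database holding the constructed frmForums rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE frmForums (frmID INTEGER PRIMARY KEY, frmName TEXT)")
    conn.executemany("INSERT INTO frmForums VALUES (?, ?)", FORUMS)
    return conn


def query_unquoted(conn, f):
    """The post's 'Exploitable' form: $f interpolated with no quotes.

    Anything after the leading digits is parsed as SQL."""
    sql = f"SELECT frmID FROM frmForums WHERE frmID = {f}"
    return [row[0] for row in conn.execute(sql)]


def query_quoted(conn, f):
    """The post's 'Secure' form: $f interpolated inside '' marks.

    A payload with no quote character stays a harmless string, but a payload
    that contains ' terminates the literal and the rest is parsed as SQL."""
    sql = f"SELECT frmID FROM frmForums WHERE frmID = '{f}'"
    return [row[0] for row in conn.execute(sql)]


def query_parameterized(conn, f):
    """Bound parameter: the driver sends the value separately from the SQL
    text, so no content of f can change the statement's structure."""
    sql = "SELECT frmID FROM frmForums WHERE frmID = ?"
    return [row[0] for row in conn.execute(sql, (f,))]


def compare_forms():
    """Run all three forms against an honest value and two payloads.

    Returns {form: {input: list_of_frmIDs}} so the outcomes can be inspected
    side by side. sqlite3 rejects multiple statements per execute(), so an
    OR tautology stands in for the post's ';DROP TABLE' payload."""
    conn = make_db()
    inputs = {
        "honest": "1",            # a normal forum id
        "bare_or": "1 OR 1=1",    # no quote character in the payload
        "quote_or": "' OR '1'='1",  # payload closes the '' and appends a tautology
    }
    forms = {
        "unquoted": query_unquoted,
        "quoted": query_quoted,
        "parameterized": query_parameterized,
    }
    results = {}
    for form_name, fn in forms.items():
        results[form_name] = {}
        for label, value in inputs.items():
            try:
                results[form_name][label] = fn(conn, value)
            except sqlite3.Error as exc:  # record syntax errors instead of aborting
                results[form_name][label] = f"error: {exc}"
    return results


if __name__ == "__main__":
    for form, outcomes in compare_forms().items():
        for label, rows in outcomes.items():
            print(f"{form:14s} {label:9s} -> {rows}")
```

Reading the output: the unquoted form returns every forum for the bare OR payload, the quoted form returns nothing for it (the text '1 OR 1=1' cannot be coerced to an integer, so the WHERE matches no row), and the quoted form returns every forum once the payload supplies its own quote. Only the bound parameter returns an empty result for both payloads while still finding forum 1 for the honest input, which is why a parameterized query (or, for an integer id, an explicit cast to int) is the check to add on top of the quoting the post recommends.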