[Pugged] SQL Security

Stephen Langasek ciapug@ciapug.org
Wed, 11 Sep 2002 16:09:55 -0500


On Wed, Sep 11, 2002 at 03:58:31PM -0500, Tim Perdue wrote:
> Exploitable:
> >       $sql = "SELECT * FROM frmForums WHERE frmID = $f";
> Secure:
> >       $sql = "SELECT * FROM frmForums WHERE frmID = '$f'";

Not secure.

$f = '1123\'; DROP TABLE frmForums; SELECT \'';
$sql = "SELECT * FROM frmForums WHERE frmID = '$f'";

gives you

SELECT * FROM frmForums WHERE frmID = '1123'; DROP TABLE frmForums; SELECT '';

This example doesn't work with all SQL backends, but you can probably find a
creative way to exploit the problem on your SQL db of choice.

To protect your database from hostile inputs, you should always use PHP's
addslashes() function (or PEAR DB's quote() method) to make sure all special
characters are escaped before being passed to the server.

Steve Langasek
postmodern programmer
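The two query forms from the message, as an added example that is not part of Steve's mail or the project discussed. The original is PHP; Python's sqlite3 module with a constructed in-memory table is used so it runs stand-alone. It shows that the value spliced inside quotes becomes a second statement, while the same lookup with a bound parameter (the job escaping via PEAR DB's quote() does when a string must be built) keeps the value as data.

```python
import sqlite3

# Constructed sample input: the hostile value from the message, as PHP
# holds it in $f once the \' escapes have been processed.
HOSTILE_F = "1123'; DROP TABLE frmForums; SELECT '"


def fresh_db():
    """Constructed stand-in for the forum table; schema is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE frmForums (frmID INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO frmForums VALUES (?, ?)",
                     [(1123, "general"), (1124, "dev")])
    conn.commit()
    return conn


def interpolated_query(f):
    """The 'secure' form from the quoted mail: value spliced between quotes."""
    return f"SELECT * FROM frmForums WHERE frmID = '{f}'"


def table_exists(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE name = 'frmForums'"
    ).fetchone()
    return row[0] == 1


def run_interpolated(f):
    """Executes the spliced string as a script, i.e. what a backend that
    accepts stacked statements does; returns whether the table survived."""
    conn = fresh_db()
    conn.executescript(interpolated_query(f))
    return table_exists(conn)


def run_parameterized(f):
    """Same lookup with a bound parameter: the driver passes the value
    separately, so quotes and semicolons inside it are plain data."""
    conn = fresh_db()
    rows = conn.execute("SELECT * FROM frmForums WHERE frmID = ?", (f,)).fetchall()
    return rows, table_exists(conn)


if __name__ == "__main__":
    print(interpolated_query(HOSTILE_F))
    print("table survives spliced query:", run_interpolated(HOSTILE_F))
    print("parameterized (rows, survives):", run_parameterized(HOSTILE_F))
```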