[Pugged] SQL Security

Tim Perdue ciapug@ciapug.org
Wed, 11 Sep 2002 16:14:48 -0500

On Wed, Sep 11, 2002 at 04:09:55PM -0500, Stephen Langasek wrote:
> On Wed, Sep 11, 2002 at 03:58:31PM -0500, Tim Perdue wrote:
> > Exploitable:
> > >       $sql = "SELECT * FROM frmForums WHERE frmID = $f";
> > Secure:
> > >       $sql = "SELECT * FROM frmForums WHERE frmID = '$f'";
>
> Not secure.
>
> $f = '1123\'; DROP TABLE frmForums; SELECT \'';
> $sql = "SELECT * FROM frmForums WHERE frmID = '$f'";
>
> gives you
>
> SELECT * FROM frmForums WHERE frmID = '1123'; DROP TABLE frmForums; SELECT '';

> To protect your database from hostile inputs, you should always use PHP's
> addslashes() function (or PEAR DB's quote() method) to make sure all special
> characters are escaped before being passed to the server.

Right, which is why your example doesn't work. Either a person is using the
automatic addslashes, or they are doing it manually or they can't reliably run
their site, short of putting big red warnings that warn against putting a ' in
any field on the site.

Tim

--
Founder - PHPBuilder.com / Geocrawler.com / SourceForge
GPG Public Key: http://www.perdue.net/personal/pgp.php
Perdue, Inc. / Immortal LLC
515-554-9520
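The exchange above, worked through as an added example that is not part of the original thread: the quoted-but-interpolated query from the "Secure" line, run with Stephen's hostile value against a constructed in-memory SQLite table (standing in for the PHP/MySQL setup the thread assumes), beside the parameterized form that a driver's placeholder binding gives you. Table name, row data and function names are assumptions for the demo.

```python
import sqlite3

# Constructed sample: the table from the thread with one row, and the hostile
# value from Stephen's reply (the backslash-escaped PHP literal, decoded).
HOSTILE_F = "1123'; DROP TABLE frmForums; SELECT '"


def make_db():
    """In-memory SQLite database standing in for the forum database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE frmForums (frmID INTEGER, name TEXT)")
    conn.execute("INSERT INTO frmForums VALUES (1123, 'general')")
    conn.commit()
    return conn


def table_exists(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='frmForums'"
    ).fetchone()
    return row[0] == 1


def build_interpolated(f):
    """The 'Secure' line from the thread: wrapping the value in quotes does
    not help, because the value itself can close the quote."""
    return f"SELECT * FROM frmForums WHERE frmID = '{f}'"


def run_interpolated(conn, f):
    """Run the interpolated query the way a driver that accepts stacked
    statements would (sqlite3's execute() refuses them, so executescript()
    stands in). Returns whether frmForums survived."""
    conn.executescript(build_interpolated(f))
    return table_exists(conn)


def run_parameterized(conn, f):
    """The driver binds the value: it is compared as data, never parsed as SQL.
    Returns (matching rows, whether frmForums survived)."""
    rows = conn.execute("SELECT * FROM frmForums WHERE frmID = ?", (f,)).fetchall()
    return rows, table_exists(conn)


if __name__ == "__main__":
    print(build_interpolated(HOSTILE_F))
    print("table survives interpolation:", run_interpolated(make_db(), HOSTILE_F))
    print("parameterized, hostile:", run_parameterized(make_db(), HOSTILE_F))
    print("parameterized, benign:", run_parameterized(make_db(), 1123))
```

With binding there is no quoting step to get wrong, which is the real difference from relying on addslashes or magic_quotes being switched on.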