#4 SQL injection when magic_quotes_gpc = Off

Milestone: v1.4
Status: open
Labels: code (3)
Priority: 5
Updated: 2008-03-26
Created: 2006-08-16
Private: No

Some PHP installations have php.ini configured with
magic_quotes_gpc = Off
This allows SQL injection:
http://www.php.net/manual/en/security.database.sql-injection.php

Example 1:
Enter the next line in the text field for a new board
message:
'), ('The bad guy', 'Secret day', 'Hi!', 'Foobar
You will get two new board messages. There should
be only one message that contains the ' characters.

Example 2:
Log in with several users and create coordinate entries.
Log in in English with the first user of coordinate
entries.
Create a webpage with this content:

<form method="POST" action="path/to/OSADS-webdirectory">
<input type="hidden" name="id" value="0 or 1=1 --">
<input type="Submit" name="koorddel" value="Delete">
</form>

Go to that webpage and press Delete.
All coordinate entries will be deleted, even those of
other users!

A possible fix for any SQL injection is to use
http://pear.php.net/manual/en/package.database.mdb2.intro-execute.php
for all SQL commands of the project.
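
Added illustration, not part of the original report and not OSADS code: the two examples above run against the concatenated-query pattern and against the prepared-statement fix. The table names, columns and queries are hypothetical, and PDO with an in-memory SQLite database stands in for the project's database layer and for the MDB2 prepare/execute calls the report links to.

```php
<?php
// Added example, not OSADS code: tables, columns and queries are hypothetical.
// PDO with in-memory SQLite stands in for the project's database layer.
function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE board (author TEXT, day TEXT, subject TEXT, message TEXT)");
    $db->exec("CREATE TABLE coords (id INTEGER PRIMARY KEY, owner TEXT, label TEXT)");
    $db->exec("INSERT INTO coords (owner, label) VALUES ('alice','a1'), ('alice','a2'), ('bob','b1')");
    return $db;
}

// Pattern behind both examples: request values are pasted into the SQL text.
function postConcat(PDO $db, string $author, string $message): void {
    $db->exec("INSERT INTO board VALUES ('$author', 'today', 'note', '$message')");
}
function deleteConcat(PDO $db, string $owner, string $id): int {
    return $db->exec("DELETE FROM coords WHERE id = $id AND owner = '$owner'");
}

// Fix: placeholders send values separately, so they never become SQL syntax.
function postPrepared(PDO $db, string $author, string $message): void {
    $stmt = $db->prepare("INSERT INTO board VALUES (?, 'today', 'note', ?)");
    $stmt->execute([$author, $message]);
}
function deletePrepared(PDO $db, string $owner, string $id): int {
    if (!ctype_digit($id)) {
        return 0; // defence in depth: an id must be all digits
    }
    $stmt = $db->prepare("DELETE FROM coords WHERE id = ? AND owner = ?");
    $stmt->execute([(int)$id, $owner]);
    return $stmt->rowCount();
}

$message = "'), ('The bad guy', 'Secret day', 'Hi!', 'Foobar"; // input from Example 1
$id = "0 or 1=1 --";                                            // input from Example 2

$db = makeDb();
postConcat($db, 'alice', $message);
$rows = (int)$db->query("SELECT COUNT(*) FROM board")->fetchColumn();
printf("concatenated: %d board rows, %d coordinate rows deleted\n", $rows, deleteConcat($db, 'alice', $id));

$db = makeDb();
postPrepared($db, 'alice', $message);
$rows = (int)$db->query("SELECT COUNT(*) FROM board")->fetchColumn();
printf("prepared:     %d board rows, %d coordinate rows deleted\n", $rows, deletePrepared($db, 'alice', $id));
echo "stored message: ", $db->query("SELECT message FROM board")->fetchColumn(), "\n";
```

With placeholders the board message is stored as literal text, quotes included, and the delete is limited to a numeric id owned by the logged-in user.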

Discussion

  • Julian Ladisch

    Julian Ladisch - 2006-08-16
    • assigned_to: nobody --> sebwan
     
  • tosch_de

    tosch_de - 2006-08-19

    Logged In: YES
    user_id=1578685

    A quick and dirty solution is described here:
    http://osads.sourceforge.net/viewtopic.php?p=260#260

     
  • Ronny Witzgall

    Ronny Witzgall - 2007-07-15

    Logged In: YES
    user_id=959753
    Originator: NO

    It's a kind project. Look @ the files. You will find mass dirty code.

     
  • Yggdrasil

    Yggdrasil - 2008-03-26
    • milestone: --> v1.4
     
