From: Franky V. L. <lie...@te...> - 2008-09-25 13:22:26
IIRC the function _addslashes adds quotes itself, therefore no quotes are
needed in the SQL statement.
I'll check this evening, but for now I would advise no action.

Franky

On Thu, Sep 25, 2008 at 3:05 PM, Matthew Gregg <mat...@gm...> wrote:
> I received the message below, but don't have time to do a thorough
> investigation at the moment. A quick look, seems like this is not a
> problem. Anyone with more time please take a look.
>
> > File: phpESP/public/survey.php
> > Lines:
> >
> > 15 $_name = _addslashes($_GET['name']);
> > 25 $_sql = "SELECT id,title,theme FROM
> > ".$GLOBALS['ESPCONFIG']['survey_table']." WHERE name = $_name";
> >
> > Since the variable $_name is not embedded in quotes, the function
> > addslashes will not prevent SQL injection attacks since the attacker
> > does not need to use quotes.
> >
> > PoC:
> > survey.php?name=1 and 1=0 union select null, username, password from
> > designer
> >
> > Fix:
> > 25 $_sql = "SELECT id,title,theme FROM
> > ".$GLOBALS['ESPCONFIG']['survey_table']." WHERE name = '$_name'";
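The point the thread turns on, as an added example rather than code from phpESP: whether the value that lands after `WHERE name =` is inside a quoted string literal. The two wrapper functions, `build_query`, `name_is_quoted`, the table name and the sample input are assumptions; the real behaviour of phpESP's `_addslashes` is not shown in the thread.

```php
<?php
// Added example, not phpESP code. Two assumed stand-ins for _addslashes:
// one only escapes (like PHP's addslashes), the other escapes AND wraps the
// value in single quotes, which is what Franky recalls _addslashes doing.
function escape_only(string $v): string {
    return addslashes($v);
}
function escape_and_quote(string $v): string {
    return "'" . addslashes($v) . "'";
}
// Builds the statement the same way as line 25 of the report.
function build_query(string $table, string $name_fragment): string {
    return "SELECT id,title,theme FROM " . $table . " WHERE name = " . $name_fragment;
}
// Defensive check for a unit test: after "WHERE name = " there must be
// exactly one single-quoted literal, so the untrusted value can never be
// parsed as bare SQL tokens (which is what the report's PoC relies on).
function name_is_quoted(string $sql): bool {
    $marker = 'WHERE name = ';
    $pos = strpos($sql, $marker);
    if ($pos === false) { return false; }
    $lit = substr($sql, $pos + strlen($marker));
    $n = strlen($lit);
    if ($n < 2 || $lit[0] !== "'" || $lit[$n - 1] !== "'") { return false; }
    for ($i = 1; $i < $n - 1; $i++) {
        if ($lit[$i] === '\\') {                 // escaped char: skip it
            if ($i + 1 >= $n - 1) { return false; } // would eat the closing quote
            $i++;
        } elseif ($lit[$i] === "'") { return false; } // bare quote ends the literal early
    }
    return true;
}
// Constructed sample value; $table stands in for $GLOBALS['ESPCONFIG']['survey_table'].
$table = 'esp_survey';
$input = "o'brien 2008";
if (!name_is_quoted(build_query($table, escape_only($input)))) {
    echo "escape-only wrapper leaves the value unquoted: line 25 needs the quotes from the report's fix\n";
}
if (name_is_quoted(build_query($table, escape_and_quote($input)))) {
    echo "quote-adding wrapper: line 25 is already a string literal; adding quotes would double them\n";
}
// Either way, the durable fix is a bound parameter (assumes a configured PDO $pdo):
// $stmt = $pdo->prepare("SELECT id,title,theme FROM $table WHERE name = ?");
// $stmt->execute([$_GET['name']]);
```

Running `name_is_quoted` over the generated statement in a test is the quickest way to settle which of the two readings of `_addslashes` applies before touching line 25.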