From: Matthew G. <mat...@gm...> - 2008-09-25 13:28:40

Isn't $_name quoted? _addslashes does the quoting.

    if(get_magic_quotes_gpc()) {
        function _addslashes($a) { return(db_qstr(stripslashes($a))); }
        function _stripslashes($a) { return(stripslashes($a)); }
    } else {
        function _addslashes($a) { return(db_qstr($a)); }
        function _stripslashes($a) { return($a); }
    }

On Thu, 2008-09-25 at 09:24 -0400, Bishop Bettini wrote:
> Any parameters to an SQL query not going through the adodb quoting
> mechanism are vulnerable to SQL injection attacks. The proposed fix
> (just enclosing in single quotes) is itself insufficient, as single
> quotes can be fooled by prematurely closing the quote, inserting a
> statement, then restarting, as in:
>
>     '; DELETE FROM respondent; '1=1
>
> So, the problem is legitimate, the fix is not. A bug (or task) should
> be added to tracker to go through all SQL commands and ensure all
> parameters are quoted, including this instance. Thoughts?
>
> bishop
>
>
> Quoting Matthew Gregg <mat...@gm...>:
>
> > I received the message below, but don't have time to do a thorough
> > investigation at the moment. From a quick look, it seems like this is not a
> > problem. Anyone with more time please take a look.
> >
> >> File: phpESP/public/survey.php
> >> Lines:
> >>
> >>     15 $_name = _addslashes($_GET['name']);
> >>     25 $_sql = "SELECT id,title,theme FROM
> >>         ".$GLOBALS['ESPCONFIG']['survey_table']." WHERE name = $_name";
> >>
> >> Since the variable $_name is not embedded in quotes, the function
> >> addslashes will not prevent SQL injection attacks since the attacker
> >> does not need to use quotes.
> >>
> >> PoC:
> >>     survey.php?name=1 and 1=0 union select null, username, password from
> >>     designer
> >>
> >> Fix:
> >>     25 $_sql = "SELECT id,title,theme FROM
> >>         ".$GLOBALS['ESPCONFIG']['survey_table']." WHERE name = '$_name'";
> >
> > _______________________________________________
> > phpESP-devel mailing list
> > php...@li...
> > https://lists.sourceforge.net/lists/listinfo/phpesp-devel
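The thread turns on one distinction: an escaping function that only backslashes quote characters (PHP's addslashes) does nothing for a value dropped into the SQL text without surrounding quotes, whereas adodb's qstr/db_qstr escapes the value and wraps it in quotes, so the interpolated text is always a complete string literal. The script below is an added illustration, not phpESP code; it rebuilds the three variants against a constructed in-memory SQLite database (tables and rows are sample data) and runs the report's own PoC payload through each. Because SQLite escapes a single quote by doubling it rather than with a backslash, the two helpers use that convention; `escape_only`, `qstr`, `lookup_*` and the table contents are assumptions made for the demonstration. It also adds the bound-parameter form, which is the usual answer to "go through all SQL commands and ensure all parameters are quoted".

```python
import sqlite3


def make_db():
    """Constructed schema loosely mirroring the survey and designer tables
    named in the thread. Rows are sample values, not real data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE survey (id INTEGER, title TEXT, theme TEXT, name TEXT);
        CREATE TABLE designer (username TEXT, password TEXT);
        INSERT INTO survey VALUES (1, 'Customer feedback', 'default', 'feedback');
        INSERT INTO designer VALUES ('admin', 'example-password-hash');
    """)
    return conn


def escape_only(value):
    """Stand-in for PHP addslashes(): escapes quote characters but adds no
    surrounding quotes (SQLite doubles the quote instead of backslashing)."""
    return value.replace("'", "''")


def qstr(value):
    """Stand-in for adodb qstr()/db_qstr(): escape AND wrap in single quotes,
    so the result is always one complete string literal."""
    return "'" + value.replace("'", "''") + "'"


def lookup_escaped_unquoted(conn, name):
    # The pattern the report assumed at line 25: escaped value, no quotes.
    # Anything that is not a quoted literal is parsed as SQL, not as data.
    sql = "SELECT id,title,theme FROM survey WHERE name = " + escape_only(name)
    return conn.execute(sql).fetchall()


def lookup_qstr(conn, name):
    # What _addslashes actually does via db_qstr: the quotes are supplied by
    # the quoting function, so the payload stays inside a string literal.
    sql = "SELECT id,title,theme FROM survey WHERE name = " + qstr(name)
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    # Bound parameter: the driver keeps the value out of the SQL text
    # entirely, so no quoting discipline is needed at the call site.
    return conn.execute(
        "SELECT id,title,theme FROM survey WHERE name = ?", (name,)
    ).fetchall()


# The payload quoted in the original report; it contains no quote
# characters, which is exactly why escaping alone cannot neutralise it.
POC = "1 and 1=0 union select null, username, password from designer"


def demo():
    """Run the PoC and a legitimate name through all three query builders."""
    conn = make_db()
    return {
        "escaped_unquoted": lookup_escaped_unquoted(conn, POC),
        "qstr": lookup_qstr(conn, POC),
        "param": lookup_param(conn, POC),
        "qstr_legit": lookup_qstr(conn, "feedback"),
        "param_legit": lookup_param(conn, "feedback"),
    }


if __name__ == "__main__":
    for variant, rows in demo().items():
        print(f"{variant:18} -> {rows}")
```

Only the escaped-but-unquoted variant returns a designer row for the PoC; the db_qstr-style and bound-parameter variants return nothing for it and the expected survey row for a legitimate name. A name containing an apostrophe (for example `o'neil`) is also handled correctly by both safe variants, which is the case the "just add quotes" fix without escaping would break.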