From: Matthew G. <mat...@gm...> - 2008-09-25 13:36:40
I think a bug for this is a good idea. I know many moons ago I did this,
but lots of code has changed.

On Thu, 2008-09-25 at 09:32 -0400, Bishop Bettini wrote:
> Yeah, I missed the fact that $_name went through _addslashes() in the
> original email. I just now followed up with a trace verifying
> _addslashes() quotes properly.
>
> Nonetheless, I'd advise adding the incoming message as a bug, then
> marking it as not a bug, so we know this issue's been handled.
>
> bishop
>
> Quoting Matthew Gregg <mat...@gm...>:
>
> > Isn't $_name quoted? _addslashes does the quoting.
> >
> >     if(get_magic_quotes_gpc()) {
> >         function _addslashes($a) { return(db_qstr(stripslashes($a))); }
> >         function _stripslashes($a) { return(stripslashes($a)); }
> >     } else {
> >         function _addslashes($a) { return(db_qstr($a)); }
> >         function _stripslashes($a) { return($a); }
> >     }
> >
> > On Thu, 2008-09-25 at 09:24 -0400, Bishop Bettini wrote:
> > > Any parameters to an SQL query not going through the adodb quoting
> > > mechanism are vulnerable to SQL injection attacks. The proposed fix
> > > (just enclosing in single quotes) is itself insufficient, as single
> > > quotes can be fooled by prematurely closing the quote, inserting a
> > > statement, then restarting, as in:
> > >
> > >     '; DELETE FROM respondent; '1=1
> > >
> > > So, the problem is legitimate, the fix is not. A bug (or task) should
> > > be added to tracker to go through all SQL commands and ensure all
> > > parameters are quoted, including this instance. Thoughts?
> > >
> > > bishop
> > >
> > > Quoting Matthew Gregg <mat...@gm...>:
> > >
> > > > I received the message below, but don't have time to do a thorough
> > > > investigation at the moment. A quick look seems like this is not a
> > > > problem. Anyone with more time please take a look.
> > > >
> > > > > File: phpESP/public/survey.php
> > > > > Lines:
> > > > >
> > > > >     15 $_name = _addslashes($_GET['name']);
> > > > >     25 $_sql = "SELECT id,title,theme FROM
> > > > >        ".$GLOBALS['ESPCONFIG']['survey_table']." WHERE name = $_name";
> > > > >
> > > > > Since the variable $_name is not embedded in quotes, the function
> > > > > addslashes will not prevent SQL injection attacks since the attacker
> > > > > does not need to use quotes.
> > > > >
> > > > > PoC:
> > > > >
> > > > >     survey.php?name=1 and 1=0 union select null, username, password from designer
> > > > >
> > > > > Fix:
> > > > >
> > > > >     25 $_sql = "SELECT id,title,theme FROM
> > > > >        ".$GLOBALS['ESPCONFIG']['survey_table']." WHERE name = '$_name'";
> > > >
> > > > _______________________________________________
> > > > phpESP-devel mailing list
> > > > php...@li...
> > > > https://lists.sourceforge.net/lists/listinfo/phpesp-devel
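The three positions in the thread (the reporter's "escaped but unquoted" reading of line 15, Bishop's quote-closing payload, and the trace showing db_qstr() already wraps the value in quotes) can be replayed side by side. The following is an added example, not code from phpESP or from anyone on the list: it uses Python's sqlite3 module instead of PHP/ADOdb, the survey and designer tables and their rows are constructed here, and escape_only() and qstr() are my own stand-ins for "addslashes without quotes" and for the quote-and-escape behaviour of ADOdb's qstr() that db_qstr() relies on.

```python
import sqlite3

# Constructed sample data standing in for the phpESP survey and designer
# tables named in the thread; columns follow the query quoted from survey.php.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE survey (id INTEGER, title TEXT, theme TEXT, name TEXT);
        CREATE TABLE designer (id INTEGER, username TEXT, password TEXT);
        INSERT INTO survey VALUES (1, 'Customer feedback', 'default', 'feedback');
        INSERT INTO designer VALUES (1, 'admin', 'hunter2');
    """)
    return conn

# Payload from the original report: it contains no quote character at all.
POC = "1 and 1=0 union select null, username, password from designer"
# Payload from Bishop's reply: close the quote, inject, reopen the quote.
QUOTE_POC = "'; DELETE FROM respondent; '1=1"

def escape_only(value: str) -> str:
    """Escape quotes but add none: the reporter's reading of _addslashes().
    (SQLite escapes by doubling the quote; PHP's addslashes() backslashes it;
    the point is the same, escaping only helps inside a quoted literal.)"""
    return value.replace("'", "''")

def qstr(value: str) -> str:
    """Escape AND wrap in single quotes, the way ADOdb's qstr() behaves, so the
    value can only ever be parsed as one string literal."""
    return "'" + value.replace("'", "''") + "'"

def query_unquoted(conn: sqlite3.Connection, name: str) -> list:
    # WHERE name = $_name with an escaped but unquoted value. Note that even a
    # legitimate name such as 'feedback' would become a bare identifier here and
    # fail with "no such column", a hint that the real helper must already quote.
    sql = "SELECT id,title,theme FROM survey WHERE name = " + escape_only(name)
    return conn.execute(sql).fetchall()

def query_qstr(conn: sqlite3.Connection, name: str) -> list:
    # WHERE name = $_name where $_name came through a qstr()-style helper.
    sql = "SELECT id,title,theme FROM survey WHERE name = " + qstr(name)
    return conn.execute(sql).fetchall()

def query_param(conn: sqlite3.Connection, name: str) -> list:
    # Bound parameter: the driver keeps data and SQL apart, so there is no
    # quoting convention to get wrong in the first place.
    return conn.execute(
        "SELECT id,title,theme FROM survey WHERE name = ?", (name,)
    ).fetchall()

def demo() -> dict:
    conn = make_db()
    return {
        # Escaped but unquoted: the quote-free payload rewrites the query and
        # returns the designer credentials, exactly as the report describes.
        "unquoted_poc": query_unquoted(conn, POC),
        # qstr-style: the same payload is just a string that matches no survey.
        "qstr_poc": query_qstr(conn, POC),
        # qstr-style: the quote-closing payload is escaped and matches nothing.
        "qstr_quote_poc": query_qstr(conn, QUOTE_POC),
        "qstr_legit": query_qstr(conn, "feedback"),
        "param_poc": query_param(conn, POC),
        "param_legit": query_param(conn, "feedback"),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:15} -> {rows}")
```

Two things fall out of running it. First, the report is right that escaping without quoting is no defence against a payload that never uses a quote, and wrong about line 15: a helper that already wraps the value (as the trace of db_qstr() showed) turns the report's PoC and Bishop's quote-closing payload into harmless string literals. Second, the proposed fix of writing `'$_name'` on top of a helper that already quotes would produce `WHERE name = ''feedback''`, which is a syntax error, so it is wrong even apart from the quoting argument. Bound parameters, as in query_param(), remove the question of who is responsible for the quotes entirely.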