From: Bishop B. <ph...@id...> - 2008-09-25 13:51:17

Regarding my last email, I skipped over the fact that $_name is going through _addslashes(), so my point about the bug being valid is false. Here is the call order:

  _addslashes() calls db_qstr()
  db_qstr() calls ADODB::qstr()
  ADODB::qstr() does the proper quoting to prevent SQL injection attacks.

So, as long as the variables are going through _addslashes(), then there is no bug.

bishop

Quoting Franky Van Liedekerke <lie...@te...>:

> IIRC the function _addslashes adds quotes itself, therefore no quotes are
> needed in the sql statement. I'll check this evening, but for now I would
> advise no action.
>
> Franky
>
> On Thu, Sep 25, 2008 at 3:05 PM, Matthew Gregg <mat...@gm...> wrote:
>
>> I received the message below, but don't have time to do a thorough
>> investigation at the moment. A quick look seems like this is not a
>> problem. Anyone with more time please take a look.
>>
>> > File: phpESP/public/survey.php
>> > Lines:
>> >
>> > 15 $_name = _addslashes($_GET['name']);
>> > 25 $_sql = "SELECT id,title,theme FROM ".$GLOBALS['ESPCONFIG']['survey_table']." WHERE name = $_name";
>> >
>> > Since the variable $_name is not embedded in quotes, the function
>> > addslashes will not prevent SQL injection attacks since the attacker
>> > does not need to use quotes.
>> >
>> > PoC:
>> > survey.php?name=1 and 1=0 union select null, username, password from designer
>> >
>> > Fix:
>> > 25 $_sql = "SELECT id,title,theme FROM ".$GLOBALS['ESPCONFIG']['survey_table']." WHERE name = '$_name'";
>>
>> _______________________________________________
>> phpESP-devel mailing list
>> php...@li...
>> https://lists.sourceforge.net/lists/listinfo/phpesp-devel

--
Bishop Bettini
ideacode, Inc.
(main) +1 919 341 5170 / (fax) +1 919 521 4100
Visit us on the web at: ideacode.com
Professional software research and development
reviewmysoftware.com - Improve sales! Review your software before you release
bytejar.com - Solutions to those annoying development problems
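The thread turns on one detail: plain addslashes() only escapes characters, while the _addslashes() -> db_qstr() -> ADODB::qstr() chain also wraps the value in quotes, so an unquoted `WHERE name = $_name` is safe only because of that wrapping. The following is an added regression check, not phpESP or ADODB code; it is written in Python against an in-memory SQLite database, and `php_addslashes`, `qstr`, the table layout and the row contents are constructed mimics of the behaviour the thread describes (ADODB's real qstr() picks its escape style per driver). It runs the reporter's own payload through three variants of line 25 and records what each returns.

```python
import sqlite3

# Constructed mimics of the two PHP quoting behaviours discussed in the thread.

def php_addslashes(s: str) -> str:
    """Mimic PHP's addslashes(): backslash-escape ' " \\ and NUL.
    It adds no surrounding quotes, which is the reporter's concern."""
    table = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\0": "\\0"}
    return "".join(table.get(ch, ch) for ch in s)

def qstr(s: str) -> str:
    """Mimic what ADODB::qstr() yields for the SQLite driver: double embedded
    single quotes, then wrap the whole value in single quotes (assumption:
    MySQL-style drivers escape with backslashes instead)."""
    return "'" + s.replace("'", "''") + "'"

def setup() -> sqlite3.Connection:
    """In-memory stand-in for the survey and designer tables (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE survey(id INTEGER, title TEXT, theme TEXT, name TEXT);
        INSERT INTO survey VALUES (1, 'Customer feedback', 'default', 'feedback');
        CREATE TABLE designer(id INTEGER, username TEXT, password TEXT);
        INSERT INTO designer VALUES (1, 'admin', 'hash-placeholder');
    """)
    return conn

# The payload quoted in the report; note it contains no quote characters.
REPORTED_PAYLOAD = "1 and 1=0 union select null, username, password from designer"

def lookup_addslashes_unquoted(conn, name):
    """Line 25 as the reporter read it: addslashes() output interpolated bare.
    Returns the rows, or the database error text for a non-numeric name."""
    sql = "SELECT id,title,theme FROM survey WHERE name = " + php_addslashes(name)
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return str(exc)

def lookup_qstr(conn, name):
    """Line 25 as it actually behaves: the value arrives already quoted by qstr()."""
    sql = "SELECT id,title,theme FROM survey WHERE name = " + qstr(name)
    return conn.execute(sql).fetchall()

def lookup_param(conn, name):
    """Bound parameter: no escaping or quoting decision is left to the caller."""
    return conn.execute(
        "SELECT id,title,theme FROM survey WHERE name = ?", (name,)
    ).fetchall()

def regression_check() -> dict:
    """Run the payload and a legitimate name through all three variants."""
    conn = setup()
    return {
        "unquoted_payload": lookup_addslashes_unquoted(conn, REPORTED_PAYLOAD),
        "unquoted_normal": lookup_addslashes_unquoted(conn, "feedback"),
        "qstr_payload": lookup_qstr(conn, REPORTED_PAYLOAD),
        "qstr_normal": lookup_qstr(conn, "feedback"),
        "param_payload": lookup_param(conn, REPORTED_PAYLOAD),
        "param_normal": lookup_param(conn, "feedback"),
    }

if __name__ == "__main__":
    for key, value in regression_check().items():
        print(f"{key:18s} -> {value}")
```

The unquoted variant confirms the reporter's reasoning for bare addslashes(): with no quotes to escape, the payload reaches the database unchanged and the union pulls a designer row, and even a normal lookup fails because `feedback` is parsed as a column name. Once the value is wrapped by qstr() it is compared as a string literal and matches nothing, the same outcome as the bound-parameter version, which is the form that removes the need to reason about quoting at every call site.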