From: Bishop B. <ph...@id...> - 2008-09-25 13:51:17

Any parameter to an SQL query not going through the adodb quoting mechanism is vulnerable to SQL injection attacks. The proposed fix (just enclosing in single quotes) is itself insufficient, as single quotes can be fooled by prematurely closing the quote, inserting a statement, then restarting, as in:

'; DELETE FROM respondent; '1=1

So, the problem is legitimate, the fix is not. A bug (or task) should be added to the tracker to go through all SQL commands and ensure all parameters are quoted, including this instance.

Thoughts?

bishop

Quoting Matthew Gregg <mat...@gm...>:

> I received the message below, but don't have time to do a thorough
> investigation at the moment. A quick look, seems like this is not a
> problem. Anyone with more time please take a look.
>
>> File: phpESP/public/survey.php
>> Lines:
>>
>> 15 $_name = _addslashes($_GET['name']);
>> 25 $_sql = "SELECT id,title,theme FROM
>> ".$GLOBALS['ESPCONFIG']['survey_table']." WHERE name = $_name";
>>
>> Since the variable $_name is not embedded in quotes, the function
>> addslashes will not prevent SQL injection attacks since the attacker
>> does not need to use quotes.
>>
>> PoC:
>> survey.php?name=1 and 1=0 union select null, username, password from
>> designer
>>
>> Fix:
>> 25 $_sql = "SELECT id,title,theme FROM
>> ".$GLOBALS['ESPCONFIG']['survey_table']." WHERE name = '$_name'";
>
> _______________________________________________
> phpESP-devel mailing list
> php...@li...
> https://lists.sourceforge.net/lists/listinfo/phpesp-devel

--
Bishop Bettini
ideacode, Inc.
(main) +1 919 341 5170 / (fax) +1 919 521 4100
Visit us on the web at:
ideacode.com           Professional software research and development
reviewmysoftware.com   Improve sales! Review your software before you release
bytejar.com            Solutions to those annoying development problems
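As an added illustration (not phpESP code and not part of this thread), the script below puts the unquoted, addslashes()-escaped pattern from survey.php line 25 next to a bound-parameter version of the same lookup, and runs the report's PoC value through both. It assumes PDO with an in-memory SQLite database and PHP's plain addslashes(); phpESP itself goes through ADOdb and its _addslashes() wrapper, and the table rows are constructed sample data.

```php
<?php
// Added example: unquoted+escaped lookup vs. bound parameter (PDO/SQLite assumed).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample schema mirroring the tables named in the report.
$db->exec("CREATE TABLE survey (id INTEGER, title TEXT, theme TEXT, name TEXT)");
$db->exec("CREATE TABLE designer (username TEXT, password TEXT)");
$db->exec("INSERT INTO survey VALUES (1, 'Public survey', 'default', 'public')");
$db->exec("INSERT INTO designer VALUES ('admin', 'example-hash')");

// 1. The pattern from survey.php: the value is escaped but never quoted, so
//    the escaping has nothing to protect. Whatever the caller passes becomes
//    part of the SQL text itself.
function lookupUnquoted(PDO $db, string $name): array
{
    $_name = addslashes($name);
    $sql = "SELECT id,title,theme FROM survey WHERE name = $_name";
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// 2. Bound parameter: the SQL text is fixed at prepare time and the value is
//    handed to the driver separately, so no quoting or escaping decision is
//    left to the application code.
function lookupBound(PDO $db, string $name): array
{
    $stmt = $db->prepare("SELECT id,title,theme FROM survey WHERE name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// The PoC value from the report, exactly as it would arrive in $_GET['name'].
$poc = "1 and 1=0 union select null, username, password from designer";

// Unquoted form: the UNION is parsed as SQL and a designer row joins the result.
print_r(lookupUnquoted($db, $poc));

// Bound form: the whole string is compared as a literal survey name.
print_r(lookupBound($db, $poc));

// Ordinary use still works through the bound form.
print_r(lookupBound($db, 'public'));
```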