From: SourceForge.net <no...@so...> - 2008-09-25 13:54:43
Bugs item #2128464, was opened at 2008-09-25 09:54
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=108956&aid=2128464&group_id=8956

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: SQL
Group: None
Status: Open
Resolution: None
Priority: 1
Private: No
Submitted By: bishop (bishopb)
Assigned to: Nobody/Anonymous (nobody)
Summary: Unquoted variable ($_name) allows SQL injection attack

Initial Comment:
Reported via email to Matthew Gregg:

File: phpESP/public/survey.php
Lines:
15 $_name = _addslashes($_GET['name']);
25 $_sql = "SELECT id,title,theme FROM ".$GLOBALS['ESPCONFIG']['survey_table']." WHERE name = $_name";

Since the variable $_name is not embedded in quotes, the function addslashes will not prevent SQL injection attacks, since the attacker does not need to use quotes.

PoC:
survey.php?name=1 and 1=0 union select null,username, password from designer

Fix:
25 $_sql = "SELECT id,title,theme FROM ".$GLOBALS['ESPCONFIG']['survey_table']." WHERE name = '$_name'";

----------------------------------------------------------------------
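The following PHP is an added example, not phpESP's own code: it places the query construction quoted in the report beside the reporter's quoted fix and a parameterised version, and adds a small check that shows why escaping an unquoted value achieves nothing. `$table` and the value `'surveys'` are constructed stand-ins for `$GLOBALS['ESPCONFIG']['survey_table']`; the PDO connection is a placeholder.

```php
<?php
// Added example, not phpESP code. $table stands in for
// $GLOBALS['ESPCONFIG']['survey_table']; 'surveys' is a constructed value.

// 1. As reported: addslashes() only escapes ' " \ and NUL. A value that
//    contains none of them is interpolated unchanged, so everything after
//    the number is parsed by the database as SQL syntax.
function buildVulnerable(string $table, string $name): string {
    $_name = addslashes($name);
    return "SELECT id,title,theme FROM $table WHERE name = $_name";
}

// 2. The reporter's fix: inside quotes the value is a string literal and can
//    only escape it by closing the quote, which addslashes() now neutralises.
//    addslashes() is not charset-aware, so this is weaker than option 3.
function buildQuoted(string $table, string $name): string {
    $_name = addslashes($name);
    return "SELECT id,title,theme FROM $table WHERE name = '$_name'";
}

// 3. Robust fix: never interpolate user input. The value is bound as a
//    parameter and is never parsed as part of the SQL text. The table name
//    comes from configuration, not from the request, so it may be interpolated.
function fetchSurveyPrepared(PDO $db, string $table, string $name): array {
    $stmt = $db->prepare("SELECT id,title,theme FROM $table WHERE name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Review aid: if a request value survives addslashes() unchanged, the call
// provided no protection for an unquoted context, which is the report's case.
function addslashesIsNoOp(string $value): bool {
    return addslashes($value) === $value;
}

// Constructed sample: a value with a SQL keyword but no quote, backslash or NUL.
$probe = '1 and 1=0';
var_dump(addslashesIsNoOp($probe));
echo buildVulnerable('surveys', $probe), "\n";  // tail is live SQL after the number
echo buildQuoted('surveys', $probe), "\n";      // tail stays inside '...'

// Placeholder DSN; replace with the real connection when running against a DB.
// $db = new PDO('mysql:host=DB_HOST;dbname=DB_NAME', 'DB_USER', 'DB_PASS');
// print_r(fetchSurveyPrepared($db, 'surveys', $probe));
```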