Security Basics mailing list archives
Re: Overwriting an uninitialized local variable in PHP
From: "Tyler Krpata" <krpatasec () gmail com>
Date: Thu, 22 Feb 2007 09:19:14 -0500
Technically it's not "uninitialized" as you would think of in some other languages. Variables in PHP that are not explicitly set have default values. Of course, and as usual, all bets are off if register_globals is enabled.

On 2/21/07, Kellox <kellox () my-mail ch> wrote:
I'm addressing a PHP with a MySQL DB system. A PHP script looks like this:

    $sort_mode = $_GET['sort'];
    if ($sort_mode == 'ascendend')
        $query = "....";
    else if ($sort_mode == 'descendend')
        $query = "....";
    ...
    mysql_query($query) or die();

This script does actually contain some serious problem because $sort_mode is not sanitized. But this variable is never used in a SQL query, so even if you modify the GET Parameter to become a SQL injection it won't be executed by the DB because this variable is not passed to the engine. The actual variable containing the query is $query. But since there's no else clause, $query is uninitialized, when you pass a string to the variable $sort_mode that is not contained in the if-then-else statement (e.g. $sort_mode = 'does_not_exist').

My question is if there is a way to "initialize" the variable $query myself as an attacker from the outside, so that I can write my own SQL query. This question is related to a webapp review I'm doing at the moment.

Thx in advance!
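Added example, not part of the thread: the branch pattern from the quoted script next to a hardened form, for a reviewer who wants to see why the missing else matters only when request parameters can become variables, and how to close it either way. The table and column names (items, id, name) are assumptions, and extract() is used as a constructed stand-in for register_globals, which was removed in PHP 5.4.

```php
<?php
// Pattern from the thread. extract() emulates register_globals (assumption):
// request parameters become local variables before the branch runs.
function legacy_build_query(array $request): ?string
{
    extract($request, EXTR_SKIP);
    $sort_mode = $request['sort'] ?? '';
    if ($sort_mode == 'ascendend') {
        $query = "SELECT id, name FROM items ORDER BY name ASC";
    } elseif ($sort_mode == 'descendend') {
        $query = "SELECT id, name FROM items ORDER BY name DESC";
    }
    // No else branch: $query keeps whatever value it had before the if.
    // Without the extract() call it is simply unset here (null).
    return $query ?? null;
}

// Hardened form: the request value only selects a key from an allow-list,
// and the query is always built from constants with an explicit default.
function hardened_build_query(array $request): string
{
    $orders = ['ascendend' => 'ASC', 'descendend' => 'DESC'];
    // sort[]=x arrives as an array; treat anything that is not a string as absent.
    $sort_mode = is_string($request['sort'] ?? null) ? $request['sort'] : '';
    $direction = $orders[$sort_mode] ?? 'ASC';
    return "SELECT id, name FROM items ORDER BY name " . $direction;
}

// Constructed sample requests (not taken from the thread).
$samples = [
    ['sort' => 'ascendend'],
    ['sort' => 'does_not_exist'],
    ['sort' => 'does_not_exist', 'query' => 'SELECT 1 /* came from the request */'],
    ['sort' => ['x']],
];

foreach ($samples as $request) {
    printf(
        "%s\n  legacy:   %s\n  hardened: %s\n",
        json_encode($request),
        var_export(legacy_build_query($request), true),
        hardened_build_query($request)
    );
}
```

In the third sample the legacy function returns the string supplied in the request, while the hardened function returns the default ordering for every unmatched input.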