Bugtraq mailing list archives
Re: TWIG SQL query bugs
From: Steve Stavropoulos <steve () math upatras gr>
Date: Fri, 1 Jun 2001 02:03:12 +0300 (EEST)
On Wed, 30 May 2001, Ryan Fox wrote:
> One more point here. Simply adding a quote is not the proper way to handle this in PHP. Not really. There are other malicious characters that can be used in SQL statements. The one in the front of my mind is ";", used to terminate a query and begin a new one. Think of $IDNumber=";drop database foo". (This can be helped by using a database with proper access controls set up, so the user the web process normally connects as does not have permission to drop a database. I don't know if this product sets itself up like that by default.)
>
> Good programming practice is to code a function specifically to strip any possible malicious characters out of strings, and wrap it around every variable put into a query, whether it should be user-supplied or not. Addslashes is a good function to call from your stripping function, but it should not be your only line of defense.
>
> Ryan Fox
The only malicious character in an SQL query executed from PHP is '. If you have for example:

select * from kokos where user='$user'

and $user=';drop database totos;' then the SQL query will be:

select * from kokos where user=';drop database totos;'

and that's ONE SQL statement. The ; inside the quotes is simply part of a STRING. The only way to get out of a string is with a ' and the ' gets stripped out with addslashes. If the user supplied variable isn't treated as a string but as part of the SQL statement then you have to escape ; as well.

Steve Stavropoulos
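As an added illustration of the point both posts make (example code, not from either poster or from TWIG), here is a Python/sqlite3 version of the two cases: a value spliced inside quotes, where escaping ' is enough and a ; is inert, and a value spliced in unquoted (like $IDNumber), where escaping quotes changes nothing. It assumes a constructed table named kokos after Steve's example; the escaping doubles the quote, which is SQLite's form of what addslashes does with a backslash for MySQL, and because sqlite3 runs one statement per call the unquoted case uses OR 1=1 rather than ;drop to show the breakout.

```python
import sqlite3


def make_db():
    # Constructed sample table; the names follow Steve's example query.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE kokos (id INTEGER, user TEXT);
        INSERT INTO kokos VALUES (1, 'alice'), (2, 'bob'), (3, 'carol');
    """)
    return conn


def escape_quotes(value):
    # SQLite's equivalent of the addslashes() idea for the quote: double it
    # (MySQL uses a backslash). Only ' is touched; ; is deliberately left alone.
    return value.replace("'", "''")


def by_user_escaped(conn, user):
    # String context: the value sits between quotes, so ' is the only way out
    # of the literal, and a ; inside the literal is just part of the string.
    sql = "SELECT id FROM kokos WHERE user='%s'" % escape_quotes(user)
    return [row[0] for row in conn.execute(sql)]


def by_id_escaped(conn, id_number):
    # Numeric context: no quotes around the value, so the input is already
    # part of the SQL statement and quote-escaping cannot contain it.
    sql = "SELECT id FROM kokos WHERE id=%s" % escape_quotes(id_number)
    return [row[0] for row in conn.execute(sql)]


def by_id_param(conn, id_number):
    # The fix for both contexts: bind the value, never splice it into SQL text.
    sql = "SELECT id FROM kokos WHERE id=?"
    return [row[0] for row in conn.execute(sql, (id_number,))]
```

Run with a ';drop table kokos;' username and the quoted query matches no rows and drops nothing, while '2 OR 1=1' as the unquoted id returns every row; the bound version returns nothing for that same input.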
Current thread:
- RE: TWIG SQL query bugs Jeff Dafoe (May 31)
- <Possible follow-ups>
- Re: TWIG SQL query bugs Steve Stavropoulos (Jun 01)
- Re: TWIG SQL query bugs kj (Jun 01)
- Re: TWIG SQL query bugs Gunther Birznieks (Jun 05)
- Re: TWIG SQL query bugs kj (Jun 05)
- Re: TWIG SQL query bugs Ben Gollmer (Jun 05)
- Re: TWIG SQL query bugs Gunther Birznieks (Jun 05)