Bugtraq mailing list archives

Re: TWIG SQL query bugs

From: "Ben Efros" <Ben () Efros com>
Date: Mon, 28 May 2001 12:53:58 -0700

Simply adding a quote is not the proper way to handle this in PHP.

Consider the following:
$IDNumber is user-supplied.

$query="SELECT field,otherfield from table where ID='" . $IDNumber . "'";

What if $IDNumber were to be " ' OR otherfield=325 OR ID=' " (ignore the
double quotes...)
Your new query would be:
$query="SELECT field,otherfield from table where ID=' ' OR otherfield=325 OR
ID=' '";

This could produce results that break the security of your application.

There are two workarounds:
 1) Force number fields to be numbers via type casting.  Example:
$query="SELECT field,otherfield from table where ID='" . ((int)$IDNumber) .
"'";
 2) Always use addslashes() to any form posted variable.  Example:
$query="SELECT field,otherfield from table where ID='" .
addslashes($IDNumber) . "'";

PHP used to have an option to automatically use addslashes() on any variable
passed to it via POST or GET.  Please see your PHP.INI file and set the
appropriate setting for "magic_quotes_gpc"


----- Original Message -----
From: "Luki Rustianto" <luki () karet org>
To: <bugtraq () securityfocus com>
Sent: Monday, May 28, 2001 7:00 AM
Subject: TWIG SQL query bugs

I can't find the person who really in charge on developing twig, so I
mail about this bug to the person who announce new version of twig
about two month ago.


--------------------------------------------------------------------------
Subject:              Unquoted SQL query => potential damage
Software package:     TWIG Webmail
Software Site:        HTTP://twig.screwdriver.net
Version tested:       2.6.2 and below (used with MySQL, didn't check

others)

Platform:             Platform independent with PHP
Result:               Any user with valid email account can delete or

change

                      other user's data on mysql database.
Proof Of Concept:     Attached

Problem Description:
=====================
Unquoted SQL query string is a little mistake that could lead to potential
damage.
TWIG free PHP Webmail system is affected. As we know, mysql accept

unquoted

query string if the field type is int, mediumint, tinyint or like.

Current thread:

TWIG SQL query bugs Luki Rustianto (May 28)
- Re: TWIG SQL query bugs Ben Efros (May 30)
  - Re: TWIG SQL query bugs Ryan Fox (May 31)
    - Re: TWIG SQL query bugs Ben Laurie (May 31)