Bugtraq mailing list archives
Re: TWIG SQL query bugs
From: "Ben Efros" <Ben () Efros com>
Date: Mon, 28 May 2001 12:53:58 -0700
Simply adding a quote is not the proper way to handle this in PHP.

Consider the following: $IDNumber is user-supplied.

$query="SELECT field,otherfield from table where ID='" . $IDNumber . "'";

What if $IDNumber were to be " ' OR otherfield=325 OR ID=' " (ignore the double quotes...)

Your new query would be:

$query="SELECT field,otherfield from table where ID=' ' OR otherfield=325 OR ID=' '";

This could produce results that break the security of your application.

There are two workarounds:

1) Force number fields to be numbers via type casting.
Example:
$query="SELECT field,otherfield from table where ID='" . ((int)$IDNumber) . "'";

2) Always use addslashes() on any form-posted variable.
Example:
$query="SELECT field,otherfield from table where ID='" . addslashes($IDNumber) . "'";

PHP used to have an option to automatically use addslashes() on any variable passed to it via POST or GET. Please see your PHP.INI file and set the appropriate setting for "magic_quotes_gpc".

----- Original Message -----
From: "Luki Rustianto" <luki () karet org>
To: <bugtraq () securityfocus com>
Sent: Monday, May 28, 2001 7:00 AM
Subject: TWIG SQL query bugs
I can't find the person who is really in charge of developing twig, so I am mailing about this bug to the person who announced the new version of twig about two months ago.

--------------------------------------------------------------------------
Subject: Unquoted SQL query => potential damage
Software package: TWIG Webmail Software
Site: HTTP://twig.screwdriver.net
Version tested: 2.6.2 and below (used with MySQL, didn't check others)
Platform: Platform independent with PHP
Result: Any user with a valid email account can delete or change other users' data in the mysql database.
Proof Of Concept: Attached
Problem Description:
=====================
An unquoted SQL query string is a little mistake that could lead to potential damage. The TWIG free PHP Webmail system is affected. As we know, MySQL accepts unquoted query strings if the field type is int, mediumint, tinyint or the like.
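The following script is an added example, not code from either message in the thread. It builds the naive, type-cast and addslashes() variants of the query from the message above out of one attacker-controlled value so the three can be compared side by side, and adds a fourth form the thread does not discuss: a prepared statement, which keeps the value out of the SQL text altogether. The table and column names (`table`, `field`, `otherfield`, `ID`) are the placeholders used in the post, and the `$pdo` connection in `fetchById()` is assumed to exist.

```php
<?php
// Added example (not from the Bugtraq post). Run with: php example.php

// Constructed sample input: the same shape as the value in the post.
$IDNumber = "' OR otherfield=325 OR ID='";

// 1. Naive concatenation: the quote inside $IDNumber closes the string
//    literal, so the rest of the value becomes part of the WHERE clause.
$naive = "SELECT field,otherfield from table where ID='" . $IDNumber . "'";

// 2. Workaround 1 from the post: force numeric fields to integers.
//    (int) on a non-numeric string yields 0, so the injected text is dropped.
$casted = "SELECT field,otherfield from table where ID='" . ((int)$IDNumber) . "'";

// 3. Workaround 2 from the post: backslash-escape quotes before interpolating.
//    The value now stays inside the literal instead of terminating it.
$escaped = "SELECT field,otherfield from table where ID='" . addslashes($IDNumber) . "'";

// 4. Not in the post: a prepared statement. The SQL text is fixed and the
//    value travels separately as a parameter, so no escaping is needed.
//    Assumes $pdo is an open PDO connection to a database that has the
//    post's placeholder table (hypothetical).
function fetchById(PDO $pdo, $id)
{
    $stmt = $pdo->prepare("SELECT field, otherfield FROM `table` WHERE ID = ?");
    $stmt->execute([(int)$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

echo $naive, "\n";
// SELECT field,otherfield from table where ID='' OR otherfield=325 OR ID=''
echo $casted, "\n";
// SELECT field,otherfield from table where ID='0'
echo $escaped, "\n";
// SELECT field,otherfield from table where ID='\' OR otherfield=325 OR ID=\''
```

Two caveats a reader applying the post's advice today should know. addslashes() is not aware of the connection character set, so with some multi-byte encodings an escaped quote can still be reassembled by the server; the escaping routine of the database driver, or better a prepared statement as in `fetchById()`, avoids that. And the magic_quotes_gpc setting the post points to was removed from PHP in version 5.4, so code cannot rely on it having been applied.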