Bugtraq mailing list archives

MySQL (was Re: Notice about seconds overroll - S7K bug)


From: Dennis Murphy <dmurphy () nbvb com>
Date: Sun, 16 Sep 2001 16:24:30 -0400 (EDT)


2. ' or " can protect integers well when used properly. Assume that
there is a URL like http://something/show.php?id=10 and in the PHP page it
is called like:

mysql_query("select * from table where id=".addslashes($id)); 

The intruder changes the URL to http://something/show.php?id=10%20or%201=1%34
which changes the command to: select * from table where id=10 or 1=1

I do not want to go into more details, as script kiddies also read this list,
but there are many ways to use it. There is not much in MySQL we can do to
change this behaviour. The way you seem to think we suggest to avoid attacks,
and which you are ironic about, is making it:

mysql_query("select * from table where id='".addslashes($id)."'"); 
which comes to:
select * from table where id='10 or 1=1'
or 
select * from table where id='10\' or 1=1'

This is slightly off-topic, but I thought I'd offer a possible solution to this
problem.

The way I dealt with this in PHP is by writing a function to validate input
(i.e., make sure there's nothing but an integer coming in as a parameter).
There's probably a half-dozen ways to rewrite this function more efficiently,
but at least it works...

function req_int($num)
{
    // Take the input, convert it to an int, and then back to a string.  If the
    // result of this mess is exactly equal to the original input, then it's
    // clean.  Otherwise, someone's messing with us.
    $stripped_var = strval(intval($num));
    if ($num == $stripped_var) {
        return intval($num);
    } else {
        // Record the rejected value so the message below is actually true.
        error_log("req_int: rejected parameter value: " . $num);
        die("Error.  This invalid access attempt has been logged.");
    }
}

// ... Buried somewhere in the main code ...
// Run this through our checker, and make sure it's a valid digit.

$num = req_int($id);
$query = "select * from web_fac where id LIKE \"$num\"";
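As an added illustration (not code from the original message or its quoted reply), the three ways of handling the id parameter that this thread discusses, run over constructed inputs: addslashes() without quotes, addslashes() inside quotes, and strict integer validation. The only assumption is that filter_var() with FILTER_VALIDATE_INT stands in for req_int()'s intval() round trip; the queries are only built as strings, never sent to a database.

```php
<?php
// Constructed example; uses PHP built-ins only and never calls mysql_query().

// Form 1 from the quoted message: escaping without quoting. addslashes()
// only touches quotes and backslashes, so "10 or 1=1" passes through intact.
function unquoted_query(string $id): string {
    return "select * from table where id=" . addslashes($id);
}

// Form 2 from the quoted message: the value is quoted, so MySQL compares the
// whole string and an embedded quote is escaped instead of ending the literal.
function quoted_query(string $id): string {
    return "select * from table where id='" . addslashes($id) . "'";
}

// Form 3, in the spirit of req_int(): only a plain decimal integer is
// accepted, anything else is rejected before a query is even built.
// Returns null on rejection so several inputs can be shown in one run.
function validate_int(string $raw): ?int {
    $v = filter_var($raw, FILTER_VALIDATE_INT);
    return $v === false ? null : $v;
}

// Constructed inputs: a legitimate id, the tampered value from the thread,
// the same with an embedded quote, and a float-looking string.
$inputs = ['10', '10 or 1=1', "10' or 1=1", '1e1'];

foreach ($inputs as $raw) {
    echo "input: " . var_export($raw, true) . "\n";
    echo "  addslashes, unquoted : " . unquoted_query($raw) . "\n";
    echo "  addslashes, quoted   : " . quoted_query($raw) . "\n";
    $n = validate_int($raw);
    echo "  validated integer    : "
        . ($n === null ? "rejected" : "select * from table where id=" . $n)
        . "\n";
}
```

Running it shows the first form carrying the injected condition into the query unchanged, the second form turning it into a harmless string literal, and the third rejecting every input except '10'.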


--dmurphy AT nbvb DOT com

