Bugtraq mailing list archives
Re: [KAPDA::#16] - SMF SQL Injection
From: ascii <ascii () katamail com>
Date: Sun, 11 Dec 2005 17:42:22 +0100
grudge () securityfocus com wrote:
> I'm a developer from over at simplemachines and
> I do not see how this can pose an exploit?
>
> /* tabs are evil */
> if (!is_numeric($_REQUEST['start']))
> {
>     $request = db_query("
>         SELECT COUNT(ID_MEMBER)
>         FROM {$db_prefix}members
>         WHERE LOWER(SUBSTRING(realName, 1, 1)) < '" . substr(strtolower($_REQUEST['start']), 0, 1) . "'
>             AND is_activated = 1", __FILE__, __LINE__);
>     list ($_REQUEST['start']) = mysql_fetch_row($request);
>     mysql_free_result($request);
> }

me too, this piece of code isn't exploitable. At last you can inject a ' that will issue a php error (path disclosure, error log filling, but not a usable sql injection).

> The code is entered at this point:
> if (!is_numeric($_REQUEST['start']))

i would prefer ctype_digit or preg_match [0-9] cause is_numeric accepts also hex, signed and floats

> substr(strtolower($_REQUEST['start']), 0, 1)
> I simply cannot see how you could possibly
> exploit SQL from this?

it's impossible imho, but don't rely on magic quotes or this type of stuff, put a beautiful mysql_real_escape_string on each string passed to the db and cast integers (int)intval($_GET['id'])

seems KAPDA Researchers researched this 'vuln' too fast : )

ascii - http://www.ush.it
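Added example in PHP (not code from the thread or from SMF): it contrasts is_numeric with ctype_digit and preg_match on constructed inputs, and builds the quoted clause with the first character escaped rather than interpolated raw. The $escape callable and addslashes are stand-ins for mysql_real_escape_string, which needs a live database connection.

```php
<?php
// Added example, not SMF's code: contrasts the input checks discussed in
// the thread and shows the escaped form of the quoted WHERE clause.
// is_numeric() also accepts signed, float and exponent notation (and hex
// strings before PHP 7); ctype_digit() accepts only a non-empty run of 0-9.

function classify_start(string $start): array
{
    return [
        'is_numeric'  => is_numeric($start),
        'ctype_digit' => ctype_digit($start),
        'preg_match'  => preg_match('/^[0-9]+$/', $start) === 1,
    ];
}

// Hardened version of the quoted branch. Numeric offsets are cast to int;
// anything else is reduced to its first character (as the quoted code does)
// and passed through $escape before interpolation, so a lone quote cannot
// close the string literal. $escape stands in for mysql_real_escape_string(),
// which needs a live connection; addslashes() is used below only so that
// this runs offline.
function start_clause(string $start, callable $escape)
{
    if (ctype_digit($start)) {
        return (int) $start;
    }
    $first = substr(strtolower($start), 0, 1);
    return "LOWER(SUBSTRING(realName, 1, 1)) < '" . $escape($first) . "' AND is_activated = 1";
}

// Constructed sample inputs: plain digits, signed, float, exponent, hex,
// leading whitespace, a letter and a lone quote.
$samples = ['42', '-1', '1.5', '1e3', '0x1A', ' 7', 'abc', "'"];
foreach ($samples as $s) {
    $c = classify_start($s);
    printf("%-7s is_numeric=%-5s ctype_digit=%-5s preg_match=%s\n",
        var_export($s, true), var_export($c['is_numeric'], true),
        var_export($c['ctype_digit'], true), var_export($c['preg_match'], true));
}

$escape = function (string $v): string { return addslashes($v); };
echo start_clause('42', $escape), "\n";
echo start_clause("'", $escape), "\n";
```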
Current thread:
- [KAPDA::#16] - SMF SQL Injection alireza hassani (Dec 09)
- <Possible follow-ups>
- Re: [KAPDA::#16] - SMF SQL Injection grudge (Dec 10)
- Re: [KAPDA::#16] - SMF SQL Injection ascii (Dec 12)
- Re: Re: [KAPDA::#16] - SMF SQL Injection retrogod (Dec 12)
- Re: Re: [KAPDA::#16] - SMF SQL Injection polnby (Dec 12)
- Re: Re: [KAPDA::#16] - SMF SQL Injection Steven M. Christey (Dec 12)
- Re: Re: Re: [KAPDA::#16] - SMF SQL Injection grudge (Dec 14)