WebApp Sec mailing list archives
RE: SQL injection and PHP/MYSQL
From: "Keifer, Trey" <Trey.Keifer () fishnetsecurity com>
Date: Tue, 9 Sep 2003 15:04:32 -0500
Robert - If the user can pass the data URL encoded past the addslashes() function they may still be able to execute their sql injection. According to the php documentation this function specifically searches for the "single quote ('), double quote ("), backslash (\) and NUL (the NULL byte)" strings. Therefore I don't think a quote passed as %27 would be properly slashed by this function. I have not had the opportunity to test this theory... Trey Keifer Security Engineer - Level II FishNet Security Phone: 816.421.6611 Toll Free: 888.732.9406 Fax: 816.421.6677 http://www.fishnetsecurity.com -----Original Message----- From: Robert Buljevic [mailto:skeptic () s1c org] Sent: Tuesday, September 09, 2003 2:04 PM To: webappsec () securityfocus com Subject: SQL injection and PHP/MYSQL I'm well aware of the sql injection problem when accepting non-trusted data. However, I'm interested in a more concrete example, precisely the PHP/MySQL combination. Suppose I have some input text that's passed to mysql for searching via http get request. What characters should I allow/disallow? And is it enough to use PHP's addslashes function? If not, why? Could you provide any example of input that could cause injection even if it's slashed - always referring to the particular case of PHP/MYSQL? Any info would be appreciated... Thanks! Robert Buljevic The information transmitted in this e-mail is intended only for the addressee and may contain confidential and/or privileged material. Any interception, review, retransmission, dissemination, or other use of, or taking of any action upon this information by persons or entities other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you received this communication in error, please contact us immediately at 816.421.6611, and delete the communication from any computer or network system.
Current thread:
- SQL injection and PHP/MYSQL Robert Buljevic (Sep 09)
- Re: SQL injection and PHP/MYSQL Sverre H. Huseby (Sep 09)
- Re: SQL injection and PHP/MYSQL Bill Pennington (Sep 09)
- Re: SQL injection and PHP/MYSQL Denis Arh (Sep 09)
- Re: SQL injection and PHP/MYSQL shimi (Sep 09)
- Re: SQL injection and PHP/MYSQL Brad Fults (Sep 10)
- Re: SQL injection and PHP/MYSQL Jan Pieter Kunst (Sep 10)
- Re: SQL injection and PHP/MYSQL Sverre H. Huseby (Sep 10)
- Re: SQL injection and PHP/MYSQL Brad Fults (Sep 10)
- <Possible follow-ups>
- RE: SQL injection and PHP/MYSQL Keifer, Trey (Sep 09)