WebApp Sec mailing list archives

RE: SQL injection and PHP/MYSQL

From: "Keifer, Trey" <Trey.Keifer () fishnetsecurity com>
Date: Tue, 9 Sep 2003 15:04:32 -0500

Robert - If the user can pass the data URL-encoded past the addslashes()
function, they may still be able to execute their SQL injection.
According to the PHP documentation, this function specifically searches
for the "single quote ('), double quote ("), backslash (\) and NUL (the
NULL byte)" strings. Therefore I don't think a quote passed as %27 would
be properly slashed by this function.

I have not had the opportunity to test this theory...

Trey Keifer
Security Engineer - Level II
FishNet Security

Phone:  816.421.6611
Toll Free:  888.732.9406
Fax:  816.421.6677

http://www.fishnetsecurity.com
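As an added illustration (not part of the thread), the script below tests the %27 question with PHP's own decoding behaviour and then shows the mitigation that does not rely on escaping at all: a PDO prepared statement with a bound parameter. It assumes an in-memory SQLite database as a stand-in for MySQL so it runs offline; the PDO calls are the same ones used with a MySQL DSN.

```php
<?php
// Added example, not code from the thread. Two points:
// (1) what addslashes() actually sees when a URL-encoded quote arrives;
// (2) a prepared statement, which keeps user input out of the SQL text.

// Constructed sample: the query string a browser sends for ?q=O%27Brien.
// PHP URL-decodes the query string before it populates $_GET, so by the
// time application code runs, %27 is already a literal single quote.
parse_str('q=O%27Brien', $get);        // same decoding $_GET receives
$raw = $get['q'];                      // O'Brien

function slashed(string $s): string {
    return addslashes($s);             // escapes only ' " \ and NUL
}
echo "decoded input : $raw\n";                 // O'Brien
echo "addslashes()  : " . slashed($raw) . "\n"; // O\'Brien

// Mitigation: bind the term as a parameter. Assumption: SQLite in-memory
// stands in for MySQL here so the example runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE people (name TEXT)");
$db->exec("INSERT INTO people VALUES ('O''Brien'), ('Smith')");

function search(PDO $db, string $term): array {
    // The placeholder is filled by the driver; $term is data, never SQL.
    $stmt = $db->prepare("SELECT name FROM people WHERE name = :name");
    $stmt->execute([':name' => $term]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

print_r(search($db, $raw));              // matches the one row: O'Brien
print_r(search($db, "Smith' OR 'a'='a")); // no rows: the quote is just text
```

Escaping functions such as addslashes() only defend string literals and are easy to misapply; binding parameters removes the question of which characters to allow or disallow.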

-----Original Message-----
From: Robert Buljevic [mailto:skeptic () s1c org] 
Sent: Tuesday, September 09, 2003 2:04 PM
To: webappsec () securityfocus com
Subject: SQL injection and PHP/MYSQL

I'm well aware of the SQL injection problem when accepting non-trusted
data. However, I'm interested in a more concrete example, precisely the
PHP/MySQL combination.

Suppose I have some input text that's passed to MySQL for searching via
HTTP GET request. What characters should I allow/disallow?
And is it enough to use PHP's addslashes function? If not, why? Could you
provide any example of input that could cause injection even if it's
slashed - always referring to the particular case of PHP/MySQL?

Any info would be appreciated... Thanks!

Robert Buljevic
