Re: PHP Finding SQL Injection Holes

["James Mitchell" <reductor () askmiky com>]

It detects both of them perhaps when you where checking it out you had $bar
in the safe variables, array, use that for things like mysql table
names/prefixes.

It also will not work on things like single quote strings, There is no
definate way to have it detect for all.

One method would perhaps do a back trace on every SQL query, check where all
variables used in it come from, then check the surrounding areas if its
possible for that to be altered.

----- Original Message -----
From: "Wirges, Matthew L." <wirges () purdue edu>
To: <webappsec () securityfocus com>
Sent: Friday, October 31, 2003 12:01 AM
Subject: RE: PHP Finding SQL Injection Holes


> I'm not sure that I get the point of this script.  I tested a couple of
> simple cases such as:
>
> mysql_query("SELECT * FROM foo where blee=$bar");
> mysql_query("SELECT * FROM foo where blee=".$bar);
>
> which could be vulnerable but where not found.
>
> Also it makes several assumptions:
>
> 1) SQL queries are performed with the mysql_query function and not some
> sort of database wrapper or other database interface.
> 2) additionally, it assumes that the SQL queries are passed as a string
> in the calling [mysql_query] function
> 3) finally, it assumes that the query only occupies a single line of
> code.  Most complicated scripts have SQL queries which span several
> lines
>
> Personally, I rely on code audits and input filtering to eliminate SQL
> injection threats.
>
> -matt
>
> > -----Original Message-----
> > From: James Mitchell [mailto:reductor () askmiky com]
> > Sent: Wednesday, October 29, 2003 6:16 AM
> > To: webappsec () securityfocus com
> > Subject: PHP Finding SQL Injection Holes
> >
> > I got bored, and made a thing to find Places which might
> > allow for SQL Injection in PHP, Anyone got any feed back, on
> > my 2 minute script?
> >
> > http://www.php-webmaster.com/sqlinjects.phps
> >
> > Thanks,
> > James Mitchell