WebApp Sec mailing list archives

RE: PHP Finding SQL Injection Holes


From: "Wirges, Matthew L." <wirges () purdue edu>
Date: Thu, 30 Oct 2003 10:39:30 -0500

-----Original Message-----
From: James Mitchell [mailto:reductor () askmiky com] 
Sent: Thursday, October 30, 2003 10:18 AM
To: Wirges, Matthew L.; webappsec () securityfocus com
Subject: Re: PHP Finding SQL Injection Holes

It detects both of them perhaps when you were checking it 
out you had $bar in the safe variables array; use that for 
things like mysql table names/prefixes.


Actually, I left the safe variables array empty because I don't assume
that any are safe which led to the malfunctioning of the code. 
The problem is that I left the empty literal "''" in the array()
declaration (as posted) and the safe variable replacement code removed
the $ from bar because '$'.$var was actually '$' and obviously matched.


It also will not work on things like single quote strings. 
There is no definite way to have it detect for all.

Precisely! :-)


One method would perhaps do a back trace on every SQL query, 
check where all variables used in it come from, then check 
the surrounding areas if it's possible for that to be altered.

That just makes it too complex.  You'd be better off spending the time
plowing through each line of code than to write a tool that may detect
your problems x% of the time.  I just believe time is better spent
understanding the problems with your code and fixing them through direct
line-by-line auditing.  You are much more likely to improve your code
overall by finding other errors as well.

-matt
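The empty-entry bug Matt describes above (an empty string in the safe-variables array turns the needle '$'.$var into a bare '$', which strips the dollar sign from every variable and so hides them from the scanner) is easy to reproduce in a few lines. The following is an added example written for this archive page, not the PHP tool from the thread; it is a minimal scanner in Python over a constructed set of PHP source lines, with the naive replacement beside a corrected one that skips empty entries and matches whole variable names. Function names, the sample lines and the SQL-keyword heuristic are all assumptions of this example. As James notes, it only sees variables interpolated into double-quoted strings; single-quoted strings built by concatenation are not handled.

```python
import re

# Constructed sample of PHP source lines (not taken from any real project).
SAMPLE_PHP = [
    '$sql = "SELECT * FROM $bar WHERE id = $id";',
    '$sql = "SELECT name FROM users WHERE name = \'$name\'";',
    '$count = mysql_num_rows($result);',
]

# A PHP variable: '$' followed by an identifier.
VAR_RE = re.compile(r'\$[A-Za-z_][A-Za-z0-9_]*')
# Body of a double-quoted PHP string literal (the only kind PHP interpolates).
DQ_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Crude "this string is an SQL query" heuristic.
SQL_KEYWORD_RE = re.compile(r'\b(SELECT|INSERT|UPDATE|DELETE)\b', re.IGNORECASE)


def strip_safe_naive(text, safe_vars):
    """The replacement as the thread describes it: delete '$' + name for each
    safe name.  An empty name yields the needle '$', which deletes every
    dollar sign and makes all remaining variables invisible to the scanner."""
    for var in safe_vars:
        text = text.replace('$' + var, '')
    return text


def strip_safe_fixed(text, safe_vars):
    """Corrected replacement: ignore empty entries and only remove whole
    variable names, so '$bar' is removed but '$barcode' is kept."""
    for var in safe_vars:
        if not var:
            continue
        text = re.sub(r'\$' + re.escape(var) + r'\b', '', text)
    return text


def find_query_vars(lines, safe_vars, stripper=strip_safe_fixed):
    """Return (line_number, variable) pairs for every PHP variable interpolated
    into a double-quoted string that looks like an SQL query, after the safe
    variables have been stripped with the given stripper."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for body in DQ_STRING_RE.findall(line):
            if not SQL_KEYWORD_RE.search(body):
                continue
            remaining = stripper(body, safe_vars)
            for var in VAR_RE.findall(remaining):
                findings.append((lineno, var))
    return findings


if __name__ == '__main__':
    print('no safe vars:      ', find_query_vars(SAMPLE_PHP, []))
    print("naive, array(''):  ", find_query_vars(SAMPLE_PHP, [''], strip_safe_naive))
    print("fixed, array(''):  ", find_query_vars(SAMPLE_PHP, ['']))
    print("fixed, array('bar'):", find_query_vars(SAMPLE_PHP, ['bar']))
```

With an empty safe list the scanner reports $bar, $id and $name; the naive stripper with array('') reports nothing at all, which is exactly the malfunction described in the message, while the corrected stripper treats the empty entry as a no-op and, given 'bar', suppresses only the table-name variable.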
