NYCPHP Meetup

NYPHP.org

[nycphp-talk] php in securityfocus 218

Hans Zaunere hans at nyphp.org
Tue Oct 14 10:18:03 EDT 2003



Chris Snyder wrote:

> Analysis & Solutions wrote:
> 
>> PHP Prayer Board SQL Injection Vulnerability
>> http://www.securityfocus.com/bid/8774
>>
> I put SQL into my prayers all the time, is this a bad thing? :-)

Thou shalt not *not* use mysql_real_escape_string()  :)

> In an attempt, um, to redeem this message, what *is* an SQL Injection 
> Vulnerability? Is the religious use of addslashes() on any request 
> variables used in a database query enough to prevent it?

Basically, yes.  There are a few flavors of SQL injection that I'm aware of, one more of a problem with MySQL than the other.

1)  The most common and problematic isn't that common in PHP land, as far as I've seen.  It involves generating SQL *on the client* either via JavaScript or passing SQL directly through a GET/POST request.  We all know this is crazy, but apparently others do not:  http://www.nextgenss.com/papers/advanced_sql_injection.pdf

2)  Another type is poisoning variables with complete SQL statements.  The current MySQL API will only run one SQL statement at a time, or throw a parse error otherwise, and although I don't agree with this behavior, it does prevent a lot of abuses of this type of thing.

3)  Lastly there is simply passing in chars that aren't supposed to be interpreted literally.  A common example is someone submitting a form, whereby the backend code doesn't escape anything, and so using a '%' in any of the fields will dump the whole database.  Or, even worse, is if this happens in a DELETE FROM statement.  This is bad :)

> For example:
> 
> $email = $_GET['email'];
> $safeemail = addslashes($email);
> $query = "SELECT * FROM supplicants WHERE email='$safeemail' ";
> 
> Is this safe, or is my site at the mercy of a clever SQL injector?

This is essentially correct, although I'd recommend using mysql_escape_string(); and actually, mysql_real_escape_string() is even better.  These are direct from the MySQL API and will always correctly escape strings The Right Way (i.e., depending on locale, if MySQL's syntax/special chars change, etc.).

Honor thy PHP and MySQL.

H
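As an added example (not code from the thread), here is the same lookup written with parameter binding, which is what replaced the mysql_* escaping functions after they were removed in PHP 7.0, plus the extra escaping a LIKE search needs for the '%' case from item 3 above. It assumes PHP 7 or later with PDO and the SQLite driver; the table, rows and function names are constructed for the demo.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7 with PDO and the SQLite driver.
// Item 3 above: escaping quotes is not the same as escaping LIKE wildcards.

// Make a user-supplied '%' or '_' match literally by prefixing it with '!',
// which the query declares as the escape character (portable across MySQL and SQLite).
function escapeLikePattern(string $value): string {
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $value);
}

function findByEmail(PDO $db, string $email): array {
    // Bound parameter: the value is sent separately from the SQL text, so a quote
    // in it is data, not syntax (this replaces addslashes/mysql_real_escape_string).
    $stmt = $db->prepare('SELECT email FROM supplicants WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function searchByEmail(PDO $db, string $fragment): array {
    // Binding alone does not neutralize % or _; a fragment of '%' would still match
    // every row. Escape the wildcards and tell the database which escape char we used.
    $pattern = '%' . escapeLikePattern($fragment) . '%';
    $stmt = $db->prepare("SELECT email FROM supplicants WHERE email LIKE :p ESCAPE '!'");
    $stmt->execute([':p' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data in an in-memory SQLite database (the thread is about MySQL;
// binding and LIKE escaping behave the same way there).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE supplicants (email TEXT)');
foreach (["alice@example.org", "bob@example.org", "o'brien@example.org"] as $e) {
    $db->prepare('INSERT INTO supplicants VALUES (?)')->execute([$e]);
}

// A quote in the input is harmless: exactly one row comes back.
var_dump(findByEmail($db, "o'brien@example.org"));
// A bare '%' no longer dumps the table: the escaped pattern matches no row.
var_dump(searchByEmail($db, '%'));
// An ordinary fragment still searches as expected (all three rows).
var_dump(searchByEmail($db, 'example.org'));
```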
