[13728] in bugtraq
Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)
daemon@ATHENA.MIT.EDU (van der Meulen, Robert)
Mon Feb 7 15:59:41 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <200002051147.MAA12247@picard.cistron.nl>
Date: Sat, 5 Feb 2000 12:47:17 +0100
Reply-To: rvdm@CISTRON.NL
From: "van der Meulen, Robert" <rvdm@CISTRON.NL>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.10002031027120.15921-100000@eight.wiretrip.net>;
from rfp@WIRETRIP.NET on Thu, Feb 03, 2000 at 10:33:03AM -0600
Quoting rain forest puppy (rfp@WIRETRIP.NET):
> ----[ 3. Solution
<cut>
> In the end, *all* (let me repeat that... **ALL**) incoming user data
> should be passed through quote(), onlynumbers(), or scrubtable()...NO
> EXCEPTIONS! Passing user data straight into a SQL query is asking for
> someone to tamper with your database.
>
> New versions of wwwthreads are available from www.wwwthreads.com, which
> implement the solutions pretty much as I've described them here.
If the script accessing the database uses DBI, it's better to handle a query
the following way:
my $sth = $dbh->prepare("INSERT INTO table (foo,bar) VALUES (?,?)");
$sth->execute($evil_unquoted_string, $evil_unquoted_other_string);
Using the '?' placeholders takes care of quoting, and allows re-execute()ing
the query with different parameters.
I must admit here that not all DBI drivers support placeholders, but most do.
Of course, catch the results, and check them. Insertion of non-numerics into
your database is checked when you actually _do_ the insert.
Greets,
Robert/Emphyrio
--
| rvdm@cistron.nl - Cistron Internet Services - www.cistron.nl |
| php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security |
| My statements are mine, and not necessarily cistron's. |
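As an added illustration (not from Robert's message, wwwthreads, or DBI), here is the same concatenate-versus-placeholder contrast in Python's sqlite3 module, whose '?' parameters are the DB-API analogue of the DBI placeholders above. The table, the two rows, the HOSTILE string and the function names are all constructed for this example; the CHECK constraint stands in for a strict numeric column so that the driver really does report a non-numeric insert, which is the "catch the results, and check them" point.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema with two sample rows (not real wwwthreads data)."""
    conn = sqlite3.connect(":memory:")
    # The CHECK makes SQLite reject non-integer scores, mimicking a strict numeric column.
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT,"
        " score INTEGER CHECK(typeof(score) = 'integer'))"
    )
    conn.executemany(
        "INSERT INTO posts (author, score) VALUES (?, ?)",
        [("alice", 5), ("bob", 3)],
    )
    conn.commit()
    return conn


def count_by_author_interpolated(conn, author):
    """Vulnerable pattern the advisory warns about: user data pasted into the SQL text.

    A quote inside `author` ends the string literal, and whatever follows is
    parsed as SQL, so the query's meaning is no longer under the script's control.
    """
    sql = "SELECT COUNT(*) FROM posts WHERE author = '" + author + "'"
    return conn.execute(sql).fetchone()[0]


def count_by_author_placeholder(conn, author):
    """Safe pattern: a '?' placeholder, as with DBI's prepare() + execute().

    The driver sends the value separately from the statement, so quotes in the
    data are just characters to match, never SQL syntax.
    """
    return conn.execute(
        "SELECT COUNT(*) FROM posts WHERE author = ?", (author,)
    ).fetchone()[0]


def insert_score(conn, author, score):
    """Bound parameters plus a checked result: a constraint failure is reported, not ignored."""
    try:
        conn.execute("INSERT INTO posts (author, score) VALUES (?, ?)", (author, score))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        # The database itself rejected the non-numeric value at insert time.
        conn.rollback()
        return False


# Constructed input containing a quote character; with interpolation the part after
# the quote is interpreted as an extra SQL condition, with a placeholder it is not.
HOSTILE = "nobody' OR 'a'='a"


def demo():
    conn = make_db()
    return {
        "interpolated": count_by_author_interpolated(conn, HOSTILE),  # 2: every row matches
        "placeholder": count_by_author_placeholder(conn, HOSTILE),    # 0: literal string, no such author
        "numeric_ok": insert_score(conn, "carol", 7),                 # True
        "numeric_rejected": insert_score(conn, "carol", "seven"),     # False: CHECK failed
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the placeholder version needs no quote() call at all: the value never becomes part of the statement text, which is exactly why it survives a driver that would otherwise need per-driver escaping rules.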