[20835] in bugtraq
Re: TWIG SQL query bugs
daemon@ATHENA.MIT.EDU (Steve Stavropoulos)
Fri Jun 1 17:48:51 2001
Date: Fri, 1 Jun 2001 02:03:12 +0300 (EEST)
From: Steve Stavropoulos <steve@math.upatras.gr>
To: Ryan Fox <rfox@noguska.com>
Cc: Ben Efros <Ben@Efros.com>, Luki Rustianto <luki@karet.org>,
<bugtraq@securityfocus.com>
In-Reply-To: <00b201c0e941$fd6562c0$5d601cd8@noguska.com>
Message-ID: <Pine.LNX.4.33.0106010157080.16651-100000@Paradise.NotHere>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Wed, 30 May 2001, Ryan Fox wrote:
> One more point here.
>
> > Simply adding a quote is not the proper way to handle this in PHP.
>
> Not really. There are other malicious characters that can be used in sql
> statements. The one in the front of my mind is ";", used to terminate a
> query and begin a new one. Think of $IDNumber=";drop database foo". (This
> can be helped by using a database with proper access controls set up, so the
> user the web process normally connects as does not have permission to drop a
> database. I don't know if this product sets itself up like that by
> default).
>
> Good programming practice is to code a function specifically to strip any
> possible malicious characters out of strings, and wrap it around every
> variable put into a query, whether it should be user-supplied or not.
> Addslashes is a good function to call from your stripping function, but it
> should not be your only line of defense.
>
> Ryan Fox
>
The only malicious character in an SQL query executed from PHP is '.
If you have for example:
select * from kokos where user='$user'
and $user=';drop database totos;'
then the SQL query will be:
select * from kokos where user=';drop database totos;'
and that's ONE SQL statement.
The ; inside the quotes is simply part of a STRING. The only way to get
out of a string is with a ' and the ' gets stripped out with addslashes.
If the user supplied variable isn't treated as a string but as part of
the SQL statement then you have to escape ; as well.
Steve Stavropoulos
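The argument above can be checked mechanically. The following is an added example (not code from either poster or from TWIG): a PHP-style addslashes() imitation and a small statement splitter that, like a MySQL parser, treats ';' inside a single-quoted literal as string content and honours backslash escapes and '' doubling. It counts the statements in the quoted case from the reply and in the unquoted numeric case Ryan Fox raised; the queries and the kokos/totos names are taken from the thread.

```python
# Constructed example: does ';' in user input end a statement or not?
# Assumes MySQL-style literals (backslash escapes, as PHP's addslashes produces).

def addslashes(s: str) -> str:
    """Imitate PHP addslashes(): backslash-escape ' " \\ and NUL."""
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)

def split_statements(sql: str) -> list[str]:
    """Split on ';' only when outside a single-quoted string literal."""
    stmts, cur, in_str, i = [], [], False, 0
    while i < len(sql):
        ch = sql[i]
        if in_str:
            if ch == "\\" and i + 1 < len(sql):      # backslash escape stays inside the string
                cur.append(sql[i:i + 2]); i += 2; continue
            if ch == "'" and sql[i + 1:i + 2] == "'":  # doubled quote is a literal '
                cur.append("''"); i += 2; continue
            if ch == "'":                            # unescaped quote closes the literal
                in_str = False
        elif ch == "'":
            in_str = True
        elif ch == ";":                              # statement terminator outside a literal
            stmt = "".join(cur).strip()
            if stmt:
                stmts.append(stmt)
            cur = []; i += 1; continue
        cur.append(ch); i += 1
    tail = "".join(cur).strip()
    if tail:
        stmts.append(tail)
    return stmts

def build_quoted(user: str) -> str:
    """The query from the reply: value placed inside quotes, after addslashes()."""
    return f"select * from kokos where user='{addslashes(user)}'"

def build_unquoted(idnum: str) -> str:
    """Ryan Fox's $IDNumber case: value placed unquoted, so escaping ' does not help."""
    return f"select * from kokos where id={addslashes(idnum)}"
```

Only single-quoted literals are modelled; double-quoted strings, comments and dialects without backslash escapes (standard SQL, SQLite) would need a different lexer.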