[21304] in bugtraq
Re: phpMyAdmin 2.1.0 + world readable (apache) log files enable
daemon@ATHENA.MIT.EDU (Wolfgang Heinemann)
Mon Jul 2 15:43:01 2001
Date: Mon, 2 Jul 2001 12:08:13 +0200 (MET DST)
From: Wolfgang Heinemann <wolfgang@siwan1.siwan.de>
Reply-To: bugtrader@siWan.de
To: bugtraq@securityfocus.com
In-Reply-To: <20010701234245.6093.qmail@securityfocus.com>
Message-ID: <Pine.LNX.4.10.10107021200300.12080-100000@siwan1.siwan.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On 1 Jul 2001 alias@securityfocus.com wrote:
> arbitrary PHP Codes as apache user.
> From: <sl4sh@ifrance.com>
> MIME-Version: 1.0
> Content-Type: text/plain; charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
> Date: Sun, 1 Jul 2001 23:43:17 GMT
> Message-id: <200107012343.115e@lh00.opsion.fr>
>
> Note : sorry for my pity english.
>
> ************************************************************************
>
> First of all, I want to ask a question: is it normal
> that if, in a MySQL query -via PHP-, I put "select * from $table" . "_files where
> ID=1" and I post table="atable #",
> MySQL considers the new query as a valid one (so the
> final query will be "select * from atable")? It's, in my opinion, a
> serious hole in MySQL query...
> (I use mysql_query() to do this)
It's not a MySQL problem, but a problem of writing good code ...
You get the same problems when doing those things with e.g. Oracle.
You NEVER should concatenate SQL queries. You'll have the same problems
when concatenating requests that will be executed on system level. For
example doing the lousy sendmail call from a CGI program without checking
the parameters. One solution is to check the parameters for escape
characters as it's been done in Unix system calls normally ...
The better way is to bind all variables to a database call. This way the
SQL query itself is a constant string. The bound parameters can't be
manipulated (if the database engine does not contain any bugs ;-)
I think it's a common mistake of many (so called) programmers to
concatenate the requests ... it's less typing ...
So it's not a problem of MySQL and it's not a problem of PHP either. You
can do the same things using Perl for example ...
> ************************************************************************
...
tschau
Wolfgang
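As an added example (not code from either poster), the concatenated "$table" . "_files" pattern from the question next to a version that follows the reply's advice. It uses Python with an in-memory sqlite3 database standing in for PHP and MySQL; the table name "atable_files", its columns and the ALLOWED_TABLES list are constructed for the demo. Since a table name cannot be bound as a parameter, the safe version allowlists the identifier and binds only the value.

```python
import sqlite3


def make_db():
    """Constructed schema standing in for the poster's '<table>_files' tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE atable_files (ID INTEGER, name TEXT)")
    conn.execute("INSERT INTO atable_files VALUES (1, 'report.txt'), (2, 'notes.txt')")
    return conn


def build_concatenated(table, row_id):
    """The pattern the question describes: query text assembled from user input.

    With table='atable #' the text after '#' is a MySQL comment, so the server
    sees only 'select * from atable'; the filter on ID and the '_files' suffix
    are silently dropped.
    """
    return "select * from " + table + "_files where ID=" + str(row_id)


# Identifiers the application actually knows about. Bound parameters cover
# values, not table or column names, so the identifier is checked here instead.
ALLOWED_TABLES = {"atable", "btable"}


def fetch_files(conn, table, row_id):
    """Constant SQL text: identifier allowlisted, value bound by the driver."""
    if table not in ALLOWED_TABLES:
        raise ValueError("unknown table: %r" % (table,))
    sql = "select * from %s_files where ID = ?" % table
    # int() rejects anything that is not a plain number before it reaches SQL.
    return conn.execute(sql, (int(row_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(build_concatenated("atable #", 1))
    print(fetch_files(db, "atable", 1))
```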