[22660] in bugtraq
MySQL (was Re: Notice about seconds overroll - S7K bug)
daemon@ATHENA.MIT.EDU (Dennis Murphy)
Sun Sep 16 22:20:42 2001
Date: Sun, 16 Sep 2001 16:24:30 -0400 (EDT)
From: Dennis Murphy <dmurphy@nbvb.com>
To: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.20.0109161615420.410-100000@gozer.nbvb.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
> 2. ' or " can protect integers well when used properly. Assume that
> there is a URL like http://something/show.php?id=10 and in the PHP page it
> is called like:
>
> mysql_query("select * from table where id=".addslashes($id));
>
> Intruder changes the URL to http://something/show.php?id=10%20or%201=1%34
> which changes the command to: select * from table where id=10 or 1=1
>
> I do not want to go into more details as script kiddies also read this list,
> but there are many ways to use it. There is not much in MySQL we can do to
> change this behaviour. The way we seem to suggest to avoid attacks, and
> which you are ironic about, is making it:
>
> mysql_query("select * from table where id='".addslashes($id)."'");
> which comes to:
> select * from table where id='10 or 1=1'
> or
> select * from table where id='10\' or 1=1'
This is slightly off-topic, but I thought I'd offer a possible solution to this
problem.
The way I dealt with this in PHP is by writing a function to validate input
(i.e., make sure there's nothing but an integer coming in as a parameter).
There's probably a half-dozen ways to rewrite this function more efficiently,
but at least it works...
function req_int($num)
{
    // Take the input, convert it to an int, and then back to a string. If the
    // result of this mess is exactly equal to the original input, then it's
    // clean. Otherwise, someone's messing with us.
    // Compare with === rather than ==: PHP's loose comparison treats numeric
    // strings numerically, so "10.0" or "1e1" would otherwise compare equal
    // to "10" and slip through (and intval("1e1") is 1, not 10).
    $stripped_var = strval(intval($num));
    if ($num === $stripped_var) {
        return intval($num);
    } else {
        // The message promises logging, so actually record the rejected value.
        error_log("req_int: rejected input " . var_export($num, true));
        die("Error. This invalid access attempt has been logged.");
    }
}

// ... Buried somewhere in the main code ...
// Run this through our checker, and make sure it's a valid digit.
$num = req_int($id);
$query = "select * from web_fac where id LIKE \"$num\"";
--dmurphy AT nbvb DOT com
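The same round-trip check in Python, as an added example that is not part of the original post, run against the thread's own inputs (the decoded `id=10%20or%201=1%34` URL parameter and the `'`-escaped variant). `leading_int` is a stand-in for PHP's intval() on a string; the constructed inputs and query string are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Mimics PHP intval() on a string (assumption for this example): optional sign,
# then digits, stopping at the first other character; 0 when no digits lead.
_LEADING_INT = re.compile(r"^[+-]?\d+")


def leading_int(s: str) -> int:
    m = _LEADING_INT.match(s)
    return int(m.group(0)) if m else 0


def req_int(raw: str):
    """Round-trip check from the post: parse the integer, render it back to a
    string, and accept the input only if that is exactly the original text.
    Returns the int on success and None on rejection (the post calls die())."""
    value = leading_int(raw)
    if str(value) == raw:
        return value
    return None


def build_query(param: str):
    """Decode a raw query-string value as the web server would, validate it,
    then build the unquoted integer comparison the thread discusses."""
    value = req_int(unquote(param))
    if value is None:
        return None
    return f"select * from table where id={value}"


if __name__ == "__main__":
    # Constructed sample inputs: the thread's attack strings plus edge cases
    # that strict round-tripping rejects even though intval() would accept them.
    for sample in ["10", "10 or 1=1", "10\\' or 1=1", "-5", "010", "10.0", "+10", ""]:
        print(repr(sample), "->", req_int(sample))
    print(build_query("10%20or%201=1%34"))  # decoded "10 or 1=14" is rejected
    print(build_query("10"))
```

Only strings that are exactly the canonical decimal form of an integer pass, so leading zeros, a plus sign, decimals and trailing SQL are all rejected before any query is built.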