[28998] in bugtraq


Re: PHPNuke SQL Injection / General SQL Injection

daemon@ATHENA.MIT.EDU (MightyE)
Sun Feb 23 13:26:21 2003

Message-ID: <3E57E99D.6000105@mightye.org>
Date: Sat, 22 Feb 2003 16:20:29 -0500
From: MightyE <mightye@mightye.org>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
In-Reply-To: <200302211521.12548@grx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Actually, user supplied input from $_COOKIES, $_POST, and $_GET comes 
slash-escaped, so if the user enters
' or 1=1
as their input, the sql statement will look like
where some_int='\' or 1=1'

This is determined by the PHP directive, magic_quotes_gpc.  During 
script execution, you can execute
if (!get_magic_quotes_gpc()){
    // Recurse through the GPC superglobals, calling addslashes() on every value
    function add_slashes_deep($v){ return is_array($v) ? array_map('add_slashes_deep', $v) : addslashes($v); }
    $_GET = add_slashes_deep($_GET); $_POST = add_slashes_deep($_POST); $_COOKIE = add_slashes_deep($_COOKIE);
}
to ensure that all user supplied input is properly escaped.

The proper escaping for ' and " in most databases (excluding Oracle and 
Sybase only, I believe), is to use \', \", and \\.

In Oracle and Sybase, ' and " are escaped as '' and "". Magic quotes 
in PHP can be configured for Sybase compatibility, see the PHP website.

What I do on my portable code, where I can't know whether or not the 
server it's running on has magic quotes enabled, is use a function like 
this:

function escape($input){
    // PHP already added the slashes; escaping again would double them
    if (get_magic_quotes_gpc()) return $input;
    // otherwise escape ', " and \ ourselves
    return addslashes($input);
}

and run all user input through that.  As far as I know, all major databases 
accept quoted integers and interpret them as standard integers, so 
*always* quote user input so that they cannot inject SQL.

David Walker wrote:

>When programming a system that creates sql strings based on passed in integers
>i.e. where some_int=$variable_from_querystring
>you must always do a check to confirm that that variable contains only numeric 
>data.   
>
>an alternate fix on sql servers that allow the format
>where some_int='1234' -- (quoted numbers)
>would be to do
>where some_int='replace($variable_from_querystring,"'","''")'
>This would cause a more than likely harmless error to occur whenever a character 
>occurs within the passed in numeric/integer variable.
>
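The escaping behaviour discussed in this thread, modelled in Python as an added example (it is not code from either poster, nor PHP's own implementation): `addslashes` follows PHP's documented rule (backslash before ', ", \ and NUL), `gpc_value` stands in for what PHP hands a script from $_GET/$_POST/$_COOKIE with magic_quotes_gpc on or off, `escape` is a port of the helper above, and `build_query`, `build_query_unguarded`, `literal_value`, `double_quotes` and `is_integer` are constructed names. It shows why the guard in escape() matters (an unconditional addslashes() on already-slashed input double-escapes the value) and what the database actually reads back from each literal.

```python
import re

# Constructed inputs, not taken from the posts: the injection-style value the
# post uses as its example and an ordinary integer.
INJECTION_INPUT = "' or 1=1"
PLAIN_INPUT = "1234"


def addslashes(s: str) -> str:
    """Model of PHP's addslashes(): prefix ', " and \\ with a backslash, NUL as \\0."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def double_quotes(s: str) -> str:
    """Quote doubling, the escaping style the post attributes to Oracle and Sybase."""
    return s.replace("'", "''")


def gpc_value(raw: str, magic_quotes_gpc: bool) -> str:
    """What a script sees in $_GET/$_POST/$_COOKIE: PHP has already applied
    addslashes() when magic_quotes_gpc is on, otherwise the raw value."""
    return addslashes(raw) if magic_quotes_gpc else raw


def escape(value: str, magic_quotes_gpc: bool) -> str:
    """Port of the post's escape(): add slashes only if PHP did not already."""
    return value if magic_quotes_gpc else addslashes(value)


def build_query(raw: str, magic_quotes_gpc: bool) -> str:
    """Quoted literal built with the guarded escape(): identical SQL either way."""
    v = escape(gpc_value(raw, magic_quotes_gpc), magic_quotes_gpc)
    return f"select * from t where some_int='{v}'"


def build_query_unguarded(raw: str, magic_quotes_gpc: bool) -> str:
    """addslashes() called unconditionally: with magic quotes on the value is
    escaped twice, so the literal reaching the database carries stray backslashes."""
    v = addslashes(gpc_value(raw, magic_quotes_gpc))
    return f"select * from t where some_int='{v}'"


def literal_value(sql: str):
    """Decode the single-quoted, backslash-escaped literal at the end of `sql`
    the way a MySQL-style parser would, to see what data reaches the comparison.
    Returns None when an unescaped quote closes the literal early, i.e. the rest
    of the input would be parsed as SQL rather than as data."""
    m = re.search(r"='(.*)'$", sql)
    if m is None:
        return None
    body = m.group(1)
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            out.append(body[i + 1])
            i += 2
        elif ch == "'":
            return None
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def is_integer(s: str) -> bool:
    """The numeric check David Walker describes for values used as integers."""
    return re.fullmatch(r"-?\d+", s) is not None


if __name__ == "__main__":
    for magic in (False, True):
        q = build_query(INJECTION_INPUT, magic)
        print(f"magic_quotes_gpc={magic}: {q} -> literal {literal_value(q)!r}")
    q2 = build_query_unguarded(INJECTION_INPUT, True)
    print(f"double-escaped: {q2} -> literal {literal_value(q2)!r}")
    print(f"is_integer({PLAIN_INPUT!r}) = {is_integer(PLAIN_INPUT)}")
```

With the guard, the literal decodes back to exactly the user's string in both configurations; without it, the magic-quotes case stores a value with an extra backslash (harmless for injection, wrong as data), which is the practical reason for testing get_magic_quotes_gpc() before calling addslashes() again.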
