[nycphp-talk] Is there something wrong with this SQL query in PHP?
Ben Sgro (ProjectSkyLine)
ben at projectskyline.com
Tue Aug 14 17:14:37 EDT 2007
Hello,
I just did a security audit for a site. This was a huge problem they had:
doing, "...where id = $_POST['id']"
Not only can you run sql commands you could update all the records where
id=1 or id > 1
via SQL injection.
The larger problem they had was that all the sql was being hardcoded, no use
of a function
anywhere. We had to go back and remove all the SQL to be called from a
function,
then have that function do the proper validation.
They had the exact same problems w/XSS, no input validation.
Chris, nice book btw, my #1 reference for PHP Security.
- Ben
Ben Sgro, Chief Engineer
ProjectSkyLine - Defining New Horizons
This e-mail is confidential information intended only for the use of the
individual to whom it is addressed.
----- Original Message -----
From: "csnyder" <chsnyder at gmail.com>
To: "NYPHP Talk" <talk at lists.nyphp.org>
Sent: Tuesday, August 14, 2007 5:00 PM
Subject: Re: [nycphp-talk] Is there something wrong with this SQL query in
PHP?
> On 8/14/07, Anthony Wlodarski <aw at sap8.com> wrote:
>>
>> So I will definitely in the future keep an out for direct $_POST
>> variables
>> directly in a SQL query (I will just save a local copy from now on and
>> use
>> that.).
>
> No, you're missing the point. It isn't direct use of the variable from
> $_POST, it's that the value might contain quotes or other characters
> that can cause the database to execute SQL that you don't expect.
>
> Use the mysql_real_escape_string() function on all values before
> including them in a query:
>
> $query = "SELECT * FROM `jobsdb` WHERE `id`
> =".mysql_real_escape_string($_POST['id'])."";
>
>
> --
> Chris Snyder
> http://chxo.com/
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
More information about the talk
mailing list