[nycphp-talk] Not-so-subtle attack on PHP

bz-gmort at beezifies.com
Fri Sep 28 08:58:07 EDT 2007


Kenneth Downs wrote:

> The focus is on "...does not let them do anything they can't do anyway...."
>
> If the hacker wants to test the SQL injection abilities, let them.
> Let them have fun.  Let them learn.  The real question is, can they
> do harm?  And the answer is NO, not if they are connected to the
> database with an account that has limited security abilities.

Hmm, I would say tricking someone into wiping out all patient records by 
having them click a custom-crafted link which uses their authority to 
wipe every record in the database (since they have delete authority) 
would be harm.


>> Hmm, I think in terms of online stores and credits.  Sure, the person 
>> can purchase a credit and have the data in their user record updated, 
>> but it is so much cheaper to do an "update usertable set credits=10000 
>> where uid = 'me'")
> 
> See Rusty's comment and my reply on row-level and column-level security.

Looking over your project website, it seems you're doing this with views, 
correct?

I also note you're using Postgres as your DB engine.  Is it possible to 
provide the same type of security through views in MySQL? (To be honest, 
due to the large number of v4 servers out there, I haven't kept up with 
v5 in regards to views.)

Row- and column-level security wouldn't help from an online store 
perspective.  You could establish a level of this security through 
triggers; for example, in a credit-based system, instead of updating 
credits directly, you could do inserts into a purchase table, and that 
table has a trigger to update the credits based on the package purchased.

I'm not disputing that your model is a good model to follow where 
feasible (a database server where you can create user accounts for every 
user), and given unlimited funds of course it should always be 
implemented.  But even this method doesn't eliminate problems with SQL 
injection; it minimizes them (depending on the application design, this 
may or may not result in fairly comprehensive protection).

I wonder how difficult it would be to design a functional application 
that would work both in the shared hosting/single DB user model AND a 
dedicated server/multi-user model, and would there even be a market for 
such an app (market defined as people who would use it in both modes).
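The purchase-table-plus-trigger design and the "limited account" argument from the quoted reply, worked through as an added example that is not part of this thread. It uses Python's sqlite3 module; since SQLite has no user accounts, a connection authorizer stands in for a database role that lacks UPDATE rights on the credits column, and the table and column names (users, packages, purchases, apply_purchase) are assumptions for the demo. The sample rows are constructed.

```python
import sqlite3

# Constructed schema: balances are only ever changed by the trigger, and the
# credit amount comes from the packages table rather than from the caller.
SCHEMA = """
CREATE TABLE users (
    id      INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    credits INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE packages (
    id      INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    credits INTEGER NOT NULL
);
CREATE TABLE purchases (
    id         INTEGER PRIMARY KEY,
    user_id    INTEGER NOT NULL REFERENCES users(id),
    package_id INTEGER NOT NULL REFERENCES packages(id)
);
CREATE TRIGGER apply_purchase AFTER INSERT ON purchases
BEGIN
    UPDATE users
       SET credits = credits + (SELECT credits FROM packages WHERE id = NEW.package_id)
     WHERE id = NEW.user_id;
END;
"""

# Constructed sample data.
SAMPLE_USERS = [(1, "alice", 0), (2, "bob", 0)]
SAMPLE_PACKAGES = [(1, "starter", 10), (2, "pro", 100)]


def limited_authorizer(action, arg1, arg2, dbname, source):
    """Emulates a DB account with no UPDATE right on users.credits.
    sqlite consults this at statement-compile time; `source` is the trigger
    name when the access comes from inside a trigger, None for top-level SQL."""
    if action == sqlite3.SQLITE_UPDATE and arg1 == "users" and arg2 == "credits":
        return sqlite3.SQLITE_OK if source == "apply_purchase" else sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def open_store(restrict=True):
    """In-memory store; restrict=False models the single, fully privileged
    shared-hosting DB user the message contrasts with."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO packages VALUES (?, ?, ?)", SAMPLE_PACKAGES)
    conn.commit()
    if restrict:
        conn.set_authorizer(limited_authorizer)
    return conn


def record_purchase(conn, user_id, package_id):
    """The only write path the application needs: parameterised insert, and
    the trigger decides how many credits the package is worth."""
    conn.execute("INSERT INTO purchases (user_id, package_id) VALUES (?, ?)",
                 (user_id, package_id))
    conn.commit()


def credits_of(conn, user_id):
    row = conn.execute("SELECT credits FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


def direct_credit_update_blocked(conn, user_id, amount):
    """Attempts the 'update usertable set credits=...' the message describes on
    this connection. Returns True if the DB refused it, False if it went through."""
    try:
        conn.execute("UPDATE users SET credits = ? WHERE id = ?", (amount, user_id))
        conn.commit()
        return False
    except sqlite3.DatabaseError:  # 'not authorized' from the authorizer
        conn.rollback()
        return True


def ledger_matches(conn, user_id):
    """Reconciliation check: a balance must equal the sum of purchased packages.
    Catches a tampered balance even on an unrestricted connection."""
    expected = conn.execute(
        "SELECT COALESCE(SUM(p.credits), 0) FROM purchases pu "
        "JOIN packages p ON p.id = pu.package_id WHERE pu.user_id = ?",
        (user_id,),
    ).fetchone()[0]
    return credits_of(conn, user_id) == expected


if __name__ == "__main__":
    store = open_store()
    record_purchase(store, 1, 1)
    record_purchase(store, 1, 2)
    print("alice credits:", credits_of(store, 1))
    print("direct update blocked:", direct_credit_update_blocked(store, 1, 10000))
    print("ledger consistent:", ledger_matches(store, 1))
```

With the authorizer in place the trigger is still allowed to adjust the balance, because sqlite reports the trigger name as the source of the UPDATE, while the same UPDATE issued as top-level SQL is refused before it executes. On the unrestricted connection the direct update succeeds, which is exactly the case the reconciliation query is there to catch.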