|
|
Posted by arkascha on 06/14/07 09:09
Hi, :-)
Lars Eighner wrote:
>
> Is it possible, accidentally or on purpose, to pass a
> wildcard to this function that would have the effect
> of deleting many or all rows (shortname is a unique,
> non-null field)?
>
> function delete_row_by_shortname($table,$shortname){
> global $mysqlhost, $mysqlusr, $mysqlpw, $mysqldb;
> $link = mysql_connect($mysqlhost, $mysqlusr, $mysqlpw);
> if (!$link) {
> die('Not connected : ' . mysql_error());
> }
> mysql_select_db($mysqldb) or
> die ('Could not select database:' . "$mysqldb.");
> $query = "DELETE FROM $table WHERE shortname='$shortname'";
> mysql_query($query) or die ("Query Failed! mysql_error()");
> $value = mysql_affected_rows($link);
> mysql_close($link);
> return $value;
> }
I'd say yes, it certainly is possible.
First, you are safe inside the sql context if the column shortname realy is
a non null unique index, since that means you can delete only a single row
because only one single value can fulfill the condition "=".
BUT:
You do no escaping of the values in $table and $shortname. It depends on
where the values come from. It _might_ offer a vulnerability
to 'sql-injection':
Imagine the variable $shortname is filled from a form where data can be
entered and someone enters something like this:
"bla1' OR shortname='bla2' OR shortname='bla3"
What results is this sql statement which is certainly _not_ the one you
intended to fire:
"DELETE FROM $table WHERE shortname='bla1' OR shortname='bla2' OR
shortname='bla3'"
You should always escape such variable values, typically with the
function 'mysql_real_escape_string()'. Doing so the fired statement will
read:
"DELETE FROM $table WHERE shortname='bla1'' OR shortname=''bla2'' OR
shortname=''bla3'".
This will match a single entry or none (apart from the same aspect with
$table...)
Have fun,
arkascha
Navigation:
[Reply to this message]
|