Re: Can I pass a wildcard to this function? — PHP Programming Language

You are here: Re: Can I pass a wildcard to this function? « PHP Programming Language « IT news, forums, messages

Posted by Jerry Stuckle on 06/14/07 12:33

arkascha wrote:
> Hi, :-)
>
> Lars Eighner wrote:
>> Is it possible, accidentally or on purpose, to pass a
>> wildcard to this function that would have the effect
>> of deleting many or all rows (shortname is a unique,
>> non-null field)?
>>
>> function delete_row_by_shortname($table,$shortname){
>> global $mysqlhost, $mysqlusr, $mysqlpw, $mysqldb;
>> $link = mysql_connect($mysqlhost, $mysqlusr, $mysqlpw);
>> if (!$link) {
>> die('Not connected : ' . mysql_error());
>> }
>> mysql_select_db($mysqldb) or
>> die ('Could not select database:' . "$mysqldb.");
>> $query = "DELETE FROM $table WHERE shortname='$shortname'";
>> mysql_query($query) or die ("Query Failed! mysql_error()");
>> $value = mysql_affected_rows($link);
>> mysql_close($link);
>> return $value;
>> }
>
> I'd say yes, it certainly is possible.
> First, you are safe inside the sql context if the column shortname realy is
> a non null unique index, since that means you can delete only a single row
> because only one single value can fulfill the condition "=".
> BUT:
> You do no escaping of the values in $table and $shortname. It depends on
> where the values come from. It _might_ offer a vulnerability
> to 'sql-injection':
> Imagine the variable $shortname is filled from a form where data can be
> entered and someone enters something like this:
> "bla1' OR shortname='bla2' OR shortname='bla3"
> What results is this sql statement which is certainly _not_ the one you
> intended to fire:
> "DELETE FROM $table WHERE shortname='bla1' OR shortname='bla2' OR
> shortname='bla3'"
> You should always escape such variable values, typically with the
> function 'mysql_real_escape_string()'. Doing so the fired statement will
> read:
> "DELETE FROM $table WHERE shortname='bla1'' OR shortname=''bla2'' OR
> shortname=''bla3'".
> This will match a single entry or none (apart from the same aspect with
> $table...)
>
> Have fun,
> arkascha

Even worse:

'bla1' OR 1=1

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Navigation:

Next in forum: Re: <font size="-1">
Prev in forum: Re: drop down not displaying all rows
Thread view: Re: Can I pass a wildcard to this function?

[Reply to this message]

Удаленная работа для программистов • Как заработать на Google AdSense • England, UK • статьи на английском • PHP MySQL CMS Apache Oscommerce • Online Business Knowledge Base • DVD MP3 AVI MP4 players codecs conversion help

Home • Search • Site Map • Set as Homepage • Add to Favourites

Сайт изготовлен в Студии Валентина Петручека —
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация