|
|
Posted by ZeldorBlat on 06/28/07 22:00
On Jun 28, 5:28 pm, jb <jbri...@gmail.com> wrote:
> Hi all, ive been tasked with reviewing a php app for sql injection
> vulnerabilities left behind by another developer. I'm not a php
> developer by trade, but ive tinkered with php, and I have a firm
> handle on what sql injection is in the context of other platforms.
> Ive seen various methods of prevention recommended, and unfortunately
> for me, our former developer appears to have used all of them in
> various parts of the app. Some use mysql_escape_string, some use
> myql_real_escape_string , some use a quote_smart function which checks
> the magic quotes setting and uses addslashes appropriately.
>
> But one has me a little confused, and i'm not sure if it is a valid
> method for blocking sql injection.
>
> where username = \"" . $_COOKIE["user"] . "\"";
>
> does wrapping the string in double quotes somehow tell mysql to treat
> the contents within as literal?
It does.
>Thus making it sql injection safe?
Not really. Suppose this is a query that checks if a username is
valid (or, worse yet, deletes as user). What if $_COOKIE["user"]
contained the following string:
myusername" or "x" = "x
Now, when you put that into the SQL you get a string that looks like
this:
where username = "myusername" or "x" = "x"
So every row comes back in the result.
You need to use mysql_escape_string or one of it's variants on /all/
untrusted input before using it in a SQL query. I usually use a
function like this to make things easy:
function prepText($someText) {
return '"' . mysql_escape_string($someText) . '"';
}
So then you can just say:
where username = " . prepText($_COOKIE["user"]);
Navigation:
[Reply to this message]
|