|
|
Posted by Erwin Moller on 10/11/90 12:00
Sebastian Lisken wrote:
> Erwin Moller <Since_humans_read_this_I_am_spammed_too_much@spamyourself.com> wrote:
>> Your app accepts complete SQL-commands from the outside?
>> Are you sure that is allright?
>
> Of course not.
Hi Sebastian,
Of course not?
Well, appearently not for you, but I see often code that transmits full
SQL around like that. Bad idea, but you know that allready. ;-)
(Please remember it is hard to tell what a poster knows based on one
posting.)
When I wrote "SQL strings" I meant just that: user input
> that becomes a string as regarded by SQL's grammar. Not a keyword or a
> number. Something like
>
> "SELECT FROM tblusers WHERE name='" . mysql_real_escape_string($_GET['username']) . "';"
>
Looks good.
> Just as a different example, if the value becomes a number I'd use
> it without single quotes or an escape function but validate it using
> is_numeric instead.
>
>> No, not an XSS attack. The PHPSESSID is only used to maintain a session
>> with some client.
>> But in case you wrote your own sessionhandlers, you should take precautions.
>> If you use default sessions (file) don't worry.
>>
>> Of course you should always worry about sessionstealing.
>
> I have of course read up on all of this. I'm not saying I'd never need
> to remind myself of that issue again, or that further thoughts are not
> welcome, but I'd really prefer this thread not to become a general PHP
> security roundup. I'm looking for answers to my specific question:
>
> Could SID be manipulated to contain something nasty instead of
> "Name_of_session_id_variable=hexadecimal_session_id", so that it might
> warrant escaping?
As I said: Only if you use something else than default sessions,
especially databased handled session storage.
Here is an example from my own code:
// Change the save_handler to use our sessionhandlers
session_set_save_handler (
'MySession_open',
'MySession_close',
'MySession_read',
'MySession_write',
'MySession_destroy',
'MySession_gc');
And then for example from MySession_read():
function MySession_read($ses_id) {
$SQL_session = "SELECT session_lock, session_data FROM tblsession
WHERE (session_id='".$ses_id."');";
.... etc
}
The above MySession_read is a bad example, since it does take $ses_id
straight from the cookie (or URL, or post).
I have seen such in productionenvironments.
Solution is simple of course: check the $ses_id before use in SQL.
Rrgards,
Erwin Moller
>
> Sebastian
>
Navigation:
[Reply to this message]
|