Posted by Erwin Moller on 06/13/90 12:00
Sebastian Lisken wrote:
> Erwin Moller <Since_humans_read_this_I_am_spammed_too_much@spamyourself.com> wrote:
 >> Your app accepts complete SQL-commands from the outside?
 >> Are you sure that is all right?
 >
 > Of course not.
 
 Hi Sebastian,
 
 Of course not?
 Well, apparently not for you, but I often see code that transmits full
 SQL around like that. Bad idea, but you know that already. ;-)
 (Please remember it is hard to tell what a poster knows based on one
 posting.)
 
 
 > When I wrote "SQL strings" I meant just that: user input
 > that becomes a string as regarded by SQL's grammar. Not a keyword or a
 > number. Something like
 >
 > "SELECT FROM tblusers WHERE name='" .  mysql_real_escape_string($_GET['username']) . "';"
 >
 
 Looks good.
 
 > Just as a different example, if the value becomes a number I'd use
 > it without single quotes or an escape function but validate it using
 > is_numeric instead.
 >
 >> No, not an XSS attack. The PHPSESSID is only used to maintain a session
 >> with some client.
 >> But in case you wrote your own session handlers, you should take precautions.
 >> If you use default sessions (file) don't worry.
 >>
 >> Of course you should always worry about session stealing.
 >
 > I have of course read up on all of this. I'm not saying I'd never need
 > to remind myself of that issue again, or that further thoughts are not
 > welcome, but I'd really prefer this thread not to become a general PHP
 > security roundup. I'm looking for answers to my specific question:
 >
 > Could SID be manipulated to contain something nasty instead of
 > "Name_of_session_id_variable=hexadecimal_session_id", so that it might
 > warrant escaping?
 
 As I said: only if you use something other than default sessions,
 especially database-handled session storage.
 
 Here is an example from my own code:
 
 // Change the save_handler to use our session handlers
 session_set_save_handler(
     'MySession_open',
     'MySession_close',
     'MySession_read',
     'MySession_write',
     'MySession_destroy',
     'MySession_gc');
 
 
 And then for example from MySession_read():
 
 function MySession_read($ses_id) {
     $SQL_session = "SELECT session_lock, session_data FROM tblsession
         WHERE (session_id='".$ses_id."');";
 
     .... etc
 
 }
 
 The above MySession_read is a bad example, since it does take $ses_id
 straight from the cookie (or URL, or post).
 
 I have seen such in production environments.
 
 The solution is simple, of course: check $ses_id before using it in SQL.
 
 Regards,
 Erwin Moller
 
 >
 > Sebastian
 >
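Added example (not code from the original post or from either poster): the "check $ses_id before use in SQL" fix from Erwin's reply, written out as a complete database save handler. The session id is validated against the character set PHP's own id generator uses and then passed to the query as a bound parameter, so a cookie or URL value that is not a real session id is treated as "no such session" and never reaches the SQL parser. The table name and columns (tblsession, session_id, session_lock, session_data) follow the post; the class name, the last_access column, and the PDO/SQLite in-memory setup are assumptions made so the example runs on its own.

```php
<?php
// Added example, not from the original post. Requires PHP 8.0+ (union return
// types, constructor promotion) and the pdo_sqlite extension for the demo.

final class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db) {}

    // PHP's default session ids contain only 0-9, a-z, A-Z, ',' and '-'
    // (the session.sid_bits_per_character alphabet) and session.sid_length
    // allows 22 to 256 characters. A value from the cookie or URL outside
    // that shape did not come from PHP, so it is rejected before any query.
    public static function isValidId(string $id): bool
    {
        return preg_match('/\A[0-9A-Za-z,-]{22,256}\z/', $id) === 1;
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        if (!self::isValidId($id)) {
            return '';   // unknown id: hand PHP an empty session
        }
        // Bound parameter: the id is data to the driver, never SQL text.
        $stmt = $this->db->prepare(
            'SELECT session_data FROM tblsession WHERE session_id = :id');
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : (string) $row['session_data'];
    }

    public function write(string $id, string $data): bool
    {
        if (!self::isValidId($id)) {
            return false;
        }
        // SQLite upsert syntax (assumed for the demo); MySQL would use
        // INSERT ... ON DUPLICATE KEY UPDATE instead.
        $stmt = $this->db->prepare(
            'INSERT OR REPLACE INTO tblsession
                 (session_id, session_lock, session_data, last_access)
             VALUES (:id, 0, :data, :now)');
        return $stmt->execute([':id' => $id, ':data' => $data, ':now' => time()]);
    }

    public function destroy(string $id): bool
    {
        if (!self::isValidId($id)) {
            return false;
        }
        $stmt = $this->db->prepare('DELETE FROM tblsession WHERE session_id = :id');
        return $stmt->execute([':id' => $id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM tblsession WHERE last_access < :cutoff');
        $stmt->execute([':cutoff' => time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

// Constructed in-memory store so the example runs without a real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tblsession (
    session_id   TEXT PRIMARY KEY,
    session_lock INTEGER NOT NULL DEFAULT 0,
    session_data TEXT NOT NULL,
    last_access  INTEGER NOT NULL)');

$handler = new DbSessionHandler($db);

// Well-formed id (constructed value): stored and read back.
$handler->write('mjl9aqa3p0jw1j5a8nu5ibp8kl', 'user|s:5:"alice";');
var_dump($handler->read('mjl9aqa3p0jw1j5a8nu5ibp8kl'));

// Malformed id (constructed, contains a quote and a space): fails the
// whitelist, so it is never concatenated into, or even bound into, a query.
var_dump($handler->read("mjl9aqa3p0jw1j5a8nu5ibp8kl' x"));

// In a real application this replaces the default file storage, the object
// form of the session_set_save_handler() call shown in the post:
// session_set_save_handler($handler, true);
// session_start();
```

The whitelist check and the bound parameter are deliberately both present: the check stops a malformed id at the door, and the parameter binding means the query stays safe even if the whitelist is later loosened. Setting session.use_strict_mode=1 in php.ini complements this by making PHP itself decline to adopt a session id it did not issue.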