Posted by Karl A. Krueger on 08/22/05 06:22
In comp.databases emily_g107@hotmail.com wrote:
> I need to limit results in the following query type:
>
> http://www.somewhere.com/php/sql-a.php3?server=1&db=mydatabase&table=mytable&sql_query=SELECT+Field_1%2CField_2%2CField_3%2Cidno+from+mytable+where+1+and+field_1+like+%22string%22+&sql_order=&pos=1
What you seem to be doing here is very dangerous. Suppose someone saw
that URL and rewrote it as follows:
http://www.somewhere.com/php/sql-a.php3?server=1&db=mydatabase&table=mytable&sql_query=DELETE+FROM+mytable
Or even:
http://www.somewhere.com/php/sql-a.php3?server=1&db=mydatabase&table=mytable&sql_query=DROP+mytable
This is called an "SQL injection" vulnerability -- where your
application allows the user to enter arbitrary SQL statements. These
can yield all sorts of undesired results:
* public accessibility of private information
* destruction of information (as above)
* crashing of your database server (by writing a query that
takes massive computational resources to compute)
* corruption of information, possibly with substantial financial
consequences
As an example of the last, imagine that your database is serving an
online store application, and includes the price list. If the user can
enter an arbitrary query (and the store application has the access
privileges to do so -- another error, perhaps) then the user could alter
prices and then place orders for really cheap goods. :)
--
Karl A. Krueger <kkrueger@example.edu> { s/example/whoi/ }
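The point of the reply above, as an added worked example that is not part of the original thread: a handler that executes whatever arrives in `sql_query` (what `sql-a.php3` appears to do), next to a fixed version that takes only a search term and binds it as a parameter, plus the least-privilege layer the reply hints at (a database account that cannot write). Everything here is constructed for illustration: it uses Python's built-in sqlite3 in memory rather than the poster's real server, the rows in `mytable` are made up, the `?q=` parameter of the hardened endpoint is a hypothetical replacement for `sql_query`, and the URLs are modelled on the ones quoted in the thread.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Same endpoint and parameters as the URL quoted in the thread; the SQL lives in sql_query.
BASE = "http://www.somewhere.com/php/sql-a.php3?server=1&db=mydatabase&table=mytable"

# Constructed rows standing in for the poster's table.
ROWS = [(1, "alpha", "a", "x"), (2, "beta", "b", "y"), (3, "alphabet", "c", "z")]


def make_db():
    """Fresh in-memory database with the column names mentioned in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (idno INTEGER PRIMARY KEY, "
                 "field_1 TEXT, field_2 TEXT, field_3 TEXT)")
    conn.executemany("INSERT INTO mytable VALUES (?, ?, ?, ?)", ROWS)
    conn.commit()
    return conn


def param(url, name):
    """First value of a query-string parameter, percent-decoded ('+' becomes a space)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]


def vulnerable_handler(conn, url):
    """sql-a.php3 as the thread describes it: the client's sql_query is executed verbatim.
    Whoever can edit the URL chooses the statement, so DELETE/DROP work just as well as SELECT."""
    cur = conn.execute(param(url, "sql_query"))
    conn.commit()
    return cur.fetchall()


def hardened_handler(conn, url):
    """Hypothetical fixed endpoint: the client supplies only a search term (?q=...).
    The statement is fixed in code and the term is passed as a bound parameter, so it is
    always data and never SQL. LIKE wildcards in the term are escaped as well, so the
    client cannot widen the search with '%' or '_'."""
    term = param(url, "q")
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    cur = conn.execute(
        "SELECT field_1, field_2, field_3, idno FROM mytable "
        "WHERE field_1 LIKE ? ESCAPE '\\' ORDER BY idno",
        ("%" + escaped + "%",))
    return cur.fetchall()


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM mytable").fetchone()[0]


def demo():
    """Run the three scenarios and return what each one observed."""
    results = {}

    # 1. The original query works as intended...
    db = make_db()
    results["legit_select"] = vulnerable_handler(
        db, BASE + "&sql_query=SELECT+field_1%2Cfield_2%2Cfield_3%2Cidno+FROM+mytable"
                   "+WHERE+field_1+LIKE+%27alpha%27+ORDER+BY+idno")
    # ...and the rewritten URL from the reply empties the table through the same handler.
    vulnerable_handler(db, BASE + "&sql_query=DELETE+FROM+mytable")
    results["rows_after_delete"] = row_count(db)

    # 2. The hardened endpoint: a search term is just a search term.
    db = make_db()
    results["hardened_search"] = hardened_handler(db, BASE + "&q=alpha")
    results["hardened_payload"] = hardened_handler(db, BASE + "&q=DELETE+FROM+mytable")
    results["rows_after_payload"] = row_count(db)

    # 3. Least privilege (the "access privileges" remark in the reply): the web app's
    #    connection is read-only, so even the vulnerable handler cannot destroy data.
    #    SQLite's query_only pragma stands in for a read-only database account.
    db = make_db()
    db.execute("PRAGMA query_only = 1")
    try:
        vulnerable_handler(db, BASE + "&sql_query=DELETE+FROM+mytable")
        results["write_blocked"] = False
    except sqlite3.DatabaseError:
        results["write_blocked"] = True
    results["rows_after_blocked"] = row_count(db)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two fixes are independent and both are needed: parameter binding removes the injection, and a read-only (or otherwise minimally privileged) database account limits the damage if some other injection point is found later. Neither is a substitute for dropping the "SQL statement in the URL" design altogether.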