Simply adding a quote is not the proper way to handle this in PHP. Consider the following: $IDNumber is user-supplied.

$query="SELECT field,otherfield from table where ID='" . $IDNumber . "'";

What if $IDNumber were to be " ' OR otherfield=325 OR ID=' " (ignore the double quotes...)

Your new query would be:

$query="SELECT field,otherfield from table where ID=' ' OR otherfield=325 OR ID=' '";

This could produce results that break the security of your application. There are two workarounds:

1) Force number fields to be numbers via type casting. Example:

$query="SELECT field,otherfield from table where ID='" . ((int)$IDNumber) . "'";

2) Always use addslashes() on any form-posted variable. Example:

$query="SELECT field,otherfield from table where ID='" . addslashes($IDNumber) . "'";

PHP used to have an option to automatically use addslashes() on any variable passed to it via POST or GET. Please see your PHP.INI file and set the appropriate setting for "magic_quotes_gpc".

----- Original Message -----
From: "Luki Rustianto" <lukiat_private>
To: <bugtraqat_private>
Sent: Monday, May 28, 2001 7:00 AM
Subject: TWIG SQL query bugs

> I can't find the person who is really in charge of developing twig, so I
> am mailing about this bug to the person who announced the new version of twig
> about two months ago.
>
> --------------------------------------------------------------------------
> Subject: Unquoted SQL query => potential damage
> Software package: TWIG Webmail
> Software Site: http://twig.screwdriver.net
> Version tested: 2.6.2 and below (used with MySQL, didn't check others)
> Platform: Platform independent with PHP
> Result: Any user with a valid email account can delete or change
> other users' data in the mysql database.
> Proof Of Concept: Attached
>
> Problem Description:
> =====================
> An unquoted SQL query string is a little mistake that could lead to potential
> damage.
> The TWIG free PHP Webmail system is affected. As we know, mysql accepts an unquoted
> query string if the field type is int, mediumint, tinyint or the like.
>
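The two query-building mistakes discussed in this thread (the advisory's unquoted integer comparison and the reply's quoted-but-unescaped string), run side by side with the reply's two workarounds. This is an added example, not code from either message or from TWIG: it translates the PHP into Python against a constructed in-memory SQLite table (assumed stand-in for MySQL), approximates PHP's (int) cast with a leading-digits parse, uses SQLite's doubled-quote escaping in place of addslashes() (a labelled substitution), and adds a parameterized query that neither message mentions.

```python
import re
import sqlite3

# Constructed sample rows (not TWIG data): ID, field, otherfield.
ROWS = [
    (1, "alice", 100),
    (2, "bob", 325),
    (3, "carol", 325),
    (4, "dave", 200),
]

# Same shape as the reply's query; only the right-hand side of ID= varies below.
SELECT = "SELECT field, otherfield FROM tbl WHERE ID="


def make_db():
    """In-memory table shaped like the reply's example; ID is an integer column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl (ID INTEGER, field TEXT, otherfield INTEGER)")
    conn.executemany("INSERT INTO tbl VALUES (?, ?, ?)", ROWS)
    conn.commit()
    return conn


def names(conn, query, params=()):
    """Run a query and return the matched 'field' values, sorted for stable comparison."""
    return sorted(row[0] for row in conn.execute(query, params))


def quoted_concat(conn, id_number):
    """The reply's first query: value is quoted but not escaped."""
    query = SELECT + "'" + id_number + "'"
    return names(conn, query)


def unquoted_concat(conn, id_number):
    """The advisory's pattern: integer field compared to an unquoted, unescaped value."""
    query = SELECT + id_number
    return names(conn, query)


def php_int_cast(value):
    """Approximation (assumption) of PHP's (int) cast on a string: leading integer, else 0."""
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def int_cast(conn, id_number):
    """Workaround 1 from the reply: cast to int before concatenating."""
    query = SELECT + "'" + str(php_int_cast(id_number)) + "'"
    return names(conn, query)


def escape_quotes(conn, id_number):
    """Workaround 2 in SQLite's dialect: a quote inside a literal is doubled.
    MySQL also accepts the backslash escaping addslashes() produces; SQLite does not,
    which is why this stand-in doubles quotes instead of calling addslashes()."""
    query = SELECT + "'" + id_number.replace("'", "''") + "'"
    return names(conn, query)


def parameterized(conn, id_number):
    """Not in either message: bind the value as a parameter, no string building at all."""
    return names(conn, SELECT + "?", (id_number,))


if __name__ == "__main__":
    db = make_db()
    payload = "' OR otherfield=325 OR ID='"   # the reply's example input
    print("quoted, unescaped:", quoted_concat(db, payload))      # every row with otherfield=325
    print("unquoted:         ", unquoted_concat(db, "2 OR 1=1"))  # every row in the table
    print("int cast:         ", int_cast(db, "2 OR 1=1"))         # only ID 2
    print("escaped:          ", escape_quotes(db, payload))       # nothing matches
    print("bound parameter:  ", parameterized(db, payload))       # nothing matches
```

Two caveats a practitioner should keep in mind: the escaping function has to match the database's quoting rules (the reply's addslashes() advice is MySQL-specific), and magic_quotes_gpc, which the reply points to, was removed from PHP in 5.4, so on any current PHP the cast or, better, a bound parameter is what actually protects the query.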
This archive was generated by hypermail 2b30 : Wed May 30 2001 - 11:45:26 PDT