Re: TWIG SQL query bugs

From: Ryan Fox (rfoxat_private)
Date: Wed May 30 2001 - 12:51:59 PDT

    One more point here.
    
    > Simply adding a quote is not the proper way to handle this in PHP.
    
    Not really.  There are other malicious characters that can be used in SQL
    statements.  The one in the front of my mind is ";", used to terminate a
    query and begin a new one.  Think of $IDNumber=";drop database foo".  (This
    can be helped by using a database with proper access controls set up, so the
    user the web process normally connects as does not have permission to drop a
    database.  I don't know if this product sets itself up like that by
    default).
    
    Good programming practice is to code a function specifically to strip any
    possible malicious characters out of strings, and wrap it around every
    variable put into a query, whether it should be user-supplied or not.
    Addslashes is a good function to call from your stripping function, but it
    should not be your only line of defense.
    
    Ryan Fox
    
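An added example (not from the post or from TWIG), in Python with SQLite rather than PHP, of the point above: an addslashes-style escape leaves ";" untouched when the value lands in an unquoted numeric slot, while type validation or a bound parameter closes the hole. The payload is a constructed variant of the post's, since SQLite has no DROP DATABASE and the first statement needs a leading value to parse.

```python
import re
import sqlite3

# Constructed sample, adapted from the post's ';drop database foo'.
MALICIOUS_ID = "1;drop table foo"


def addslashes(s: str) -> str:
    """Mimic PHP addslashes(): backslash-escape quotes and backslashes only (NUL omitted)."""
    return re.sub(r"(['\"\\])", r"\\\1", s)


def naive_query(id_number: str) -> str:
    """Vulnerable pattern: escaping alone, value spliced into an unquoted numeric slot."""
    return "SELECT name FROM foo WHERE id = " + addslashes(id_number)


def fresh_db() -> sqlite3.Connection:
    """Scratch in-memory database with one table to observe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO foo VALUES (1, 'alice')")
    return conn


def table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'foo'"
    ).fetchone()
    return row is not None


def run_naive(id_number: str) -> bool:
    """Run the escaped-but-concatenated query on a DB layer that accepts stacked statements.
    Returns whether table foo survived (it does not: ';' was never escaped)."""
    conn = fresh_db()
    conn.executescript(naive_query(id_number))
    return table_exists(conn)


def run_parameterized(id_number: str):
    """Defensive pattern: bind the value, so the driver never parses it as SQL.
    Returns (table survived, rows matched)."""
    conn = fresh_db()
    rows = conn.execute("SELECT name FROM foo WHERE id = ?", (id_number,)).fetchall()
    return table_exists(conn), rows


def validate_id(id_number: str) -> int:
    """Defensive pattern: enforce the expected type before the value nears a query."""
    if not re.fullmatch(r"\d+", id_number):
        raise ValueError("IDNumber must be an unsigned integer")
    return int(id_number)
```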



    This archive was generated by hypermail 2b30 : Thu May 31 2001 - 08:44:06 PDT