Security Basics mailing list archives
Overwriting an uninitialized local variable in PHP
From: Kellox <kellox () my-mail ch>
Date: Wed, 21 Feb 2007 16:32:37 +0100
I'm addressing a PHP with a MySQL DB system. A PHP script looks like this:

    $sort_mode = $_GET['sort'];           // untrusted request parameter
    if ($sort_mode == 'ascendend')
        $query = "....";
    else if ($sort_mode == 'descendend')
        $query = "....";
    ...                                   // no final else: $query stays unset for any other value
    mysql_query($query) or die();

This script does actually contain a serious problem because $sort_mode is not sanitized. But this variable is never used in a SQL query, so even if you modify the GET parameter to become a SQL injection it won't be executed by the DB because this variable is not passed to the engine. The actual variable containing the query is $query. But since there's no else clause, $query is uninitialized when you pass a string to the variable $sort_mode that is not contained in the if-then-else statement (e.g. $sort_mode = 'does_not_exist').
My question is if there is a way to "initialize" the variable $query myself as an attacker from the outside, so that I can write my own SQL query.
This question is related to a webapp review I'm doing at the moment. Thx in advance!
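
A hardened form of the script described in the message above, as an added example that is not part of the original post: $query is assigned on every path from an allow-list, so its value never depends on anything outside the function. The function name build_query and the table and column names are hypothetical, since the post elides the real queries as "....".

```php
<?php
// Added example, not code from the original post. Table and column names
// are hypothetical: the post elides the real queries as "....".

/**
 * Map the untrusted sort parameter to one of a fixed set of queries.
 * A query string is returned on every path, so nothing uninitialized can
 * reach the database layer, and no request data is concatenated into SQL.
 */
function build_query($sort_param): string
{
    // Allow-list of accepted values; spellings taken from the post's script.
    $order_by = [
        'ascendend'  => 'ASC',
        'descendend' => 'DESC',
    ];

    // Non-string input (e.g. ?sort[]=x arrives as an array) and unknown
    // values both fall through to an explicit default.
    $key = is_string($sort_param) ? $sort_param : '';
    $direction = $order_by[$key] ?? 'ASC';

    return 'SELECT id, name FROM items ORDER BY name ' . $direction;
}

// Constructed sample inputs, standing in for $_GET['sort'].
$samples = ['ascendend', 'descendend', 'does_not_exist', "x' OR '1'='1", ['nested'], null];

foreach ($samples as $sample) {
    // Every input, including the unmatched ones, yields one of two fixed queries.
    printf("%-22s => %s\n", json_encode($sample), build_query($sample));
}
```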