Bugtraq mailing list archives
Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)
From: rvdm () CISTRON NL (van der Meulen, Robert)
Date: Sat, 5 Feb 2000 12:47:17 +0100
Quoting rain forest puppy (rfp () WIRETRIP NET):
----[ 3. Solution
<cut>
In the end, *all* (let me repeat that... **ALL**) incoming user data should be passed through quote(), onlynumbers(), or scrubtable()...NO EXCEPTIONS! Passing user data straight into a SQL query is asking for someone to tamper with your database. New versions of wwwthreads are available from www.wwwthreads.com, which implement the solutions pretty much as I've described them here.
If the script acessing the database uses DBI, it's better to handle a query the following way: $sth=$dbh->prepare("INSERT INTO table (foo,bar) VALUES (?,?)"); $sth->execute($evil-unquoted-string, $evil-unquoted-other-string); Using the '?' placeholders takes care of quoting, and allows re-execute()ing the query with different parameters. I must admit here, that not all DBI drivers support placeholders, but most do. ofcourse catch the results, and check them. Insertion of non-numerics into your database is checked when you actually _do_ the insert. Greets, Robert/Emphyrio -- | rvdm () cistron nl - Cistron Internet Services - www.cistron.nl | | php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security | | My statements are mine, and not necessarily cistron's. |
Current thread:
- RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory) rain forest puppy (Feb 03)
- Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory) Jaanus Kase (Feb 04)
- Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory) Aaron Ross (Feb 08)
- Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory) Jeremy Whittington (Feb 08)
- Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory) Barclay Osborn (Feb 04)
- Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory) van der Meulen, Robert (Feb 05)
- DBI bind values [was Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)] Kelly.Setzer () INGRAMENTERTAINMENT COM (Feb 07)
- Debian (frozen): Perms on /usr/lib/libguile.so.6.0.0 Jamie Fifield (Feb 05)
- Re: Debian (frozen): Perms on /usr/lib/libguile.so.6.0.0 Torsten Landschoff (Feb 08)
- <Possible follow-ups>
- Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory) rain forest puppy (Feb 08)
- Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory) Smith, Eric V. (Feb 09)
- Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory) W. Craig Trader (Feb 09)
- FireWall-1 FTP Server Vulnerability John McDonald (Feb 09)
- ASP Security Hole (fwd) bgreenbaum () SECURITYFOCUS COM (Feb 09)
- Re: ASP Security Hole (fwd) Rob Systhine (Feb 10)
- Multiple firewalls: FTP Application Level Gateway "PASV" Vulnerability Mikael Olsson (Feb 10)
(Thread continues...)
- Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory) Jaanus Kase (Feb 04)