Bugtraq mailing list archives

Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)


From: rvdm () CISTRON NL (van der Meulen, Robert)
Date: Sat, 5 Feb 2000 12:47:17 +0100


Quoting rain forest puppy (rfp () WIRETRIP NET):
----[ 3. Solution

<cut>

In the end, *all* (let me repeat that... **ALL**) incoming user data
should be passed through quote(), onlynumbers(), or scrubtable()...NO
EXCEPTIONS!  Passing user data straight into a SQL query is asking for
someone to tamper with your database.

New versions of wwwthreads are available from www.wwwthreads.com, which
implement the solutions pretty much as I've described them here.

If the script accessing the database uses DBI, it's better to handle a query
the following way:

# '?' placeholders: the driver binds the values as data, nothing is interpolated
$sth = $dbh->prepare("INSERT INTO table (foo,bar) VALUES (?,?)");
$sth->execute($evil_unquoted_string, $evil_unquoted_other_string);

Using the '?' placeholders takes care of quoting, and allows re-execute()ing
the query with different parameters.
I must admit here that not all DBI drivers support placeholders, but most do.
Of course, catch the results and check them. Insertion of non-numerics into
your database is checked when you actually _do_ the insert.

Greets,
        Robert/Emphyrio

--

|      rvdm () cistron nl - Cistron Internet Services - www.cistron.nl        |
|          php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security             |
|         My statements are mine, and not necessarily cistron's.           |
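As an added example (not code from Robert's post or from wwwthreads), the placeholder pattern he describes run end to end against an in-memory SQLite database: prepare once, re-execute() per row, and check the outcome. It assumes DBD::SQLite is installed; the table and the sample rows are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example: DBI placeholders with an in-memory SQLite database.
# Assumes DBD::SQLite is available; table and rows are constructed here.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE posts (author TEXT NOT NULL, body TEXT NOT NULL)");

# Constructed incoming user data, including a quote and a semicolon that
# would break a query built by string interpolation.
my @incoming = (
    [ "alice",   "plain text"                ],
    [ "O'Brien", "it's got a quote in it"    ],
    [ "carol",   "semicolons; are just text" ],
);

# Prepare once; '?' placeholders mean the driver binds each value as data,
# so quoting is handled and the same statement is re-execute()d per row.
my $sth = $dbh->prepare("INSERT INTO posts (author, body) VALUES (?, ?)");
$sth->execute(@$_) for @incoming;

# Check the result of the inserts rather than assuming they went through.
my ($n) = $dbh->selectrow_array("SELECT COUNT(*) FROM posts");
print "rows inserted: $n\n";

# A placeholder in a SELECT: the quote in the author name is just a value.
my $lookup = $dbh->prepare("SELECT body FROM posts WHERE author = ?");
$lookup->execute("O'Brien");
my ($body) = $lookup->fetchrow_array;
print "body for O'Brien: $body\n";

# For a driver without placeholder support, $dbh->quote() is the fallback
# for string data. Either way, execute()/do() failures must be caught:
# with RaiseError set, wrap the call in eval and inspect $@.
my $quoted = $dbh->quote("it's");
eval { $dbh->do("INSERT INTO posts (author) VALUES ($quoted)") };  # body is NOT NULL
print "insert rejected: $@" if $@;

$dbh->disconnect;
```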


