Bugtraq mailing list archives
Re: PHPNuke SQL Injection / General SQL Injection
From: MightyE <mightye () mightye org>
Date: Sat, 22 Feb 2003 16:20:29 -0500
Actually, user supplied input from $_COOKIE, $_POST, and $_GET comes slash-escaped, so if the user enters

    ' or 1=1

as their input, the SQL statement will look like

    where some_int='\' or 1=1'

This is determined by the PHP directive magic_quotes_gpc. During script execution, you can execute

    if (!get_magic_quotes_gpc()) {
        // code to recurse global variables, calling addslashes() on their values
    }

to ensure that all user supplied input is properly escaped.

The proper escaping for ' and " in most databases (excluding Oracle and Sybase only, I believe) is to use \', \", and \\. In Oracle and Sybase, ' and " are escaped as '' and "". Magic quotes in PHP can be configured for Sybase compatibility; see the PHP website.

What I do in my portable code, where I can't know whether or not the server it's running on has magic quotes enabled, is use a function like this:

    function escape($input) {
        if (get_magic_quotes_gpc()) return $input;
        return addslashes($input);
    }

and run all user input through that. As far as I know, all major databases accept quoted integers and interpret them as standard integers, so *always* quote user input so that they cannot inject SQL.
David Walker wrote:
When programming a system that creates SQL strings based on passed in integers, i.e.

    where some_int=$variable_from_querystring

you must always do a check to confirm that that variable contains only numeric data.

An alternate fix on SQL servers that allow the format

    where some_int='1234' -- (quoted numbers)

would be to do

    where some_int='replace($variable_from_querystring,"'","''")'

This would cause a more than likely harmless error to occur whenever such a character occurs within the passed in numeric/integer variable.
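The following is an added example written for this archive page; it is not code from either poster. It puts the three approaches in the thread side by side against a throwaway SQLite database so the outcome of each can be seen on the same inputs: the integer interpolated unquoted (the vulnerable form Walker describes), the integer quoted and escaped (MightyE's escape() idea, with Walker's quote-doubling replace() for databases that use it), and the integer checked to be digits only. It goes a little beyond the thread in one respect: SQLite, like Oracle and Sybase as the posts describe them, doubles the single quote and does not understand backslash escaping, so the escaper takes a dialect argument instead of always calling addslashes(). The table `users`, the sample inputs and the function names are all assumptions made up for the demo. It assumes PHP 7.1 or later with the pdo_sqlite extension; magic_quotes_gpc was deprecated in PHP 5.3 and removed in 5.4, so the escaper guards the call with function_exists().

```php
<?php
// Added example (not from either post in the thread). Runs the thread's three
// strategies for an "integer" taken from the query string against an in-memory
// SQLite table. Assumes PHP 7.1+ with pdo_sqlite; table and inputs are made up.
declare(strict_types=1);

// Dialect-aware version of the thread's portable escape(). MySQL understands
// backslash escaping (what addslashes() and magic_quotes_gpc produce); Oracle,
// Sybase and SQLite double the quote instead. If magic quotes already escaped
// the value, undo that first so the value is escaped exactly once.
function escapeFor(string $input, string $dialect): string
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $input = stripslashes($input);
    }
    if ($dialect === 'mysql') {
        return addslashes($input);          // ' -> \'   " -> \"   \ -> \\
    }
    return str_replace("'", "''", $input);  // ' -> ''   (Walker's replace())
}

// Walker's check for parameters that must be integers: digits only.
// ctype_digit() rejects "", "-1", "1.0", "2 or 1=1" and "' or 1=1".
function intParam(string $raw): ?int
{
    return ctype_digit($raw) ? (int) $raw : null;
}

// Hypothetical table for the demo.
function newDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO users VALUES (1,'alice'), (2,'bob'), (3,'carol')");
    return $db;
}

// Names matched for one query-string value under one strategy, or a marker
// when the input was rejected up front or the SQL failed to parse.
function lookup(PDO $db, string $raw, string $mode): array
{
    switch ($mode) {
        case 'raw':      // where some_int=$variable_from_querystring
            $sql = "SELECT name FROM users WHERE id=$raw";
            break;
        case 'quoted':   // where some_int='...', escaped for this database
            $sql = "SELECT name FROM users WHERE id='" . escapeFor($raw, 'sqlite') . "'";
            break;
        case 'checked':  // numeric check first, then a plain integer
            $id = intParam($raw);
            if ($id === null) {
                return ['<rejected>'];
            }
            $sql = "SELECT name FROM users WHERE id=$id";
            break;
        default:
            throw new InvalidArgumentException("unknown mode $mode");
    }
    try {
        return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
    } catch (PDOException $e) {
        return ['<sql error>'];   // the "more than likely harmless error"
    }
}

$db = newDb();
// Constructed inputs: a normal id, Walker's integer injection, MightyE's
// quote injection, and a quote injection that also comments out the tail.
$inputs = ['2', '2 or 1=1', "' or 1=1", "2' or 1=1 --"];
foreach ($inputs as $input) {
    foreach (['raw', 'quoted', 'checked'] as $mode) {
        printf("%-8s %-16s => %s\n", $mode, var_export($input, true),
            implode(',', lookup($db, $input, $mode)));
    }
}
```

Running it shows the point of both posts in one screen: `raw` returns every row for `2 or 1=1` and throws a parse error on the two quote payloads; `quoted` returns nothing for all three payloads because the whole value becomes one string literal that matches no id; `checked` never lets them reach the database. One caveat a practitioner would add today: addslashes() and magic quotes know nothing about the connection character set or the target database's escaping rules, which is why database-specific escapers (mysql_real_escape_string, PDO::quote) and, better still, parameterized queries replaced this pattern for string parameters, while the digits-only check remains the right answer for parameters that are supposed to be integers.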
Current thread:
- PHPNuke SQL Injection Lucas Armstrong (Feb 20)
- Re: PHPNuke SQL Injection Martin Eiszner (Feb 21)
- Re: PHPNuke SQL Injection / General SQL Injection David Walker (Feb 21)
- Re: PHPNuke SQL Injection / General SQL Injection MightyE (Feb 23)
- <Possible follow-ups>
- RE: PHPNuke SQL Injection Oriol Carreas (Feb 21)