WebApp Sec mailing list archives
Re: SQL injection and PHP/MYSQL
From: "Sverre H. Huseby" <shh () thathost com>
Date: Tue, 9 Sep 2003 21:54:44 +0200
[Robert Buljevic]
| And is it enough to use PHP's addslashes function? If not, why?
| Could you provide any example of input that could cause injection
| even if it's slashed - always referring to the particular case of
| PHP/MYSQL?
AFAIK, MySQL doesn't support batched queries, so many of the cool
attacks will not work.
Here's an example that does not rely on batched queries. The program
will give a user access to some data owned either by him, or by
someone who has granted him access (the latter is not implemented).
<?php
# ID of current user. would be read from the session or something,
# but we make it simple and just fill it in.
$userid = 1234;

function hasAccessToDataOwnedBy($ownerid) {
    global $userid;
    # loose (==) comparison: PHP juggles the string to a number here
    if ($ownerid == $userid)
        return TRUE;
    # other checks removed for readability
    return FALSE;
}

# the following variable would be coming from the user, but we
# make it simple again, and fill it in here.
$listby = "1234 or 1=1";

# note that there are no slashable characters in the input, so
# the following line has no effect. one should rather have
# verified that the input was numeric.
$listby = addslashes($listby);

if (hasAccessToDataOwnedBy($listby)) {
    # the unvalidated string is concatenated straight into the query
    $sql = "SELECT * FROM Data WHERE OwnerId=" . $listby;
    # here we would have queried the database, but we rather print
    # the query to show what is going on.
    echo($sql . "\n");
} else
    echo("access denied\n");
The program will print
SELECT * FROM Data WHERE OwnerId=1234 or 1=1
which is not good, as the code tried to verify that the user had
access to the data by comparing the incoming string and the
server-side userid. Unfortunately, PHP thinks that 1234 and "1234 or
1=1" are the same numeric value. When passed to the database, all rows
will be retrieved, not only the ones accessible by the current user.
Sverre.
--
shh () thathost com
http://shh.thathost.com/
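The following is an added example, not code from the post or its author, showing the same access check hardened against the problem described above: the owner id is validated as an integer before it is used, the comparison is strict (===) so no type juggling can happen, and the query is a prepared statement so the value is never spliced into SQL text. It assumes a PDO connection to MySQL (the DSN shown is a placeholder) and reuses the table and column names from the post.

```php
<?php
// Added example (not from the original post): hardened version of the
// owner-id check. Assumes PDO/MySQL; table "Data" and column "OwnerId"
// are taken from the post, the DSN below is a placeholder.

$userid = 1234; // would normally come from the session

// Accept only a plain positive integer. filter_var returns false for
// "1234 or 1=1", so the attack string never reaches the comparison or the query.
function parseOwnerId(string $input): ?int {
    $id = filter_var($input, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Strict comparison between two ints: no string-to-number juggling.
function hasAccessToDataOwnedBy(int $ownerid, int $userid): bool {
    if ($ownerid === $userid)
        return true;
    // other checks (granted access) omitted, as in the post
    return false;
}

// Prepared statement: the id is bound as a parameter, never concatenated.
function listDataOwnedBy(PDO $db, int $ownerid): array {
    $stmt = $db->prepare('SELECT * FROM Data WHERE OwnerId = ?');
    $stmt->execute([$ownerid]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Walk through the post's attack string and a normal id (constructed inputs).
foreach (["1234 or 1=1", "1234", "9999"] as $raw) {
    $listby = parseOwnerId($raw);
    if ($listby === null) {
        echo "rejected, not an integer: $raw\n";
        continue;
    }
    if (!hasAccessToDataOwnedBy($listby, $userid)) {
        echo "access denied for $listby\n";
        continue;
    }
    // With a real connection:
    // $db = new PDO('mysql:host=localhost;dbname=app', 'user', 'password'); // placeholder
    // print_r(listDataOwnedBy($db, $listby));
    echo "would execute: SELECT * FROM Data WHERE OwnerId = ? with [$listby]\n";
}
```

Running this prints "rejected" for the attack string, "would execute ..." for 1234 and "access denied" for 9999. The loose comparison `1234 == "1234 or 1=1"` is true on PHP 5 and 7 (the type juggling the post relies on); PHP 8.0 changed number-to-string comparison so it is false there, but the concatenated query in the original code is injectable on every version, which is why the prepared statement, not the comparison, is the fix that matters.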
