WebApp Sec mailing list archives

Re: SQL injection and PHP/MYSQL


From: Bill Pennington <billp () boarder org>
Date: Tue, 9 Sep 2003 12:55:51 -0700

One of the main hurdles to overcome with MySQL SQL injection is that current production versions of MySQL (4.0.x and below) do not support subselects. So injecting "UNION ALL SELECTS..." etc. generally will not work. You can still use ' OR 1=1 type injections though.

The current alpha 4.1 of MySQL does support subselects, so I think there are going to be a few more SQL Injection issues with MySQL once people start using the 4.1 code.

I don't know PHP that well so I can't comment on it.

On Tuesday, September 9, 2003, at 12:04 PM, Robert Buljevic wrote:

I'm well aware of the SQL injection problem when accepting non-trusted data. However, I'm interested in a more concrete example, precisely the PHP/MySQL combination.

Suppose I have some input text that's passed to MySQL for searching via HTTP GET request.
What characters should I allow/disallow?
And is it enough to use PHP's addslashes function? If not, why? Could you provide any example of input that could cause injection even if it's slashed - always referring to the particular case of PHP/MYSQL?

Any info would be appreciated... Thanks!

Robert Buljevic



---
Bill Pennington, CISSP, CCNA
Chief Technology Officer
WhiteHat Security Inc.
http://www.whitehatsec.com
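
Added example, not part of either post: the ' OR 1=1 style input mentioned above, run against a lookup built by string concatenation and against the same lookup with the term bound as a parameter. Assumptions: PDO is used, an in-memory SQLite database stands in for MySQL so the script runs offline, and the table, column names, rows and function names are constructed for illustration.

```php
<?php
// Added example. SQLite in memory stands in for MySQL (assumption) so this
// runs offline; the prepare()/execute() calls are the same with a mysql: DSN.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: two public rows and one that must stay hidden.
$db->exec("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, is_public INTEGER)");
$db->exec("INSERT INTO articles (title, is_public) VALUES
    ('Release notes', 1), ('Install guide', 1), ('Internal draft', 0)");

// Before: the request value becomes part of the SQL text, so a quote in
// the value ends the string literal and the rest is parsed as SQL.
function lookup_concat(PDO $db, string $term): array
{
    $sql = "SELECT title FROM articles WHERE is_public = 1 AND title = '" . $term . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// After: the SQL text is fixed; the value is bound and only ever compared
// against the title column, whatever characters it contains.
function lookup_bound(PDO $db, string $term): array
{
    $stmt = $db->prepare("SELECT title FROM articles WHERE is_public = 1 AND title = ?");
    $stmt->execute([$term]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: an ordinary title and the ' OR 1=1 pattern from the thread.
$inputs = ["Install guide", "x' OR '1'='1"];

foreach ($inputs as $term) {
    printf("input: %s\n", $term);
    printf("  concatenated: %s\n", implode(', ', lookup_concat($db, $term)) ?: '(no rows)');
    printf("  bound:        %s\n", implode(', ', lookup_bound($db, $term)) ?: '(no rows)');
}
```

With the second input, the concatenated query's WHERE clause no longer restricts on is_public, while the bound query simply finds no title equal to that string.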

