WebApp Sec mailing list archives

RE: PHP Finding SQL Injection Holes


From: "Wirges, Matthew L." <wirges () purdue edu>
Date: Thu, 30 Oct 2003 08:01:58 -0500

I'm not sure that I get the point of this script.  I tested a couple of
simple cases such as:

mysql_query("SELECT * FROM foo where blee=$bar");
mysql_query("SELECT * FROM foo where blee=".$bar);

which could be vulnerable but were not found.

Also it makes several assumptions:

1) SQL queries are performed with the mysql_query function and not some
sort of database wrapper or other database interface.
2) additionally, it assumes that the SQL queries are passed as a string
in the calling [mysql_query] function
3) finally, it assumes that the query only occupies a single line of
code.  Most complicated scripts have SQL queries which span several
lines

Personally, I rely on code audits and input filtering to eliminate SQL
injection threats.

-matt

-----Original Message-----
From: James Mitchell [mailto:reductor () askmiky com] 
Sent: Wednesday, October 29, 2003 6:16 AM
To: webappsec () securityfocus com
Subject: PHP Finding SQL Injection Holes

I got bored, and made a thing to find places which might 
allow for SQL Injection in PHP. Anyone got any feedback on 
my 2-minute script?

http://www.php-webmaster.com/sqlinjects.phps

Thanks,
James Mitchell
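
The three assumptions listed in the reply above can be relaxed with a heuristic audit helper like the following, which is an added example and not code from the thread or from the script under discussion. It reads the PHP source as a whole rather than line by line, accepts more than one sink name, and follows a query that was built in a variable before the call. Assumptions: the `->query` wrapper method and the sample PHP are constructed for illustration, and every finding is only a candidate for manual review.

```python
import re
# Constructed PHP input; "->query" is a hypothetical wrapper method (assumption).
SAMPLE = r'''$bar = $_GET['bar'];
mysql_query("SELECT * FROM foo where blee=$bar");
mysql_query("SELECT * FROM foo where blee=".$bar);
mysql_query('SELECT * FROM foo where blee=1');
$sql = "SELECT * FROM foo ";
$sql .= "WHERE blee = '" . $bar . "' "
      . "ORDER BY id";
$db->query(
    $sql);
$fixed = 'SELECT COUNT(*) FROM foo';
mysql_query($fixed, $link);
'''
SINK = re.compile(r"(mysql_query|->query)\s*\(")
STRING = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'')
TOKEN = re.compile(STRING.pattern + r"|[(),]")
VAR = re.compile(r"\$[A-Za-z_]\w*")

def first_argument(src, start):
    """Text of the first argument after the '(' at src[start], across lines."""
    depth = 0
    for t in TOKEN.finditer(src, start):   # string literals arrive as one token
        if t.group() in (",", ")") and depth == 1:
            return src[start + 1:t.start()]
        depth += {"(": 1, ")": -1}.get(t.group(), 0)
    return src[start + 1:]                 # unterminated call: take the rest

def dynamic_vars(expr):
    """Variables PHP evaluates in expr; single-quoted strings do not interpolate."""
    kept = STRING.sub(lambda m: m.group() if m.group()[0] == '"' else "''", expr)
    return set(VAR.findall(kept))

def scan(src):
    """Return (line, sink, variables) for each query call built from variables."""
    findings = []
    for m in SINK.finditer(src):
        arg = first_argument(src, m.end() - 1)
        names = dynamic_vars(arg)
        if re.fullmatch(r"\s*\$\w+\s*", arg):   # query was built earlier in a variable
            var = arg.strip()
            rhs = re.findall(re.escape(var) + r"\s*\.?=(?!=)\s*(.*?);", src[:m.start()], re.S)
            if rhs:                             # judge it by what was assigned to it
                names = set().union(*map(dynamic_vars, rhs)) - {var}
        if names:
            findings.append((src.count("\n", 0, m.start()) + 1, m.group(1), sorted(names)))
    return findings

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Constant queries and the trailing link argument are not reported; a bare variable with no visible assignment (for example a function parameter) is reported because its origin is unknown.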



