Two questions about PHP security

neal
Forum Newbie
Posts: 4
Joined: Tue Mar 09, 2004 7:04 pm

Post by neal »

I'm doing a project on PHP security, now I have two questions.

1. Does mysql_query() support multiple statements?
e.g. mysql_query("select * from table; drop table xx");

2. PHP mail() function.
mail($mailRecipient,$mailSubject,$mailBody,"From: $email\nReply-to: $name <$email>");
If $mailBody is defined by a remote user, does it have any security problems?

Any help will be appreciated!

neal
kettle_drum
DevNet Resident
Posts: 1150
Joined: Sun Jul 20, 2003 9:25 pm
Location: West Yorkshire, England

Post by kettle_drum »

1. Yes, mysql_query() can run several queries - so if you have something like:

mysql_query("SELECT * FROM table WHERE id = $_GET[var]");
The user can inject their own SQL statement with ease - adding ' and ' around the variable will stop this possibility.

2. Ummm...well the user could certainly post a malicious java/vb script as the email and it would come from your server.

The main key to security is to not trust ANY user and check everything that they input, whether it's from GET, POST or COOKIE - check them all. There are also risks from other general headers - like a user could change their user agent header to send code to the page.
Deemo
Forum Contributor
Posts: 418
Joined: Sun Jan 18, 2004 11:48 am
Location: Washington DC

Post by Deemo »

I think by the query thing he means if you could do
mysql_query("SELECT * FROM Table; Drop Table table");

meaning doing the query then dropping it
neal
Forum Newbie
Posts: 4
Joined: Tue Mar 09, 2004 7:04 pm

Post by neal »

Thanks kettle_drum and Deemo for your reply!
That helps. But I still have some questions.

1. mysql_query("SELECT * FROM table WHERE id = $_GET[var]");
can I inject it by something like '1; Drop Table table'? Then it will become:
mysql_query("SELECT * FROM table WHERE id = 1; Drop Table table");
That doesn't work on my pc. It seems that mysql_query() doesn't support two queries at a time, does it?

2. Could you please give me an example or suggest an article about it?

Thanks a lot.

neal
jason
Site Admin
Posts: 1767
Joined: Thu Apr 18, 2002 3:14 pm
Location: Montreal, CA

Post by jason »

1. No. However, you should always assume data that you don't set is tainted, and take appropriate action. Do not assume anything.

2. Probably not; however, you should always assume data coming from a user is tainted. Again, do not assume anything.

It's better to be paranoid. If you get in the habit of checking incoming data, it only means you have less of a chance of letting something get through.

Remember, data from the user is tainted.
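
As an added example (not code posted by anyone in this thread): the interpolated query from the posts above next to a hardened lookup that validates the id as an integer and binds it as a parameter. It assumes PDO with an in-memory SQLite database in place of MySQL so it runs offline; the table name `items` and both function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO with an in-memory
// SQLite database stands in for MySQL so the script runs offline; the table
// name `items` and both function names are hypothetical.

// The pattern from the thread: request data interpolated into the SQL text.
// Only the resulting string is shown here; it is never executed.
function build_query_unsafe(string $rawId): string
{
    return "SELECT * FROM items WHERE id = $rawId";
}

// Hardened form: validate the value as an integer, then bind it as a
// parameter so it is never parsed as SQL.
function find_item(PDO $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null; // reject anything that is not a plain integer
    }
    $stmt = $db->prepare('SELECT id, name FROM items WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO items (name) VALUES ('first'), ('second')");

// Constructed inputs: a normal id and the value neal tried in the thread.
foreach (['1', '1; Drop Table table'] as $input) {
    echo "input:      ", var_export($input, true), PHP_EOL;
    echo "unsafe SQL: ", build_query_unsafe($input), PHP_EOL;
    echo "hardened:   ", json_encode(find_item($db, $input)), PHP_EOL, PHP_EOL;
}
```

The second input changes the text of the interpolated query, while the hardened lookup rejects it before any SQL is prepared.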
CoderGoblin
DevNet Resident
Posts: 1425
Joined: Tue Mar 16, 2004 10:03 am
Location: Aachen, Germany

Post by CoderGoblin »

Useful article:

http://www.nextgenss.com/papers/advance ... ection.pdf

Should have all the information you need about sql_injection through POST and GET.
neal
Forum Newbie
Posts: 4
Joined: Tue Mar 09, 2004 7:04 pm

Post by neal »

Can anyone suggest an article on shell command injection or mail() function security?

Thanks in advance.

neal