
Two questions about PHP security

Posted: Mon Apr 19, 2004 5:39 pm
by neal
I'm doing a project on PHP security, and now I have two questions.

1. Does mysql_query() support multiple statements?
e.g. mysql_query("select * from table; drop table xx");

2. PHP mail() function.
mail($mailRecipient,$mailSubject,$mailBody,"From: $email\nReply-to: $name <$email>");
If $mailBody is defined by a remote user, does it have any security problems?

Any help will be appreciated!

neal

Posted: Mon Apr 19, 2004 5:49 pm
by kettle_drum
1. Yes, mysql_query() can run several queries, so if you have something like:


mysql_query("SELECT * FROM table WHERE id = $_GET[var]");
The user can inject their own SQL statement with ease; adding ' and ' around the variable will stop this possibility.

2. Ummm... well, the user could certainly post a malicious Java/VB script as the email, and it would come from your server.

The main key to security is to not trust ANY user and check everything that they input, whether it's from GET, POST or COOKIE. Check them all. There are also risks from other general headers; for example, a user could change their User-Agent header to send code to the page.

Posted: Mon Apr 19, 2004 5:54 pm
by Deemo
I think by the query thing he means whether you could do
mysql_query("SELECT * FROM Table; Drop Table table");

meaning doing the query then dropping it

Posted: Mon Apr 19, 2004 7:18 pm
by neal
Thanks to kettle_drum and Deemo for your replies!
That helps, but I still have some questions.

1. mysql_query("SELECT * FROM table WHERE id = $_GET[var]");
can I inject it with something like '1; Drop Table table'? Then it will become:
mysql_query("SELECT * FROM table WHERE id = 1; Drop Table table");
That doesn't work on my PC. It seems that mysql_query() doesn't support two queries at a time, does it?

2. Could you please give me an example or suggest an article about it?

Thanks a lot.

neal
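Both points raised so far (kettle_drum's `WHERE id = $_GET[var]` example and neal's `1; Drop Table table` payload) can be tried out without a MySQL server. What follows is an added example, not code from this thread, written in Python against an in-memory SQLite database: sqlite3's execute() accepts one statement at a time, as mysql_query() does, while executescript() runs several, as mysqli_multi_query() does in PHP. The users table, its rows, the payloads and the function names are all constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the thread's `table`."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    conn.commit()
    return conn


def table_exists(conn, table):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def unquoted_query(conn, var):
    """mysql_query("SELECT * FROM table WHERE id = $_GET[var]"): the raw value
    is pasted into the SQL text, so it can rewrite the WHERE clause."""
    sql = f"SELECT name FROM users WHERE id = {var} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def quoted_query(conn, var):
    """The same call with the value wrapped in single quotes. A value that
    carries its own quote character still breaks out of the literal."""
    sql = f"SELECT name FROM users WHERE id = '{var}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def parameterized_query(conn, var):
    """Bound parameter: the driver sends the value separately from the SQL
    text, so nothing in it is ever parsed as SQL."""
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (var,))]


def stacked_payload_dropped_table(conn, var, multi_statement_api=False):
    """Send a '1; DROP TABLE users' style payload through the vulnerable
    query. Returns True only if the second statement actually ran."""
    sql = f"SELECT name FROM users WHERE id = {var}"
    try:
        if multi_statement_api:
            conn.executescript(sql)        # several statements, like mysqli_multi_query()
        else:
            conn.execute(sql).fetchall()   # one statement only, like mysql_query()
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        # sqlite3 refuses: "You can only execute one statement at a time."
        return False
    return not table_exists(conn, "users")


if __name__ == "__main__":
    db = make_db()
    print(unquoted_query(db, "1 OR 1=1"))          # every row, no quotes needed
    print(quoted_query(db, "1' OR '1'='1"))        # every row despite the quotes
    print(parameterized_query(db, "1 OR 1=1"))     # nothing: the text is just a value
    print(stacked_payload_dropped_table(db, "1; DROP TABLE users"))
    print(stacked_payload_dropped_table(db, "1; DROP TABLE users", multi_statement_api=True))
```

The single-statement API does block the stacked DROP, which matches what neal saw on his machine, but it does nothing against the `OR 1=1` form, which never needs a second statement. The quoted variant only moves the problem to a payload that contains a quote; binding the value as a parameter closes both.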

Posted: Mon Apr 19, 2004 7:36 pm
by jason
1. No. However, you should always assume data that you don't set is tainted, and take appropriate action. Do not assume anything.

2. Probably not; however, you should always assume data coming from a user is tainted. Again, do not assume anything.

It's better to be paranoid. If you get in the habit of checking incoming data, it only means you have less of a chance of letting something get through.

Remember, data from the user is tainted.
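On the mail() question, $mailBody ends up in the message body, after the blank line that separates headers from body, so a line break in it is just a line break; that is why "probably not" is the answer for the body. The values that do need checking in neal's call are $email and $name, because they are pasted into the additional_headers argument: a line break inside either one lets the sender append headers of their own, such as extra recipients on a Bcc: line, and $mailSubject is a header too. The following is an added example, not code from this thread, written in Python rather than PHP to show the check itself: build_headers() reproduces the thread's header string exactly, header_names() lists what ended up in it, and safe_headers() refuses unsafe input instead of sending it. The function names, the address regex and the sample payload are constructed for the example.

```python
import re

# Characters that turn one header value into several header lines.
_LINE_BREAK = re.compile(r"[\r\n]")
# Shape check for the address: one token, one @, no whitespace or angle brackets.
_ADDRESS = re.compile(r"^[^\s@<>]+@[^\s@<>]+\.[^\s@<>]+$")


def build_headers(name, email):
    """The additional_headers string exactly as the thread's mail() call
    builds it: "From: $email\nReply-to: $name <$email>", values pasted verbatim."""
    return f"From: {email}\nReply-to: {name} <{email}>"


def header_names(headers):
    """Header field names present in the string, in order. With clean input
    this is ["From", "Reply-to"]; anything else arrived through a line break."""
    names = []
    for line in re.split(r"\r?\n|\r", headers):
        match = re.match(r"([A-Za-z][A-Za-z0-9-]*):", line)
        if match:
            names.append(match.group(1))
    return names


def check_header_value(value, field):
    """Refuse, rather than silently strip, a value that could start a new header."""
    if _LINE_BREAK.search(value):
        raise ValueError(f"{field} contains a line break")
    return value


def safe_headers(name, email):
    """The same header string, built only from values that passed the checks.
    $mailSubject would need check_header_value() as well; the body would not."""
    check_header_value(name, "name")
    check_header_value(email, "email")
    if not _ADDRESS.match(email):
        raise ValueError("email is not a single address")
    return build_headers(name, email)


if __name__ == "__main__":
    # Constructed payload: a valid-looking address with a second header glued on.
    payload = "attacker@example.com\nBcc: victim@example.org"
    print(header_names(build_headers("Mallory", payload)))
    print(safe_headers("Mallory", "mallory@example.com"))
    try:
        safe_headers("Mallory", payload)
    except ValueError as err:
        print("rejected:", err)
```

Rejecting is preferable to stripping because a stripped value silently changes what the user typed and still reaches sendmail; a rejected one never does. The same two checks apply to any value that lands in a header, including the subject.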

Posted: Tue Apr 20, 2004 3:36 am
by CoderGoblin
Useful article:

http://www.nextgenss.com/papers/advance ... ection.pdf

It should have all the information you need about SQL injection through POST and GET.

Posted: Tue Apr 20, 2004 4:32 pm
by neal
Can anyone suggest an article on shell command injection or mail() function security?

Thanks in advance.

neal