php security question
Moderator: General Moderators

I had a job application for a php programmer and one of the questions was as follows:

Why is this section of PHP script insecure? How would you "fix" it?

<?
mysql_query("SELECT headline, body FROM article WHERE articleid=$_POST[articleid]");
?>

I assumed that it should check against valid articleid's, but just wondering what exactly the problem was and how to actually fix it.

- twigletmac
- Her Royal Site Adminness
- Posts: 5371
- Joined: Tue Apr 23, 2002 2:21 am
- Location: Essex, UK

only e.g. (not a hacker tutorial so I chose something quite harmless)

make $_POST[articleid] 0 OR 1=1 and the query contains

SELECT headline, body FROM article WHERE articleid=0 OR 1=1

that's true for all records.

Since the value is not quoted one can assume articleid is a numerical field. If there are no other constraints (e.g. user privileges) I'd implicitly cast the id like

mysql_query('SELECT headline, body FROM article WHERE articleid='.(int)$_POST['articleid']);

I would do something like this, assuming the var will never be zero (assuming magic_quotes_gpc is on):

<?php
if (!$clean_int = (int) stripslashes($_POST['intvar'])) { /* do some error message */ }
mysql_query('SELECT col1,col2 FROM tabl WHERE tabl_id =\''.$clean_int.'\'');
# or if it is a string and it may be fairly complex
mysql_query('SELECT col1,col2 FROM tabl WHERE colstr =\''.mysql_escape_string(stripslashes($_POST['strvar'])).'\'');
?>

yeah if the submitted value is 1, but if the submitted value is 'beer' the result can be different, probably 0, e.g. many SQL engines don't allow use of quotes when testing or setting data, so the var use results in 0 or a null string when something odd is inputted. You may want to filter that before giving it to a query.
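The thread's three points (the unquoted interpolation lets "0 OR 1=1" match every row, a cast turns "beer" into 0, and the value should be filtered before it reaches the query) can be seen side by side in the following added example. It is not code from the thread or from any of the posters: it uses PDO with an in-memory SQLite database so it runs offline (a MySQL DSN would behave the same way), the table contents and the three sample inputs are constructed, and fetchUnsafe/fetchSafe are hypothetical function names. The hardened version validates the id with filter_var and binds it as a parameter instead of building the SQL string.

```php
<?php
// Added example (not from the forum thread). Runs offline with pdo_sqlite.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
// Constructed table standing in for the thread's "article" table.
$db->exec('CREATE TABLE article (articleid INTEGER PRIMARY KEY, headline TEXT, body TEXT)');
$db->exec("INSERT INTO article VALUES (1, 'First', 'public text'), (2, 'Second', 'more text')");

// The pattern from the job question: the request value is pasted into the SQL.
// Whatever the client sends becomes part of the statement.
function fetchUnsafe(PDO $db, string $articleid): array
{
    $sql = "SELECT headline, body FROM article WHERE articleid=$articleid";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: validate first, then bind.
// filter_var rejects anything that is not a whole integer >= 1, so both
// "0 OR 1=1" and "beer" are refused rather than silently cast to 0.
// The placeholder keeps the value out of the SQL grammar entirely.
function fetchSafe(PDO $db, string $articleid): array
{
    $id = filter_var($articleid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return []; // caller can turn this into the error message the thread mentions
    }
    $stmt = $db->prepare('SELECT headline, body FROM article WHERE articleid = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs standing in for $_POST['articleid'].
$inputs = ['1', '0 OR 1=1', 'beer'];

foreach ($inputs as $input) {
    try {
        $unsafe = count(fetchUnsafe($db, $input)) . ' rows';
    } catch (PDOException $e) {
        // "beer" is parsed as a column name and the engine raises an error
        $unsafe = 'SQL error';
    }
    $safe = count(fetchSafe($db, $input)) . ' rows';
    printf("%-12s unsafe: %-9s safe: %s\n", var_export($input, true), $unsafe, $safe);
}
```

Running it prints one line per input: '1' returns one row both ways, '0 OR 1=1' returns every row through fetchUnsafe and nothing through fetchSafe, and 'beer' produces an SQL error in the unsafe path and an empty result in the safe one. The (int) cast suggested in the thread also stops the injection, but it maps every non-numeric input to 0, which is why the last reply recommends filtering the value and reporting the error instead of querying for id 0.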