Injection via URL

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Stryks
Forum Regular
Posts: 746
Joined: Wed Jan 14, 2004 5:06 pm

Injection via URL

Post by Stryks »

Hi all, not so much a problem as a question.

I have read often that you shouldn't use variables like $sql to hold your SQL queries or the like, because if your register_globals is on it can be overridden.

I have also read that this is overcome if you declare variables at the start of each page.

What I don't understand is, let's just say that I take info and run it through a MySQL query which is stored in the variable $sql. If I have the code in the format of:

$sql = "query here";
{database call here}

Then how can the user override the value of $sql, given that it was set after any override the user made?

Sorry if this seems really simple, but I've never seen it stated HOW this is a threat.

Thanks
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

AFAIK that would be impossible... it can only be exploited if it has not been initialised/set to something different...

Anyway, nowadays this shouldn't be an issue anymore with register_globals off... and I believe they were talking about removing register_globals completely from PHP 5.2, or maybe already in 5.2.
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

The only way I can think of is with some really crappy code..

<?php
function getsql($id) {
  return "SELECT password FROM users WHERE id = $id";
}

if (!empty($_GET['id'])) {
  $sql = getsql($_GET['id']);
}

mysql_query($sql);
?>

and that's with a mix of register_globals being on AND the person not knowing what they're doing in respect to programming.
magicrobotmonkey
Forum Regular
Posts: 888
Joined: Sun Mar 21, 2004 1:09 pm
Location: Cambridge, MA

Post by magicrobotmonkey »

One situation where it's possible is if a query (or part of one (such as an ORDER BY for a sort or something)) is being passed through POST or GET. Of course, this is just bad practice.
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

magicrobotmonkey wrote: One situation where it's possible is if a query (or part of one (such as an ORDER BY for a sort or something)) is being passed through POST or GET. Of course, this is just bad practice.

Well, that's really SQL injection in general, whereas I was thinking he was talking about:

Stryks wrote: I have read often that you shouldn't use variables like $sql to hold your SQL queries or the like, because if your register_globals is on it can be overridden.
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Re: Injection via URL

Post by shiflett »

Stryks wrote: I have read often that you shouldn't use variables like $sql to hold your SQL queries or the like, because if your register_globals is on it can be overridden.

This is only true if there exists a logical path through your application by which the variable is never initialized.

To make sure you're aware of any accidental uses of uninitialized variables, turn error_reporting up to E_ALL. You should still disable register_globals to further reduce the risk.
magicrobotmonkey
Forum Regular
Posts: 888
Joined: Sun Mar 21, 2004 1:09 pm
Location: Cambridge, MA

Post by magicrobotmonkey »

Right, that's what I'm saying - an example of a logical path is where part of your query is coming from a form.
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Post by shiflett »

magicrobotmonkey wrote: Right, that's what I'm saying - an example of a logical path is where part of your query is coming from a form.

Those two things are different. You're talking about intentionally using data from the client. The question was about data being injected into the script, causing you to unknowingly use data from the client.

Imagine someone asking, "How can I be sure that someone hasn't poisoned my drink?" It doesn't really help them to say, "Don't put poison in your drink." :-)
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

magicrobotmonkey wrote: Right, that's what I'm saying - an example of a logical path is where part of your query is coming from a form.

An example of a logical path is a set of if statements or switches which unintentionally never set a variable ($sql in this example), therefore making any $_GET or $_POST $sql variable be used instead.

It doesn't happen often, and E_ALL should let you know if it is possible...
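The "logical path" the thread keeps coming back to, written out as an added example (not code from any poster). register_globals was removed in PHP 5.4, so its effect is simulated here with extract() on a constructed $_GET; the switch with no default branch is the unintended path, and the second function shows the fix of initialising $sql before any branch and failing closed.

```php
<?php
// Added example, not from the thread. register_globals is gone since PHP 5.4,
// so extract($request) stands in for it: every request parameter becomes a
// local variable, which is exactly what register_globals=On did.
declare(strict_types=1);
error_reporting(E_ALL); // as shiflett says: surfaces "Undefined variable $sql"
                        // when no branch assigns it and nothing injected it

// Constructed request: an unexpected 'sort' value plus a stray 'sql' parameter.
$_GET = ['sort' => 'bogus', 'sql' => 'SELECT password FROM users'];

// Vulnerable: $sql is only assigned in the cases the author thought of.
function buildQueryVulnerable(array $request): ?string
{
    extract($request); // simulates register_globals=On
    switch ($sort) {
        case 'name':
            $sql = 'SELECT id, name FROM users ORDER BY name';
            break;
        case 'date':
            $sql = 'SELECT id, name FROM users ORDER BY created';
            break;
        // no default: for any other $sort the script never assigns $sql,
        // so whatever the request put into $sql is what gets returned
    }
    return $sql;
}

// Hardened: $sql is initialised first and unknown input is rejected, so a
// request parameter can never be the first (and only) assignment.
function buildQuerySafe(array $request): ?string
{
    $sql = null; // the script's own assignment always comes first
    $allowed = [
        'name' => 'SELECT id, name FROM users ORDER BY name',
        'date' => 'SELECT id, name FROM users ORDER BY created',
    ];
    $sort = $request['sort'] ?? 'name';
    if (!array_key_exists($sort, $allowed)) {
        return null; // caller treats null as a bad request, runs nothing
    }
    $sql = $allowed[$sort];
    return $sql;
}

echo 'vulnerable: ', var_export(buildQueryVulnerable($_GET), true), PHP_EOL;
echo 'safe:       ', var_export(buildQuerySafe($_GET), true), PHP_EOL;
```

Run it from the command line: the vulnerable function hands back the injected query string, the hardened one returns null for the unexpected sort value.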