Injection via URL

Posted: Thu Feb 17, 2005 12:57 am
by Stryks
Hi all, not so much a problem as a question.

I have read often that you shouldn't use variables like $sql to hold your SQL queries or the like, because if your register globals is on it can be overridden.

I have also read that this is overcome if you declare variables at the start of each page.

What I don't understand is, let's just say that I take info and run it through a MySQL query which is stored in the variable $sql. If I have the code in the format of:

Code:

$sql = "query here";
{database call here}

Then how can the user override the value of $sql, given that it was set after any override the user made.

Sorry if this seems really simple, but I've never seen it stated HOW this is a threat.

Thanks

Posted: Thu Feb 17, 2005 1:02 am
by timvw
afaik that would be impossible.... it can only be exploited if it has not been initialised/set to something different...

anyway, nowadays this shouldn't be an issue anymore with register_globals off... and i believe they were talking about removing register_globals completely from php5.2 or maybe already in 5.2

Posted: Thu Feb 17, 2005 6:13 am
by d3ad1ysp0rk
The only way I can think of is with some really crappy code..

Code:

<?php
function getsql($id) {
  // $id goes into the query unescaped: ordinary SQL injection, separate from the register_globals point
  return "SELECT password FROM users WHERE id = $id";
}

if (!empty($_GET['id'])) {
  $sql = getsql($_GET['id']);
}

// If 'id' was absent, $sql was never assigned above, so with register_globals on
// a ?sql=... request parameter is what reaches mysql_query()
mysql_query($sql);
?>
and that's with a mix of register_globals being on AND the person not knowing what they're doing in respect to programming.

Posted: Thu Feb 17, 2005 8:36 am
by magicrobotmonkey
one situation where it's possible is if a query (or part of one (such as an ORDER BY for a sort or something)) is being passed through post or get. Of course, this is just bad practice.

Posted: Thu Feb 17, 2005 10:13 am
by d3ad1ysp0rk
magicrobotmonkey wrote:
one situation where it's possible is if a query (or part of one (such as an ORDER BY for a sort or something)) is being passed through post or get. Of course, this is just bad practice.
Well, that's really SQL injection in general, whereas I was thinking he was talking about:
I have read often that you shouldn't use variables like $sql to hold your SQL queries or the like, because if your register globals is on it can be overridden.

Re: Injection via URL

Posted: Fri Feb 18, 2005 12:53 am
by shiflett
I have read often that you shouldn't use variables like $sql to hold your SQL queries or the like, because if your register globals is on it can be overridden.
This is only true if there exists a logical path through your application by which the variable is never initialized.

To make sure you're aware of any accidental uses of uninitialized variables, turn error_reporting up to E_ALL. You should still disable register_globals to further reduce the risk.

Posted: Fri Feb 18, 2005 7:10 am
by magicrobotmonkey
Right, that's what I'm saying - an example of a logical path is where part of your query is coming from a form.

Posted: Fri Feb 18, 2005 11:58 am
by shiflett
Right, that's what I'm saying - an example of a logical path is where part of your query is coming from a form.
Those two things are different. You're talking about intentionally using data from the client. The question was about data being injected into the script, causing you to unknowingly use data from the client.

Imagine someone asking, "How can I be sure that someone hasn't poisoned my drink?" It doesn't really help them to say, "Don't put poison in your drink." :-)

Posted: Fri Feb 18, 2005 7:15 pm
by d3ad1ysp0rk
magicrobotmonkey wrote:
Right, that's what I'm saying - an example of a logical path is where part of your query is coming from a form.
An example of a logical path is a set of if statements or switches which unintentionally never set a variable ($sql in this example), therefore making any $_GET or $_POST $sql variable be used instead.

It doesn't happen often, and E_ALL should let you know if it is possible..
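As an added example (not code from the thread), the uninitialised-$sql path that d3ad1ysp0rk and shiflett describe: a switch with no case for the incoming action, register_globals emulated with extract() on a request constructed inline, and beside it the version that initialises $sql first and picks the query from a fixed map.

```php
<?php
// Added example, not code from the thread: a switch that never assigns $sql on one
// path, and how register_globals turned that gap into client-controlled SQL.
error_reporting(E_ALL);   // shiflett's advice: an unassigned $sql is reported as a notice

// Constructed request standing in for ?action=delete&sql=...; no real server involved.
$_GET = ['action' => 'delete', 'sql' => 'SELECT password FROM users'];

// Emulate register_globals=On, which copied every request key into the global scope
// before the script ran (the same effect as extract() on the request array).
extract($_GET, EXTR_SKIP);

// --- Vulnerable: no case covers 'delete', so $sql is never set on this path ---
switch ($action) {
    case 'list':  $sql = 'SELECT id, name FROM users'; break;
    case 'count': $sql = 'SELECT COUNT(*) FROM users'; break;
}
// With register_globals on, $sql here is whatever the client put in the URL.
echo "vulnerable: ", $sql, PHP_EOL;   // prints the SELECT password ... string

// --- Hardened: initialise before the branches, reject unknown actions, and keep
//     client data out of the SQL text by choosing the query from a fixed map ---
function buildQuery(array $request): string {
    $queries = [
        'list'  => 'SELECT id, name FROM users',
        'count' => 'SELECT COUNT(*) FROM users',
    ];
    $action = $request['action'] ?? '';
    $sql = null;                       // explicit init: nothing from outside can fill it
    if (isset($queries[$action])) {
        $sql = $queries[$action];
    }
    if ($sql === null) {
        throw new InvalidArgumentException("unknown action: $action");
    }
    return $sql;
}

try {
    echo "hardened: ", buildQuery($_GET), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "hardened: rejected (", $e->getMessage(), ")", PHP_EOL;
}
```

Run it with the PHP CLI; the first line shows the injected query reaching the vulnerable path, the second shows the hardened function refusing the unknown action instead.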