Page 1 of 1
not quoting before running this query - insecure?
Posted: Fri Aug 04, 2006 3:08 pm
by Luke
is there a vulnerability by doing this?
Code: Select all
$db->select("SELECT * FROM table WHERE username = " . $unescaped_user_input);
Is it just when data is saved to a database that it can be harmful?
Posted: Fri Aug 04, 2006 3:27 pm
by Chris Corbyn
Code: Select all
$unescaped_user_input = "''; delete from table where 1";
$db->select("SELECT * FROM table WHERE username = " . $unescaped_user_input);
Posted: Fri Aug 04, 2006 3:31 pm
by Luke

thanks
So it needs to be filtered, but is escaping it necessary?
EDIT: Wait escaping those quotes would prevent that, huh?
Posted: Fri Aug 04, 2006 3:59 pm
by Benjamin
d11wtq wrote:Code: Select all
$unescaped_user_input = "''; delete from table where 1";
$db->select("SELECT * FROM table WHERE username = " . $unescaped_user_input);
That won't work because mysql_query will not execute multiple queries.
Posted: Fri Aug 04, 2006 4:04 pm
by Luke
yea I tried it and couldn't get it to work, but I figured I did something wrong (because 99% of the time, that is the case)
Posted: Fri Aug 04, 2006 4:05 pm
by Jenk
= auto login.
Not to mention on most systems the first ID will be the admin's id, thus if any privileges are selected.. you'll have admin powers.
Posted: Fri Aug 04, 2006 4:15 pm
by Benjamin
I would create a validation class that validates common post variables. You can then use the same class for everything, ie the signup form, lost password form, login form, etc.. This gives you several layers of protection.
Code: Select all
$validate = new validation($unescaped_user_input);
try {
if (!$validate->username) throw new Exception("Invalid Username.");
$db->select("SELECT * FROM `table` WHERE `username`='" . mysql_real_escape_string($unescaped_user_input) . "' LIMIT 1");
} catch (Exception $e)
{
echo $e->getMessage();
}
Posted: Fri Aug 04, 2006 4:20 pm
by Luke
can't get that to work either (not saying it isn't true... more that i suck at hacking)
Posted: Fri Aug 04, 2006 4:21 pm
by Luke
astions wrote:I would create a validation class that validates common post variables. You can then use the same class for everything, ie the signup form, lost password form, login form, etc.. This gives you several layers of protection.
Code: Select all
$validate = new validation($unescaped_user_input);
try {
if (!$validate->username) throw new Exception("Invalid Username.");
$db->select("SELECT * FROM `table` WHERE `username`='" . mysql_real_escape_string($unescaped_user_input) . "' LIMIT 1");
} catch (Exception $e)
{
echo $e->getMessage();
}
well I already do that... I was merely wondering whether or not mysql_real_escape_string is necessary in this case
Posted: Fri Aug 04, 2006 4:23 pm
by Benjamin
Code: Select all
SELECT * FROM table WHERE username = 'blah' OR 1 = 1;
That should work, the ' probably threw it off.
Posted: Fri Aug 04, 2006 4:25 pm
by Luke
strangely enough, it doesn't. and neither does
Code: Select all
select * from Users WHERE username='blah' or user_id = 1;
Posted: Sun Aug 06, 2006 3:51 pm
by jmut
hey all,
I think there is some misunderstanding here as to what escaping and validation really is.
ESCAPING is to prepare a given content to work/present itself adequately in given context (db,html whatever).
ESCAPING(preparing WHATEVER data to be savely introduced to given context) has absolutely nothing todo with validation(data we would consider harmuful to our application at some point).
so when you want to store/select data in DB for example, you just need to escape it (only realiable way is either using mysql_real_escape_string() or prepared queries)...otherwise you fail to ensure your data will wholly/unchanged go into a database and you may experience failed/injected sql query.
Another example(for other context) is using htmlentities to properly introduce whatever data to html context.
No whether this data is valid for your application....it is up to you to decide...whethear or not so...you escape data to fit correctly into its new context.