[prog] Placeholders and earlier versions of PHP

[Mary]

On Tue, May 03, 2005, Jacinta Richardson wrote:
> It's the whole: never trust anything that came in from the user  approach.  
> It's very important because curious users, stupid users and malicious users 
> might all give your programs crappy data which you'd rather not be putting 
> into your db anyway.

It's not just crappy data. It's malicious commands. You might think
people put in $NAME="Susan", so you run this command:

    SELECT * FROM Users WHERE Name='$NAME';

which is in this case becomes the innocuous command

    SELECT * FROM Users WHERE Name='Susan';

But what if someone puts in $NAME="';DROP DATABASE;". Then you get:

    SELECT * FROM Users WHERE Name=''; DROP DATABASE;';

The last of the three commands is "';" which SQL doesn't like, but
they've managed to successfully close your quotes by including ' at the
start of $NAME and thereby gotten the SQL to run DROP DATABASE.
(Assuming the MySQL user has permission to do that, but see below: even
SELECT statements can be dangerous.)

Or they might do $NAME="'; SELECT CreditCardNumber FROM Users;" and the
command becomes:

    SELECT * FROM Users WHERE Name=''; SELECT CreditCardNumber FROM Users;';

In some scripts, that will cause every credit card number in the
database to be displayed on screen. (Well, usually you should be
encrypting them, but other personal information like addresses are
normally stored in clear text.) If you're wondering how they know the
column name -- well, people don't usually make them too hard to guess,
and you could always run the relevant SQL commands to find them out
before running the above.

These are extremely well-known attacks too, not some kind of academic
concern. If you run scripts exposed to untrusted users, you'll see this
stuff attempted fairly soon. The most important thing to avoid is
letting users insert extra quotes into database queries without espacing
the quotes.

-Mary