[prog] PHP script security

Dan Richter daniel.richter at wimba.com
Mon Aug 18 12:05:06 EST 2003


>OK I'll bite. How will escaping out ' and \ make you safe from
>hackers?

Okay, let's say you have an online phone directory (say, for a company). 
You invite the user to enter a name and your PHP code retrieves the phone 
number. It might do it like this:
    mysql_query("SELECT phone FROM the_table WHERE name='$name'");
Of course, $name is the name the user entered.

Note that we didn't tell the program to change any data, just retrieve it.

Then one day someone enters this name:
    '; DROP TABLE the_table;

That makes your query:
    SELECT phone FROM the_table WHERE name='';
    DROP TABLE the_table;
    ';

The SQL parser will probably execute the two syntactically correct 
statements before reporting an error on that quote at the end. And even the 
problem of that ending part can be overcome with a little effort.

Of course, database permissions might not allow the web server to perform 
that operation, but some less destructive attacks may still be possible. A 
simple call to AddSlashes removes the possibility for abuse.

-- 
  This may sound a little foreign to all you folks coming from a
  non-Unix background, but PHP doesn't cost anything. You can use it
  for commercial and/or non-commercial use all you want. You can give
  it to your friends, print it out and hang it on your wall or eat it
  for lunch. Welcome to the world of Open Source software! Smile, be
  happy, the world is good.
      - Quoted from http://www.php.net
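The fix the thread is circling around, as an added example that is not part of the original post or of the list archive: the interpolated query from the message beside a version that binds the name as a parameter. It assumes a MySQL table `the_table(name, phone)` reachable through PDO (swapped in for the post's `mysql_query`); the DSN, credentials and the name `Alice Example` are placeholders.

```php
<?php
// Added example, not from the original post. Assumes a PDO connection to a
// MySQL database holding the_table(name VARCHAR, phone VARCHAR); the DSN and
// credentials below are placeholders.

declare(strict_types=1);

// The pattern from the post: user input spliced into the SQL text.
// Kept only to make the failure mode visible; not for production use.
function buildVulnerableQuery(string $name): string
{
    return "SELECT phone FROM the_table WHERE name='$name'";
}

// Hardened form: the SQL text is fixed at prepare time and the value travels
// separately as a bound parameter, so a quote inside $name can never close
// the string literal or start a second statement.
function lookupPhone(PDO $db, string $name): ?string
{
    $stmt = $db->prepare('SELECT phone FROM the_table WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $phone = $stmt->fetchColumn();
    return $phone === false ? null : (string) $phone;
}

// Show what the interpolated query becomes for the input quoted in the post.
$payload = "'; DROP TABLE the_table;";
echo buildVulnerableQuery($payload), PHP_EOL;

$db = new PDO(
    'mysql:host=localhost;dbname=directory;charset=utf8mb4', // placeholder DSN
    'app_user',                                               // placeholder user
    'app_password',                                           // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

// With a bound parameter the same input is just a name that matches no row.
var_dump(lookupPhone($db, $payload));
var_dump(lookupPhone($db, 'Alice Example'));
```

The bound-parameter form also removes a dependency that escaping carries: an escaping function only protects the query if its rules match the connection's character set, whereas a parameter is never parsed as SQL at all. The `mysql_query` call in the post accepts a single statement per call, which is why the example prints the spliced query rather than sending it.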


