[prog] PHP script security
Dan Richter
daniel.richter at wimba.com
Mon Aug 18 12:05:06 EST 2003
>OK I'll bite. How will escaping out ' and \ make you safe from
>hackers?
Okay, let's say you have an online phone directory (say, for a company).
You invite the user to enter a name and your PHP code retrieves the phone
number. It might do it like this:
mysql_query("SELECT phone FROM the_table WHERE name='$name'");
Of course, $name is the name the user entered.
Note that we didn't tell the program to change any data, just retrieve it.
Then one day someone enters this name:
'; DROP TABLE the_table;
That makes your query:
SELECT phone FROM the_table WHERE name='';
DROP TABLE the_table;
';
The SQL parser will probably execute the two syntactically correct
statements before reporting an error on that quote at the end. And even the
problem of that ending part can be overcome with a little effort.
Of course, database permissions might not allow the web server to perform
that operation, but some less destructive attacks may still be possible. A
simple call to AddSlashes removes the possibility for abuse.
--
This may sound a little foreign to all you folks coming from a
non-Unix background, but PHP doesn't cost anything. You can use it
for commercial and/or non-commercial use all you want. You can give
it to your friends, print it out and hang it on your wall or eat it
for lunch. Welcome to the world of Open Source software! Smile, be
happy, the world is good.
- Quoted from http://www.php.net
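The phone lookup described in the post, as an added example that is not from the original message: Python with an in-memory SQLite table standing in for PHP and MySQL. SQLite follows standard SQL, where a quote inside a literal is doubled, so the escaping helper here doubles quotes rather than backslashing them as AddSlashes does for MySQL; the parameterized version is the fix that does not depend on any escaping rule. The table name, sample rows and the `lookup_*` helpers are constructed for this example.

```python
import sqlite3

# Constructed sample directory standing in for the company phone table.
DIRECTORY = [("Alice", "555-0100"), ("Bob", "555-0101")]
# The name from the post that turns one lookup into two statements.
PAYLOAD = "'; DROP TABLE the_table;"


def fresh_db():
    """In-memory SQLite table shaped like the_table in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE the_table (name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO the_table VALUES (?, ?)", DIRECTORY)
    return conn


def build_unsafe(name):
    """The query exactly as the post builds it: input spliced into SQL."""
    return "SELECT phone FROM the_table WHERE name='%s'" % name


def escape_literal(name):
    """Escaping in the spirit of AddSlashes, but for SQLite/standard SQL:
    a quote inside a literal is doubled (MySQL also accepts backslashes)."""
    return name.replace("'", "''")


def lookup_escaped(conn, name):
    """String building with escaping: the payload stays inside the literal."""
    sql = "SELECT phone FROM the_table WHERE name='%s'" % escape_literal(name)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_parameterized(conn, name):
    """Preferred fix: the driver sends the value separately from the SQL."""
    row = conn.execute(
        "SELECT phone FROM the_table WHERE name=?", (name,)).fetchone()
    return row[0] if row else None


def table_exists(conn):
    """True while the_table is still present in the schema."""
    return conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE name='the_table'"
    ).fetchone()[0] == 1


if __name__ == "__main__":
    db = fresh_db()
    print(build_unsafe(PAYLOAD))  # the two-statement query from the post
    print(lookup_escaped(db, PAYLOAD), lookup_parameterized(db, PAYLOAD))
    print(lookup_parameterized(db, "Alice"), table_exists(db))
```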