[prog] Placeholders and earlier versions of PHP
Jacinta Richardson
jarich at perltraining.com.au
Tue May 3 10:26:31 EST 2005
Mary wrote:
> On Tue, May 03, 2005, Jacinta Richardson wrote:
>
>>It's the whole: never trust anything that came in from the user approach.
>>It's very important because curious users, stupid users and malicious users
>>might all give your programs crappy data which you'd rather not be putting
>>into your db anyway.
>
>
> It's not just crappy data. It's malicious commands.
Oh absolutely. Malicious commands are the big reason why placeholders are so
good. Although strict data validation does help here a lot too.
> But what if someone puts in $NAME="';DROP DATABASE;". Then you get:
>
> SELECT * FROM Users WHERE Name=''; DROP DATABASE;';
Some databases, including MySQL, are smart enough to return an error on that kind
of input. When a program says to the database driver "here is a (one, single)
command to run", and then passes through 2 or more commands, MySQL will usually
view it as a syntax error.
Of course not all databases do this and it may also depend a little on what the
database driver says. I haven't tried to pair up commands through PHP before so
I don't know if the PHP driver takes advantage of this feature. I know that the
Perl mysql DBD does.
> The last of the three commands is "';" which SQL doesn't like, but
> they've managed to successfully close your quotes by including ' at the
> start of $NAME and thereby gotten the SQL to run DROP DATABASE.
> (Assuming the MySQL user has permission to do that, but see below: even
> SELECT statements can be dangerous.)
>
> Or they might do $NAME="'; SELECT CreditCardNumber FROM Users;" and the
> command becomes:
>
> SELECT * FROM Users WHERE Name=''; SELECT CreditCardNumber FROM Users;';
Very true.
> These are extremely well-known attacks too, not some kind of academic
> concern. If you run scripts exposed to untrusted users, you'll see this
> stuff attempted fairly soon. The most important thing to avoid is
> letting users insert extra quotes into database queries without escaping
> the quotes.
I've seen it happen. I've even demonstrated it to some suppliers of a client of
mine who were swearing black and blue that the security bugs I was referring to
didn't exist.
If you validate your data most of these problems go away. What characters
should a name have in them? Alpha-numerics, spaces, apostrophes (warning),
dots, underscores (maybe). Semicolons? Nope. Well, that will rain on
someone's parade.
Jacinta
--
("`-''-/").___..--''"`-._ | Jacinta Richardson |
`6_ 6 ) `-. ( ).`-.__.`) | Perl Training Australia |
(_Y_.)' ._ ) `._ `. ``-..-' | +61 3 9354 6001 |
_..`--'_..-_/ /--'_.' ,' | contact at perltraining.com.au |
(il),-'' (li),' ((!.-' | www.perltraining.com.au |
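The three ideas the thread goes through (a driver that refuses to run two statements handed to it as one, placeholders that bind the input as a value, and an allowlist for what a name may contain) can be seen side by side in the small Python program below. It is an added example, not code from the original post or from the PHP or Perl drivers discussed; it uses an in-memory SQLite database with a constructed `Users` table standing in for the MySQL database in the thread, Python's `sqlite3` module in place of the Perl `DBD::mysql` driver, and the same `';DROP DATABASE;` input Mary used. The name allowlist follows Jacinta's list (alpha-numerics, spaces, apostrophes, dots, underscores) and the 64-character cap is an assumption.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database: two users with fake card numbers (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT, CreditCardNumber TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?)",
        [("Mary", "4111-0000-0000-0001"), ("Jacinta", "4111-0000-0000-0002")],
    )
    conn.commit()
    return conn


def build_query_by_interpolation(name):
    """The flawed pattern from the thread: user input pasted straight into SQL text.
    With name = "';DROP DATABASE;" this produces exactly the string Mary showed."""
    return "SELECT * FROM Users WHERE Name='%s';" % name


def run_interpolated(conn, name):
    """Run the interpolated query as one 'single command'.

    Returns ("rows", [...]) or ("error", message). Like the MySQL driver
    behaviour Jacinta describes, sqlite3's execute() accepts exactly one
    statement and raises if the string carries a second one after it
    (sqlite3.Warning on older Pythons, sqlite3.ProgrammingError on newer)."""
    sql = build_query_by_interpolation(name)
    try:
        return ("rows", conn.execute(sql).fetchall())
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return ("error", str(exc))


def run_with_placeholder(conn, name):
    """The safe pattern: the driver binds name as a value, never as SQL text.
    A name containing quotes or semicolons simply matches no row."""
    return conn.execute("SELECT * FROM Users WHERE Name=?", (name,)).fetchall()


# Allowlist for a name, per Jacinta's list: alpha-numerics, spaces,
# apostrophes, dots, underscores. Length limit of 64 is an assumption.
NAME_RE = re.compile(r"^[A-Za-z0-9 .'_]{1,64}$")


def is_valid_name(name):
    """Strict input validation: semicolons (and anything else unexpected) fail."""
    return bool(NAME_RE.match(name))


if __name__ == "__main__":
    conn = make_db()
    hostile = "';DROP DATABASE;"
    print("interpolated SQL :", build_query_by_interpolation(hostile))
    print("driver result    :", run_interpolated(conn, hostile))
    print("placeholder rows :", run_with_placeholder(conn, hostile))
    print("placeholder rows :", run_with_placeholder(conn, "Mary"))
    print("valid name?      :", is_valid_name("Mary O'Brien"), is_valid_name(hostile))
```

Note that the driver's one-statement rule is a safety net, not a defence: the interpolated version still breaks on an ordinary name like `O'Brien`, which is why the placeholder form and the allowlist are the parts to keep.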