Hi Daniel,

mysql 'sql inject' attack try:
SQL query: SELECT * FROM uers WHERE user='".$user."' AND
password='".$passwd."'"
instead of
SQL query: SELECT * FROM uers WHERE user="$user" AND password="$passwd"

The password: aa" or 1=1" will produce the following (php) SQL-query:
"SELECT * FROM uers WHERE user='test" AND password='aa\" or 1=1\"'
instead of
"SELECT * FROM uers WHERE user=test AND password=aa or 1=1"

Effectively, no positive result for the bad guy.

When I saw the idea of patients and personnel data in the same table it was
also strange and new for me. But I think it's okay. Why not?

Robert
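To make the three constructions discussed in this thread concrete (the interpolated query Daniel describes, the quote escaping that Robert's `\"` output relies on, and a query with bound parameters), here is an added example that is not part of the thread and not Care2x code. It uses Python's sqlite3 module with a constructed `users` table, the thread's `aa" or 1=1"` payload rewritten for single-quoted literals, and a small LIKE search that shows the `%` behaviour Daniel mentions in his PS; all function names are assumptions of this example.

```python
import sqlite3

# Added example, not part of the thread or of Care2x. Table and row are constructed.


def setup_db():
    """Return an in-memory database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('test', 'secret')")
    return conn


# The thread's payload (aa" or 1=1") rewritten for single-quoted SQL literals.
PAYLOAD = "aa' or '1'='1"


def login_interpolated(conn, user, passwd):
    """Vulnerable form: input is pasted into the SQL text, like "$passwd" in PHP.
    The quote in the payload ends the literal and the rest becomes an OR clause."""
    sql = f"SELECT * FROM users WHERE user='{user}' AND password='{passwd}'"
    return conn.execute(sql).fetchone() is not None


def escape_quotes(value):
    """Quote escaping in the spirit of PHP addslashes()/magic_quotes.
    SQLite escapes a single quote by doubling it rather than with a backslash."""
    return value.replace("'", "''")


def login_escaped(conn, user, passwd):
    """Escaped form: the quote no longer ends the literal, so the whole
    payload is compared as one password string and matches nothing."""
    sql = (
        f"SELECT * FROM users WHERE user='{escape_quotes(user)}'"
        f" AND password='{escape_quotes(passwd)}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_param(conn, user, passwd):
    """Bound parameters: the SQL text is fixed, the values travel separately
    and are never parsed as SQL, whatever characters they contain."""
    sql = "SELECT * FROM users WHERE user=? AND password=?"
    return conn.execute(sql, (user, passwd)).fetchone() is not None


def search_person_naive(conn, term):
    """Prefix search that passes % and _ straight into LIKE: a term of '%'
    matches every row, which is the behaviour Daniel noticed."""
    sql = "SELECT user FROM users WHERE user LIKE ?"
    return [row[0] for row in conn.execute(sql, (term + "%",))]


def search_person(conn, term):
    """Prefix search where % and _ typed by the user are matched literally."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT user FROM users WHERE user LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (escaped + "%",))]


if __name__ == "__main__":
    db = setup_db()
    print("interpolated, payload:", login_interpolated(db, "test", PAYLOAD))  # True: bypass
    print("escaped, payload:", login_escaped(db, "test", PAYLOAD))            # False
    print("parameterised, payload:", login_param(db, "test", PAYLOAD))        # False
    print("parameterised, real password:", login_param(db, "test", "secret")) # True
    print("naive search '%':", search_person_naive(db, "%"))                  # ['test']
    print("literal search '%':", search_person(db, "%"))                      # []
```

Escaping, as in Robert's example, only helps while the value sits inside a quoted literal and every code path applies it; bound parameters remove the problem for all inputs because the database never parses the value as part of the statement. The same applies to `%` and `_`: a parameter stops them from breaking the query, but they remain LIKE wildcards until they are escaped with an ESCAPE clause as in `search_person`.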

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On behalf of
> Daniel Ignat
> Sent: Friday, 12 November 2004 11:25
> To: [EMAIL PROTECTED]
> Subject: Re: [Care2002-developers] about patients and personnel in the
> same table
>
>
> Hi!
>
> I saw that also and it seems to me a little bit
> annoying to mix personnel and patients.. but you
> also are right about duplicate data if someone
> from the personnel gets sick..
>
> so, my suggestion is this (for the main developers
> of care2x): is it possible to put an unchecked
> 'check box' in the 'search person' form, so that
> you may 'include', *if you want* the personnel
> data (as an exception), in the search query?..
>
> or maybe better, 2 radio buttons:
>   - only personnel, only patients
> this way you will not have to look for all the
> patients (including the filter) either when looking
> for personnel..
>
> it is not difficult for the developer who has done
> that form, but it would be a great feature for the
> user. there is only one check box with a text, then
> a filter in the sql query..
>
> PS. I realized that you may use the '%' sql operator
> in a query.. I don't know if this is a 'feature' or
> a 'bug'. It may be a security breach. Are you aware
> of the 'sql inject' attacks? It seems that there is
> no expression checking on the 'person search' input
> text.. (but I recognize I didn't have the time to
> check the code. So, sorry if this isn't true; I just
> had it in my mind for a while and wanted to warn you)
>
> PPS Example of a mysql 'sql inject' attack (I hope
> to remember it correctly, but if not, you will grasp
> the idea):
>
> <FORM>... etc
> user: test
> password: aa" and ""="""
>                    ^^^^^^^ - this disables your original
> query if you don't check the user input (which should
> always be done, with a regular expression and other
> mechanisms, like the native functions of php related
> to slashes, command parsing (see doc for exec(), etc )
>
> SQL query: SELECT * FROM uers WHERE user="$user" AND
> password="$passwd"
>
>
> Regards,
>
> --
> Daniel Ignat
> PHP Programmer and SysAdmin
>
>
> Elpidio Latorilla wrote:
> > Hello Walter,
> >
> > I just suggested that possibility based on my understanding of your idea
> > to separate the personal data of the hospital's personnel from the
> > patient data. Since the personal data are the same, you can use the same
> > structure. Of course this means that once a hospital's employee gets sick
> > and himself becomes that hospital's patient, you might need to reenter
> > his personal data as a patient. This means double work and redundancy of
> > data.
> >
> > I personally wanted to avoid this redundancy; that's why there is
> > currently only one person data table and it also contains the data of
> > the hospital's personnel.
> >
> > But I understood from your last posting that you might need a true
> > separation, so I suggested the previous solution. Please correct me if I
> > am wrong.
> >
> > Elpidio
> >
> > On Wednesday 10 November 2004 16:33, Walter Nunez wrote:
> >
> >>Thank you Elpidio.
> >>But, in this table, personnel and patients:
> >>¿Why do they share the same table as in the original design?
> >
> >
> >
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by:
> > Sybase ASE Linux Express Edition - download now for FREE
> > LinuxWorld Reader's Choice Award Winner for best database on Linux.
> > http://ads.osdn.com/?ad_id=5588&alloc_id=12065&op=click
> > _______________________________________________
> > Care2002-developers mailing list
> > [EMAIL PROTECTED]
> > https://lists.sourceforge.net/lists/listinfo/care2002-developers
> >
> >
>
>
>


