On Fri, Jul 04, 2003 at 10:26:47AM +1000, JacobRhoden wrote:
> Even though this is getting waaay off topic...
>   On Thu, 3 Jul 2003 07:46 pm, Matt Heath wrote:
>   > Ever seen something like this :
>   > $r = mysql_execute("select * from table_1 where id=$_GET[id];");
> Actually people do do the same thing in perl and you know it :P Both perl and 
> php support calling sql with parameters using ? to insert variables. If 
> someone does not know what language to use at all, I would suggest php simply 
> because it's a good, quick, easy language to get started in without too much 
> difficulty. (In lots of ways including not needing to understand cgi 
> variables, and what the heck Content-type: text/html\n\n is, or learning how 
> to include perl libraries to do all that stuff for you!)

You're missing the point.  $_GET[id] is one of the arguments used when
calling the PHP and as such is completely under the control of an
external user.  This permits all sorts of shenanigans that generally
go under the name "SQL injection attacks".  For instance, in this
case, if you could arrange for the $_GET[id] variable to have the value
'joe OR 1=1' then you could dump out the whole of table_1.  I'm sure
that with a little thought you could come up with something much more

Exactly the same problem occurs with perl CGI --- any time you take
user input in an application, you've got to assume that there will be
hostile intent, and sanitize the input accordingly.  The basic step in
sanitization is to decide what characters are permitted in the input,
and filter out everything else.  You probably want to limit the length
of the input, and (depending on the precise circumstances) there may
be other criteria you can apply.  Only then should you pass the input
into your SQL select statement.



Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
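
The three approaches discussed in this thread side by side, as an added example that is not part of the original mail (the thread is about PHP and Perl; Python's standard-library sqlite3 module is used here only because it runs offline with no setup, and the `?` placeholder it accepts is the same one both posters refer to). The table `table_1`, its rows, the `MAX_ID_LEN` limit and the digits-only allowlist are all constructed for the illustration. The injected value is given as `1 OR 1=1` rather than the mail's `joe OR 1=1`, since an unquoted `joe` is parsed as a column name and simply errors out:

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory table_1 standing in for
    the real table in the mailing-list example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table_1 (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO table_1 (id, name) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def lookup_unsafe(conn, raw_id):
    """The pattern from the thread: the request parameter is pasted straight
    into the SQL text, so whatever it contains is executed as SQL."""
    sql = f"SELECT id, name FROM table_1 WHERE id={raw_id};"
    return conn.execute(sql).fetchall()


# Hypothetical policy for this example: an id is at most 10 decimal digits.
MAX_ID_LEN = 10
ID_PATTERN = re.compile(r"^[0-9]+$")


def validate_id(raw_id):
    """Seaman's sanitisation steps: decide which characters are permitted,
    bound the length, and refuse everything else. Returns an int or None."""
    if not isinstance(raw_id, str) or len(raw_id) > MAX_ID_LEN:
        return None
    if not ID_PATTERN.match(raw_id):
        return None
    return int(raw_id)


def lookup_validated(conn, raw_id):
    """Validate first; a rejected value never reaches the database at all."""
    id_value = validate_id(raw_id)
    if id_value is None:
        return []
    return conn.execute(
        "SELECT id, name FROM table_1 WHERE id=?", (id_value,)
    ).fetchall()


def lookup_parameterized(conn, raw_id):
    """The '?' placeholder Rhoden mentions: the driver passes the value
    separately from the SQL text, so 'OR 1=1' is just a string that is
    compared against the id column and matches nothing."""
    return conn.execute(
        "SELECT id, name FROM table_1 WHERE id=?", (raw_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1 OR 1=1"):
        print(repr(value))
        print("  unsafe        :", lookup_unsafe(db, value))
        print("  validated     :", lookup_validated(db, value))
        print("  parameterized :", lookup_parameterized(db, value))
```

Running it shows the unsafe lookup returning the whole table for `1 OR 1=1`, while both the allowlist-validated and the parameterized lookups return nothing for that input and exactly one row for `1`. The two defences are complementary rather than alternatives: the placeholder stops the value from being interpreted as SQL at all, and the allowlist additionally rejects junk before it costs a round trip to the database.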
