From: "James Harrell" <[EMAIL PROTECTED]>

> Mostly a research question. I recall (a long time ago - php3?) that
> some php packages could be compromised by injecting a secondary query
> through GET/POST variables when they were not properly sanitized.
>
> ex:
> $query="select a from $b";
> mysql_query($query);
>
> Inject $b="tablename; insert into a set col='c'"
>
> Even the current PHP manual includes a fairly recent comment warning of
> such attacks, though the manual clearly states that only one query can
> be issued and a semicolon should not be included. My testing confirms
> that the second query isn't executed.
>
> Some web research leads me to believe this was changed, though I cannot
> find when. I'm pretty certain it was there at one point, since I found
> a vulnerability like this in an application I was auditing for security.
>
> Anyone recall or know if this change occurred in a specific PHP version?
> Is it reasonable to assume it will not be added back in?

This is more than likely a limitation of the underlying MySQL C API, more
than PHP. mysql_query() in the C API only accepts a single query for
versions from 3.20.0 (or at least I couldn't find a note in the MySQL changelog
that referenced this, and it goes back to version 3.20.0).

MySQL 4.1+ actually allows more than one query, and the mysqli extension for
PHP provides an implementation to handle more than one query per query
call. So, it's "reasonable to assume" that this "feature" will actually be
added back in.

---John Holmes...

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
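The point of the thread is that the single-statement behaviour is a property of the driver call, not of any input sanitizing, and a multi-statement API brings the stacked-query injection right back. The following is an added example, not code from either poster: it uses Python's sqlite3 module as a stand-in, because it has the same split (execute() refuses a second statement, much like ext/mysql's mysql_query(); executescript() runs every statement in the string, much like mysqli_multi_query()) and needs no server. The table names t and a, the PAYLOAD string (the quoted post's injection rewritten in SQLite syntax, since SQLite has no INSERT ... SET), the ALLOWED_TABLES allowlist and all function names are constructed for the illustration.

```python
import sqlite3

# Constructed payload: the quoted post's $b, in SQLite syntax. A table name
# followed by a stacked INSERT into an unrelated table.
PAYLOAD = "t; insert into a (col) values ('c')"

# Hypothetical allowlist for the hardened version. A real application would
# list exactly the tables it is willing to expose by name.
ALLOWED_TABLES = {"t"}


def make_db():
    """Constructed sample schema: t is what the application queries, a is what
    the injected INSERT targets. Both start out as shown here."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "create table t (a text); insert into t values ('x');"
        "create table a (col text);"
    )
    return con


def build_query(b):
    """The vulnerable construction from the post: $query="select a from $b"."""
    return f"select a from {b}"


def rows_in_a(con):
    """How many rows the attacker managed to insert into table a."""
    return con.execute("select count(*) from a").fetchone()[0]


def run_single(con, sql):
    """Single-statement API. The driver refuses the stacked second statement;
    nothing in this function sanitized the input. Older Pythons raise
    sqlite3.Warning here, newer ones sqlite3.ProgrammingError."""
    try:
        rows = con.execute(sql).fetchall()
    except (sqlite3.Warning, sqlite3.ProgrammingError) as exc:
        return ("rejected", str(exc))
    return ("executed", rows)


def run_multi(con, sql):
    """Multi-statement API. Every statement in the string runs, so the
    injected INSERT lands. Returns the row count of table a afterwards."""
    con.executescript(sql)
    return rows_in_a(con)


def query_table(con, b):
    """Hardened form. A table name cannot be bound as a query parameter, so
    the only real fix for an identifier is an allowlist; values would be
    bound with '?' placeholders instead."""
    if b not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {b!r}")
    return con.execute(f'select a from "{b}"').fetchall()


def demo():
    """Run the three variants against the same payload and report."""
    con = make_db()
    sql = build_query(PAYLOAD)
    single = run_single(con, sql)
    after_single = rows_in_a(con)        # still 0: driver rejected the string
    after_multi = run_multi(con, sql)    # 1: the stacked INSERT executed
    try:
        query_table(con, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return {
        "single": single[0],
        "rows_after_single": after_single,
        "rows_after_multi": after_multi,
        "allowlist_blocked": blocked,
        "legit": query_table(con, "t"),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the single-statement call rejecting the string with table a untouched, the multi-statement call leaving one attacker-controlled row in a, and the allowlisted version refusing the payload while still serving the legitimate table name. The practical takeaway for the thread's question is the same for MySQL: treat the one-statement limit as an accident of the API you happen to call today, and validate identifiers and bind values regardless.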