James Harrell wrote:
Hi PHP gurus,

Asked this question on the PHP-DB list, no response there. Hoping someone here may have the answer. :)

Mostly a research question. I recall (a long time ago - php3?) that
some php packages could be compromised by injecting a secondary query
through GET/POST variables when they were not properly sanitized.


ex:
$query="select a from $b";
mysql_query($query);

Inject $b="tablename; insert into a set col='c'"

Even the current PHP manual includes a fairly recent comment warning of
such attacks, though the manual clearly states that only one query can
be issued and a semicolon should not be included. My testing confirms
that the second query isn't executed.

Some web research leads me to believe this was changed, though I cannot
find when. I'm pretty certain it was there at one point, since I found
a vulnerability like this in an application I was auditing for security.

Anyone recall or know if this change occurred in a specific PHP version?
Is it reasonable to assume it will not be added back in?


Variables passed to an SQL query should always be sanitized; there are also other ways of attack. Search for "advanced sql injection".


In the case above you can use:

$allowed_tables = array('table1', 'table2', 'table3');

if(!in_array($b, $allowed_tables)) die('sql attack');

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
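An added example (not posted by anyone in this thread) that puts the reply's allow-list check together with bound parameters. Table names cannot be bound, so they are checked against the fixed list; values go through PDO placeholders, so a string like the injected `$b` from the question never reaches the query as SQL. It assumes PDO with the pdo_sqlite driver and uses an in-memory SQLite database with constructed table and column names so it runs offline.

```php
<?php
// Added example (not from the thread): allow-listing a table name and
// binding values with PDO against an in-memory SQLite database.
// Table/column names and rows below are constructed sample data.

declare(strict_types=1);

$allowed_tables = ['table1', 'table2', 'table3'];

// Identifiers (table/column names) cannot be bound as parameters, so they
// must be compared against a fixed allow-list. The third argument makes
// in_array() use strict comparison, so only an exact string match passes.
function safe_table(string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("table name not allowed: $name");
    }
    return $name;
}

// Values are passed as bound parameters; the driver sends them separately
// from the statement text, so they cannot change its structure.
function select_by_col(PDO $db, string $table, string $value, array $allowed): array
{
    $t = safe_table($table, $allowed);
    $stmt = $db->prepare("SELECT a FROM \"$t\" WHERE col = :v");
    $stmt->execute([':v' => $value]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE table1 (a TEXT, col TEXT)");
$db->exec("INSERT INTO table1 VALUES ('row1', 'c'), ('row2', 'd')");

// Legitimate call: allowed table, plain value.
print_r(select_by_col($db, 'table1', 'c', $allowed_tables));

// A value containing quotes and SQL keywords is just compared as a string;
// nothing matches, and the statement itself is unchanged.
print_r(select_by_col($db, 'table1', "c' OR '1'='1", $allowed_tables));

// The injected table name from the original question is rejected before
// any SQL is built.
try {
    select_by_col($db, "tablename; insert into a set col='c'", 'c', $allowed_tables);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The allow-list is the only workable control for identifiers, since a driver cannot escape a table name into a placeholder; escaping functions are for values, and even for values a prepared statement is the simpler and less error-prone choice.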


