On Fri, 2002-02-08 at 04:43, * R&zE: wrote:
> Hi folks,
> I don't know if everyone ever knew this, but I haven't been able to
> find anything about this, anywhere...
> odbc_execute has a very dangerous 'feature'. I would like to call it
> a bug, but because someone has implemented it on purpose I should call
> it a feature...
> odbc_execute takes two arguments; the odbc result-ID, and
> an array containing the parameters for this statement. So far so
> good. Works perfectly. In the parameters you can put any data. Any
> data! So you can enter characters like eg. &, *, %... you name it.
> You can also enter single quotes ('). Nice. Nope... not nice. If you
> put a single quote at the start of the parameter and at the end PHP
> does something very scary... it reads the _file_(!) and stores it in
> the database. So if you would have a parameter:
> you would get an error telling you that the file "myname" couldn't
> be opened. But... if you use this parameter:
> No problem! The contents of your password file is stored in the
> database. Any file readable for your webserver can be 'used' this
> way. Any file!
> So, imagine you have some site containing a textarea input in the
> form, some user can easily type:
> and then submit the form. When you also have the possibility on this
> site for the user to take a look at the data he entered (and this is
> a very common feature), he gets to see the contents of your password
> file. And he can do this with any file(!!!!). As long as it's
> readable for the webserver, users can very easily get the contents
> of the file!
*Always* validate your data. If you validate your data and never trust
anything which comes from the client side of the connection, your
problem goes away. I mean, you wouldn't pass user data to exec()
or fopen() without some serious checking, would you? ;)
Sure, PHP could try to prevent every possible problem from cropping up,
but that would make the language pretty useless. It's up to the coder
to not program security flaws.
Torben Wilson <[EMAIL PROTECTED]>
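The validation Torben recommends, written out as an added PHP example (it is not code from the thread or from PHP itself). It assumes the behaviour the PHP manual documents for odbc_execute(): a parameter value that both starts and ends with a single quote is treated as a file name and the file's contents are sent instead. The function names, the table and the placeholder connection are my own; the sample inputs are constructed.

```php
<?php
// Added example, not part of the original thread. Assumes PHP's odbc
// extension with odbc_prepare()/odbc_execute() as documented in the manual.

/**
 * True if odbc_execute() would treat this value as a file name: a string
 * that both begins and ends with a single quote.
 */
function looks_like_odbc_file_param(string $value): bool
{
    return strlen($value) >= 2
        && $value[0] === "'"
        && substr($value, -1) === "'";
}

/**
 * Validate a parameter array before it reaches odbc_execute(). Values that
 * would trigger the file-read behaviour are rejected; everything else is
 * returned unchanged. Non-scalar values are rejected as well.
 *
 * @throws InvalidArgumentException
 */
function guard_odbc_params(array $params): array
{
    foreach ($params as $i => $value) {
        if ($value !== null && !is_scalar($value)) {
            throw new InvalidArgumentException("parameter $i is not scalar");
        }
        if (is_string($value) && looks_like_odbc_file_param($value)) {
            throw new InvalidArgumentException(
                "parameter $i is enclosed in single quotes and would be read as a file"
            );
        }
    }
    return $params;
}

/**
 * Hypothetical insert helper: $conn is an open odbc_connect() resource and
 * the "comments" table is a placeholder. The guard runs on every call.
 */
function store_comment($conn, string $comment): bool
{
    $stmt = odbc_prepare($conn, 'INSERT INTO comments (body) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    return odbc_execute($stmt, guard_odbc_params([$comment]));
}

// Constructed inputs; this part runs without any database connection.
$samples = ["hello world", "it's fine", "'quoted at both ends'"];
foreach ($samples as $s) {
    try {
        guard_odbc_params([$s]);
        echo "accepted: $s\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: $s (" . $e->getMessage() . ")\n";
    }
}
```

Rejecting is the conservative choice for user-supplied text. Where a value that legitimately begins and ends with single quotes must be stored, the PHP manual's own advice is to prepend a space or another non-quote character so the parameter is no longer taken as a file name; that can be done in the guard instead of throwing, but it should be a deliberate decision rather than the default.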
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php