Essentially any parameter passed over http is untyped, so it should not be trusted to be anything but a string when inserted in a sql-query. Try enclosing the parameter value in quotes in the query, e.g.:

<emit source="sql" query="select * from mytable where id='&form.id:mysql;'">...</emit>

Then mysql will do the type translation of the form.id value. If you pass id=1+show+tables you will get the row with id=1 returned; if you do id=show+tables mysql will not return any rows since it doesn't match anything.

You can also try this to see how mysql handles the type conversions:

<emit source="sql" host="misc" query="select 1 + 'my example'">
<insert variables="full" scope="_" /><br/>
</emit>

I think this is the relevant mysql-docs page: MySQL :: MySQL 5.0 Reference Manual :: 12.2 Type Conversion in Expression Evaluation (dev.mysql.com)

Let us know if this helps

/Peter

>________________________________
> From: Michael A. Patton <[email protected]>
>To: David Hunter <[email protected]>
>Cc: [email protected]; [email protected]
>Sent: Monday, June 30, 2014 5:31 AM
>Subject: Re: Validating form arguments
>
>
>Thanks for the pointer to the encoding page, I wanted that recently for
>something else and noticed that the current doc (i.e. what I get on my
>server in the docs tab) doesn't seem to have it any more. Why did it
>disappear?
>
>Oh well, just encoding the variable in the SQL query doesn't actually
>work for what I need. The form item is an int, not a string, so the
>injection attacks don't need to use the characters that the mysql
>encoding encodes, you just need spaces and letters. I guess using an
>encoding will get around the problem with my
> <if expr='STRING(INT("&form.id;")) == "&form.id;"'>
>example. Using
> <if expr='STRING(INT("&form.id:mysql;")) == "&form.id:mysql;"'>
>on my test page does seem to let me send all sorts of absurd things in
>without causing anything but detected failure to occur. I'll have to
>look at that some more to see if I think it'll really handle anything
>you throw at it...but I think that's a solution (if somewhat
>cumbersome).
>
>Man, security is hard...
>
>
> -MAP
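The two approaches discussed in this thread (letting mysql's lenient string-to-number conversion absorb junk like id=1+show+tables, versus the STRING(INT(x)) == x round-trip check that rejects anything that is not a canonical integer) can be compared outside RXML. The following is an added example, not code from the thread or from Roxen; it uses Python with an in-memory sqlite3 table standing in for "mytable", and the lenient_int_prefix helper is an assumed approximation of the mysql behaviour Peter describes, not mysql's actual conversion routine. The strict path validates first and then binds the integer as a query parameter, so the raw form value never becomes part of the SQL text.

```python
import re
import sqlite3
from typing import Optional, Tuple

# Constructed sample rows standing in for the thread's "mytable".
_ROWS = [(1, "first"), (2, "second"), (3, "third")]


def lenient_int_prefix(value: str) -> int:
    """Assumed approximation of what mysql does when a quoted string is
    compared with an integer column: the leading numeric prefix is used
    and a string with no numeric prefix becomes 0.  This is why the thread
    says id='1+show tables' still matches id=1 and 'show tables' matches
    nothing.  Note that the junk after the number is silently ignored
    rather than rejected."""
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group(0)) if m else 0


def strict_int(value: str) -> Optional[int]:
    """The round-trip check from the thread, STRING(INT(x)) == x, done in
    Python: the value must parse as an integer AND print back to exactly
    the same string.  Rejects '1+show tables', '007', ' 1', '+1'."""
    try:
        n = int(value)
    except ValueError:
        return None
    return n if str(n) == value else None


def open_sample_db() -> sqlite3.Connection:
    """Create the constructed in-memory table used by find_by_id."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table mytable (id integer primary key, name text)")
    conn.executemany("insert into mytable values (?, ?)", _ROWS)
    return conn


def find_by_id(conn: sqlite3.Connection, raw_id: str) -> Optional[Tuple[int, str]]:
    """Validate the form value strictly, then bind it as a parameter.
    Anything that fails validation is a detected failure (None), which is
    the behaviour the thread wants for absurd input."""
    n = strict_int(raw_id)
    if n is None:
        return None
    return conn.execute(
        "select id, name from mytable where id = ?", (n,)
    ).fetchone()


if __name__ == "__main__":
    conn = open_sample_db()
    # Constructed form values, including the two from the thread.
    for raw in ["1", "1+show tables", "show tables", "007", "-3"]:
        print(f"{raw!r:18} lenient->{lenient_int_prefix(raw):<3} "
              f"strict->{strict_int(raw)!s:5} row={find_by_id(conn, raw)}")
```

Running the block prints one line per constructed value: the lenient column shows '1+show tables' collapsing to 1 and 'show tables' to 0, while the strict column accepts only '1' and '-3' and the query is executed only for those.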
