Re: [PHP] When did mysql_query quit allowing multiple queries separated by a semicolon

2004-06-03 Thread John W. Holmes
From: James Harrell [EMAIL PROTECTED]

 Mostly a research question. I recall (a long time ago - php3?) that
 some php packages could be compromised by injecting a secondary query
 through GET/POST variables when they were not properly sanitized.

 ex:
 $query = "select a from $b";
 mysql_query($query);

 Inject $b=tablename; insert into a set col='c'

 Even the current PHP manual includes a fairly recent comment warning of
 such attacks, though the manual clearly states that only one query can
 be issued and a semicolon should not be included. My testing confirms
 that the second query isn't executed.

 Some web research leads me to believe this was changed, though I cannot
 find when. I'm pretty certain it was there at one point, since I found
 a vulnerability like this in an application I was auditing for security.

 Anyone recall or know if this change occurred in a specific PHP version?
 Is it reasonable to assume it will not be added back in?

This is more than likely a limitation of the underlying MySQL C API, more
than PHP. mysql_query() in the C API only accepts a single query for
versions from 3.20.0 (or at least I couldn't find a note in the mysql changelog
that referenced this, and it goes back to version 3.20.0).

MySQL 4.1+ actually allows more than one query, and the mysqli extension for
PHP provides an implementation to handle more than one query per mysql_query()
call. So, it's reasonable to assume that this feature will actually be
added back in.

---John Holmes...

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


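The behaviour John describes, as an added example that is not code from the thread: a query built from the poster's `$b` is run through a single-statement API and then through a multi-statement one. Python's sqlite3 module stands in for the PHP/MySQL APIs here (an assumption for the sake of running offline): `Cursor.execute()` refuses more than one statement per call, like the C API's mysql_query(), while `Cursor.executescript()` runs everything it is given, like mysqli_multi_query(). The schema, table names and payload are constructed for the demo, and the injected INSERT uses SQLite's `insert into a (col) values (...)` rather than MySQL's `insert into a set col=...`.

```python
"""Stacked-query injection against a single- vs multi-statement API.

Added example, not code from the mailing list thread.  sqlite3 is used as a
stand-in for the MySQL client APIs discussed (assumption):
  - Cursor.execute()       -> one statement per call, like mysql_query()
  - Cursor.executescript() -> all statements run, like mysqli_multi_query()
Schema, table names and payload are constructed for the demo.
"""
import sqlite3
from typing import List, Optional, Tuple


def fresh_db() -> sqlite3.Connection:
    """In-memory database with the two tables the thread's payload touches."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        create table tablename (a text);
        insert into tablename (a) values ('row1');
        create table a (col text);
        """
    )
    return conn


# The user-controlled $b from the thread, carrying a second statement.
# (SQLite INSERT syntax; the thread's MySQL form is "insert into a set col='c'".)
PAYLOAD = "tablename; insert into a (col) values ('c')"


def build_query(b: str) -> str:
    """The vulnerable pattern from the thread: $query = "select a from $b"."""
    return f"select a from {b}"


def run_single_statement(b: str) -> Tuple[List[Tuple], int, Optional[str]]:
    """mysql_query()-style execution: one statement per call.

    Returns (rows returned by the SELECT, rows the attacker got into table a,
    error message or None).  With the payload, the driver rejects the whole
    string before executing anything, so nothing is returned and nothing is
    inserted.
    """
    conn = fresh_db()
    rows: List[Tuple] = []
    error = None
    try:
        rows = conn.execute(build_query(b)).fetchall()
    except (sqlite3.Warning, sqlite3.ProgrammingError) as exc:
        # "You can only execute one statement at a time." (older Pythons raise
        # sqlite3.Warning, newer ones ProgrammingError; both are caught)
        error = str(exc)
    injected = conn.execute("select count(*) from a").fetchone()[0]
    conn.close()
    return rows, injected, error


def run_multi_statement(b: str) -> int:
    """mysqli_multi_query()-style execution: every statement runs.

    Returns the number of rows the attacker managed to insert into table a.
    """
    conn = fresh_db()
    conn.executescript(build_query(b))  # SELECT result is discarded, INSERT runs
    injected = conn.execute("select count(*) from a").fetchone()[0]
    conn.close()
    return injected


if __name__ == "__main__":
    print("single-statement API:", run_single_statement(PAYLOAD))
    print("multi-statement API, rows injected:", run_multi_statement(PAYLOAD))
```

The single-statement API is what made the poster's test "confirm" the second query is not executed; the multi-statement API shows why the poster's vulnerability is real again as soon as the application (or a driver change) moves to a multi-query call, even though the application code is identical.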

Re: [PHP] When did mysql_query quit allowing multiple queries separated by a semicolon

2004-06-03 Thread Marek Kilimajer
James Harrell wrote:
Hi PHP gurus,
Asked this question on the PHP-DB list, no response there. Hoping 
someone here may have the answer. :)

Mostly a research question. I recall (a long time ago - php3?) that
some php packages could be compromised by injecting a secondary query
through GET/POST variables when they were not properly sanitized. 

ex:
$query = "select a from $b";
mysql_query($query);
Inject $b=tablename; insert into a set col='c'
Even the current PHP manual includes a fairly recent comment warning of
such attacks, though the manual clearly states that only one query can
be issued and a semicolon should not be included. My testing confirms
that the second query isn't executed.
Some web research leads me to believe this was changed, though I cannot
find when. I'm pretty certain it was there at one point, since I found
a vulnerability like this in an application I was auditing for security.
Anyone recall or know if this change occurred in a specific PHP version?
Is it reasonable to assume it will not be added back in?
Variables passed to an SQL query should always be sanitized; there are also 
other ways of attack. Search for advanced SQL injection.

In the case above you can use:
$allowed_tables = array('table1', 'table2', 'table3');
// strict comparison: only an exact table name from the list passes
if (!in_array($b, $allowed_tables, true)) die('sql attack');
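The hardened form of the thread's `select a from $b`, as an added example that is neither Marek's code nor anything else from the thread. It again uses Python's sqlite3 module as a stand-in for MySQL (assumption); the table, column names, allowlist and sample rows are constructed for the demo. The point is the split Marek's reply implies: a table name is an identifier, which no driver lets you bind as a parameter, so it must be checked against an allowlist exactly as in the `in_array()` check above; a value (here an `owner` filter) is bound as a parameter, so a quote or semicolon inside it never reaches the SQL parser as syntax.

```python
"""Hardened "select a from $b": allowlist the identifier, bind the values.

Added example, not code from the thread.  sqlite3 stands in for MySQL
(assumption); schema, allowlist and sample data are constructed for the demo.
"""
import sqlite3
from typing import List, Tuple

# Equivalent of $allowed_tables in the reply above.
ALLOWED_TABLES = frozenset({"table1", "table2", "table3"})


def make_db() -> sqlite3.Connection:
    """In-memory database with one allowed table and the attacker's target."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        create table table1 (a text, owner text);
        insert into table1 values ('public-1', 'alice');
        insert into table1 values ('secret-1', 'bob');
        create table a (col text);
        """
    )
    return conn


def quote_identifier(name: str) -> str:
    """SQL-standard identifier quoting; an embedded double quote is doubled.

    MySQL uses backticks for this unless ANSI_QUOTES is enabled.  Quoting is
    defence in depth only; the allowlist check is what actually limits $b.
    """
    return '"' + name.replace('"', '""') + '"'


def select_a(conn: sqlite3.Connection, table: str, owner: str) -> List[Tuple]:
    """Return column a of `table` for rows belonging to `owner`.

    `table` is untrusted: exact-match allowlist, then quoted as an identifier.
    `owner` is untrusted: passed to the driver as a bound parameter, never
    interpolated into the SQL text.
    """
    if table not in ALLOWED_TABLES:  # same role as in_array($b, $allowed_tables, true)
        raise ValueError(f"table not allowed: {table!r}")
    sql = f"select a from {quote_identifier(table)} where owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def rejects_table(name: str) -> bool:
    """True if select_a() refuses `name` before any SQL is run."""
    try:
        select_a(make_db(), name, "alice")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(select_a(db, "table1", "alice"))
    print(rejects_table("table1; insert into a (col) values ('c')"))
    # the classic value-side payload is just a string nobody owns rows under
    print(select_a(db, "table1", "alice' or '1'='1"))
```

Note that the allowlist is an exact, case-sensitive match; normalising the input first (lower-casing, trimming) would be a design decision, and the comparison should then be made against the normalised form, not by loosening the check.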