Hi all,

I've been testing the security of some of my forms, and did find some nasty
holes in regards to the forms not being validated properly (and sometimes
not at all).  Referring to the webpage;
http://www.php.net/manual/en/security.database.php#security.database.sql-injection
I should be able to create a valid query statement from the posted
form data, but it seems that my SQL server (MySQL) isn't accepting the
second (malicious) query that is prefixed with a semi-colon.

Example PHP code :

$query = "SELECT * FROM usertable WHERE uname = '$uname' AND upass =
'$password'";

In my form password box, I type in this :

    '; insert into user set uname ='geoff', upass='cracked'; /*

Since the connected user has insert privileges, I expect to see a new row in
the table, but instead see this error message :

You have an error in your SQL syntax near '; insert into usertable set uname
='geoff', upass='cracked'; /*' at line 10

The $query resulted in this :
SELECT * FROM usertable WHERE uname = '' AND uspass = ''; insert into
usertable set uname ='geoff', upass='cracked'; /*'.

It simply doesn't like the semi-colon in the query - I've written a
hard-wired php script, and this proves that the semi-colon is the culprit :

 $query  = "select * from updates order by `updated` desc LIMIT $mylimit;\n
select 1+1 as `updated`";

Again, the error :
  You have an error in your SQL syntax near '; select 1+1 as `updated`' at
line 1

Naturally I'll be validating those forms, but the curiosity has now set in -
how can I make a valid query work?

Thanks,
Geoff


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
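An added example, not from the post or the PHP manual, that replays the construction above in Python's sqlite3 (standing in for PHP and MySQL, since it runs offline): the interpolated string comes out exactly as the post describes, a single-statement execute() refuses the stacked insert, which is the same outcome the post gets from MySQL, and the parameterised form treats the very same input as an ordinary password. The single-statement behaviour is incidental, not a defence; the parameter binding is what keeps the input from being parsed as SQL. Table name, seed row and function names are assumptions.

```python
import sqlite3

# Constructed sample input: the exact password typed into the form in the post.
INJECTED_PASSWORD = "'; insert into user set uname ='geoff', upass='cracked'; /*"


def build_query_unsafe(uname: str, password: str) -> str:
    """The post's pattern: user input interpolated straight into the SQL text."""
    return (f"SELECT * FROM usertable WHERE uname = '{uname}' "
            f"AND upass = '{password}';")


def fresh_db() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL usertable, seeded with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usertable (uname TEXT, upass TEXT)")
    conn.execute("INSERT INTO usertable VALUES ('alice', 'secret')")
    conn.commit()
    return conn


def login_unsafe(conn, uname, password):
    """Runs the interpolated string through a single-statement API.
    Returns ('refused', message) when the driver rejects the stacked statement,
    or ('rows', rows) if it ran."""
    try:
        rows = conn.execute(build_query_unsafe(uname, password)).fetchall()
        return "rows", rows
    except (sqlite3.Error, sqlite3.Warning) as exc:  # older Pythons raise Warning here
        return "refused", str(exc)


def login_safe(conn, uname, password):
    """Parameter binding: the password is sent as data and never parsed as SQL."""
    sql = "SELECT * FROM usertable WHERE uname = ? AND upass = ?"
    return conn.execute(sql, (uname, password)).fetchall()


def demo() -> dict:
    """Runs both paths against a fresh database and reports what happened."""
    db = fresh_db()
    status, detail = login_unsafe(db, "", INJECTED_PASSWORD)
    return {
        "query_text": build_query_unsafe("", INJECTED_PASSWORD),
        "unsafe_status": status,          # "refused": stacked statement rejected
        "unsafe_detail": detail,
        "safe_rows": login_safe(db, "", INJECTED_PASSWORD),   # [] : no match
        "legit_rows": login_safe(db, "alice", "secret"),      # the seeded row
        "row_count": db.execute("SELECT COUNT(*) FROM usertable").fetchone()[0],
    }


if __name__ == "__main__":
    print(demo())
```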
