Hello,
I just did a security audit for a site. This was a huge problem they had:
doing, "...where id = $_POST['id']"
Not only can you run SQL commands, you could update all the records where id=1 or id > 1 via SQL injection.

The larger problem they had was that all the SQL was being hardcoded, no use of a function anywhere. We had to go back and move all the SQL so that it is called from a function, then have that function do the proper validation.

They had the exact same problems with XSS, no input validation.
Chris, nice book btw, my #1 reference for PHP Security.
- Ben
Ben Sgro, Chief Engineer
ProjectSkyLine - Defining New Horizons
This e-mail is confidential information intended only for the use of the
individual to whom it is addressed.
----- Original Message -----
From: "csnyder" <[EMAIL PROTECTED]>
To: "NYPHP Talk" <talk@lists.nyphp.org>
Sent: Tuesday, August 14, 2007 5:00 PM
Subject: Re: [nyphp-talk] Is there something wrong with this SQL query in PHP?
On 8/14/07, Anthony Wlodarski <[EMAIL PROTECTED]> wrote:
> So I will definitely in the future keep an eye out for direct $_POST variables
> directly in a SQL query (I will just save a local copy from now on and use that.).
No, you're missing the point. It isn't direct use of the variable from $_POST, it's that the value might contain quotes or other characters that can cause the database to execute SQL that you don't expect.

Use the mysql_real_escape_string() function on all values before including them in a query:

// the escaped value has to sit inside quotes; left unquoted, an input like 1 OR 1=1 contains nothing to escape and passes straight through
$query = "SELECT * FROM `jobsdb` WHERE `id` = '" . mysql_real_escape_string($_POST['id']) . "'";
--
Chris Snyder
http://chxo.com/
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com
Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
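The three patterns discussed in this thread side by side, as an added example that is not code from Ben, Chris or the audited site: the raw `$_POST['id']` concatenation from the audit, an escaped-but-unquoted value of the kind mysql_real_escape_string() is often misused for, and the single validating function Ben's team moved the site to. It uses an in-memory SQLite database through PDO so it runs without MySQL (assumption: the pdo_sqlite extension is loaded); `escapeOnly()` is a stand-in for mysql_real_escape_string() using SQLite's quote-doubling rule, since the point is that the payload contains no quotes to escape. The `jobsdb` table and `id` column come from the thread; the `title` and `status` columns, the rows and the attacker input are constructed for the demo.

```php
<?php
// Added example, not code from the thread. In-memory SQLite via PDO stands in
// for MySQL (assumption: pdo_sqlite is available); the injection behaves the
// same way on MySQL. `jobsdb`/`id` are from the thread; the other columns,
// the rows and the payload are constructed for this demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE jobsdb (id INTEGER PRIMARY KEY, title TEXT, status TEXT)");
$db->exec("INSERT INTO jobsdb (id, title, status) VALUES (1, 'Engineer', 'open'), (2, 'Designer', 'open'), (3, 'Manager', 'open')");

// Constructed attacker input: a valid id followed by a tautology. It contains
// no quote characters, so quote-escaping alone leaves it untouched.
$_POST = ['id' => '1 OR id > 0'];

// 1. The pattern found in the audit: the raw request value goes straight into
//    the SQL string. Deliberately vulnerable.
function closeJobUnsafe(PDO $db, $id)
{
    return $db->exec("UPDATE jobsdb SET status = 'closed' WHERE id = $id");
}

// 2. Escaped but left unquoted. escapeOnly() stands in for
//    mysql_real_escape_string(): SQLite doubles single quotes instead of
//    backslash-escaping them, but either way this payload has nothing to escape.
function escapeOnly($s)
{
    return str_replace("'", "''", $s);
}
function closeJobEscapedUnquoted(PDO $db, $id)
{
    $escaped = escapeOnly($id);
    return $db->exec("UPDATE jobsdb SET status = 'closed' WHERE id = $escaped");
}

// 3. What the audit moved the site to: every query goes through one function
//    that validates its input and binds it as a parameter, so the value is
//    never parsed as SQL regardless of how it is quoted.
function closeJob(PDO $db, $id)
{
    if (!is_string($id) || !ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    $stmt = $db->prepare("UPDATE jobsdb SET status = 'closed' WHERE id = :id");
    $stmt->execute([':id' => (int) $id]);
    return $stmt->rowCount();
}

function countClosed(PDO $db)
{
    return (int) $db->query("SELECT COUNT(*) FROM jobsdb WHERE status = 'closed'")->fetchColumn();
}
function reopenAll(PDO $db)
{
    $db->exec("UPDATE jobsdb SET status = 'open'");
}

closeJobUnsafe($db, $_POST['id']);
printf("unsafe concat:       %d of 3 rows closed\n", countClosed($db));
reopenAll($db);

closeJobEscapedUnquoted($db, $_POST['id']);
printf("escaped, unquoted:   %d of 3 rows closed\n", countClosed($db));
reopenAll($db);

try {
    closeJob($db, $_POST['id']);
} catch (InvalidArgumentException $e) {
    printf("validated function:  rejected (%s)\n", $e->getMessage());
}
closeJob($db, '1');
printf("validated function:  %d of 3 rows closed\n", countClosed($db));
```

Run it with `php` on the command line. The first two variants close every row because `WHERE id = 1 OR id > 0` is what the database actually receives; the third rejects the payload before any SQL is built and, for a well-formed id, touches exactly one row. Centralising the query in one function is what makes the validation enforceable: with SQL hardcoded at every call site, as Ben describes, there is no single place to put the check.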