Re: PHPNuke SQL Injection / General SQL Injection

From: MightyE (mightye@mightye.org)
Date: 02/22/03

Next message: eflorio@edmaster.it: "Weak Encryption Scheme in Telindus 112x"

Previous message: nordi: "eject 2.0.10 vulnerability"
In reply to: David Walker: "Re: PHPNuke SQL Injection / General SQL Injection"
Next in thread: Oriol Carreas: "RE: PHPNuke SQL Injection"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sat, 22 Feb 2003 16:20:29 -0500
From: MightyE <mightye@mightye.org>
To: bugtraq@securityfocus.com

Actually, user supplied input from $_COOKIES, $_POST, and $_GET comes
slash-escaped, so if the user enters
' or 1=1
as their input, the sql statement will look like
where some_int='\' or 1=1'

This is determined by the PHP directive, magic_quotes_gpc. During
script execution, you can execute
if (!get_magic_quotes_gpc()){
//code to recurse global variables, calling addslashes() on their values
}
to ensure that all user supplied input is properly escaped.

The proper escaping for ' and " in most databases (excluding Oracle and
Sybase only, I believe), is to use \', \", and \\.

In Oracle and Sybase, ' and " are escaped as '' and "". Magic quotes
in PHP can be configured for Sybase compatibility, see the PHP website.

What I do on my portable code, where I can't know whether or not the
server it's running on has magic quotes enabled, is use a function like
this:

function escape($input){
if (get_magic_quotes_gpc()) return $input;
return addslashes($input);
}

and all user input through that. As far as I know, all major databases
accept quoted integers and interpret them as standard integers, so
*always* quote user input so that they cannot inject SQL.

David Walker wrote:

>When programming a system that creates sql strings based on passed in integers
>i.e. where some_int=$variable_from_querystring
>you must always do a check to confirm that that variable contains only numeric
>data.
>
>an alternate fix on sql servers that allow the format
>where some_int='1234' -- (quoted numbers)
>would be to do
>where some_int='replace($variable_from_querystring,"'","''")'
>This would cause a more than likely harmless error to occur whenever character
>occurs within the passed in numeric/integer variable.
>
>
>

Next message: eflorio@edmaster.it: "Weak Encryption Scheme in Telindus 112x"
Previous message: nordi: "eject 2.0.10 vulnerability"
In reply to: David Walker: "Re: PHPNuke SQL Injection / General SQL Injection"
Next in thread: Oriol Carreas: "RE: PHPNuke SQL Injection"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]