Re: Abusing poor programming techniques in webserver scripts V 1.0

From: Michał Pasternak (doc@lublin.t1.pl)
Date: 07/30/01


Date: Mon, 30 Jul 2001 01:32:22 +0200
From: Michał Pasternak <doc@lublin.t1.pl>
To: memonix@roses-labs.com
Subject: Re: Abusing poor programming techniques in webserver scripts V 1.0
Message-ID: <20010730013222.A51721@lublin.t1.pl>

There are also other poor-coding techniques I recently thought about:

- choosing/entering SQL field name in form, like:

    <select name=field>
      <option value=title>title
      <option value=author>author
    </select>
    
   and then:
    
     // $field is taken straight from the form and interpolated unchecked
     query("select * from table where $field LIKE '%text%'");
     
   can be easily exploited. Instead, use:
   
    <select name=field>
      <option value=0>title
      <option value=1>author
    </select>
    
    and then:
    
     switch ($field) {
       case 0:
       default:
         $sql_field = "title";
         break;
       case 1:
         $sql_field = "author";
         break;
     }
     // $sql_field can only be one of the whitelisted column names
     query("select * from table where $sql_field LIKE '%text%'");
   
- when you want to include a file given as CGI/PHP script parameter, it's
  best to *remove* all dots ('.') and the first '/' sign. Well, you could also
  add a backslash in front of the dots.
  
  Replacing '..' with '.' using str_replace is bad ('....' => '..')

Any other ideas?

-- 
[ Michal Pasternak     doc@lublin.t1.pl     +48606570000  ]
[ online shops, databases, software made to order ]
[ . .. ..- .- . .. http://lublin.t1.pl . .-. .--.. . . .- ]
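As an added illustration of the two points in the message above (example code, not from the original post): the column name is looked up from a fixed whitelist by the submitted index, and the include name is rejected unless it is a bare word, which goes a step further than stripping dots. The `SEARCH_FIELDS` list, the `books` table, the `pages/` directory and the `.php` suffix are assumptions.

```php
<?php
// Added example, not from the original post. The request supplies only an
// index; the real column name comes from this fixed whitelist.
const SEARCH_FIELDS = [0 => 'title', 1 => 'author'];

function sqlFieldFor($field): string
{
    // Unknown or non-numeric input falls back to 'title', as the original
    // switch's default branch does. The (int) cast discards trailing junk
    // such as "0 OR 1=1", so only a whitelist key can ever be used.
    return SEARCH_FIELDS[(int) $field] ?? 'title';
}

function buildSearchQuery($field, string $text): string
{
    // The column name is a constant from the whitelist. The search text is
    // escaped MySQL-style for the string literal here; binding it as a
    // query parameter is preferable (column names cannot be bound).
    $pattern = '%' . addcslashes($text, "%_'\\") . '%';
    return "SELECT * FROM books WHERE " . sqlFieldFor($field) . " LIKE '$pattern'";
}

// The single-pass replacement the post warns against: str_replace walks the
// string once, so a run of four dots collapses to two and survives.
function naiveStrip(string $name): string
{
    return str_replace('..', '.', $name);
}

// Stricter than "remove all dots and the first slash": accept only a short
// bare name of word characters and build the path ourselves, so neither a
// directory separator nor a dot from the request ever reaches include().
function safeIncludePath(string $name): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return null; // reject rather than try to clean it
    }
    return __DIR__ . '/pages/' . $name . '.php';
}

// Demonstration on constructed inputs.
var_dump(sqlFieldFor('1'));
var_dump(sqlFieldFor('0 OR 1=1'));
var_dump(buildSearchQuery(1, "O'Reilly"));
var_dump(naiveStrip('....//....//etc/passwd'));
var_dump(safeIncludePath('../../etc/passwd'));
var_dump(safeIncludePath('contact'));
```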
