Re: Overwriting an uninitialized local variable in PHP



Technically it's not "uninitialized" as you would think of in some
other languages. Variables in PHP that are not explicitly set have
default values.

Of course, and as usual, all bets are off if register_globals is enabled.

On 2/21/07, Kellox <kellox@xxxxxxxxxx> wrote:
I'm addressing a PHP application with a MySQL DB backend.

A PHP script looks like this:

$sort_mode = $_GET['sort'];                      // taken straight from the request, unsanitized
if($sort_mode == 'ascendend') $query = "....";   // comparison, not assignment
else if($sort_mode == 'descendend') $query = "....";
...                                              // no final else: $query stays unset otherwise
mysql_query($query) or die();

This script does actually contain a serious problem because
$sort_mode is not sanitized. But this variable is never used in a SQL
query, so even if you modify the GET parameter to become a SQL injection
it won't be executed by the DB because this variable is not passed to
the engine. The actual variable containing the query is $query. But
since there's no else clause, $query is uninitialized when you pass a
string to the variable $sort_mode that is not contained in the
if-then-else statement (e.g. $sort_mode = 'does_not_exist').

My question is if there is a way to "initialize" the variable $query
myself as an attacker from the outside, so that I can write my own SQL query.

This question is related to a webapp review I'm doing at the moment.

Thx in advance!
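As an added illustration (not code from the thread), here is how the snippet under discussion can be rewritten so that $query is always initialized and the request value only selects from a fixed set of queries. The table and column names, the function name build_sort_query, and the default choice are assumptions for the example; the PHP version is assumed to be one without register_globals, and even if that setting were on, a request parameter named "query" could no longer influence the value because the function assigns it unconditionally.

```php
<?php
// Added example, not from the original mailing-list post.
// Hardened version of the $sort_mode / $query pattern: every path through
// the function assigns $query, and the request value is only a lookup key.

/**
 * Return a constant SQL string chosen by the 'sort' request parameter.
 * Unknown or missing values fall back to a safe default and are logged,
 * so the caller never sees an undefined (or request-supplied) $query.
 */
function build_sort_query(array $get): string
{
    // Whitelist of complete query strings. Placeholder table/columns.
    // The request value never appears inside the SQL text.
    $queries = [
        'ascendend'  => "SELECT id, name FROM items ORDER BY name ASC",
        'descendend' => "SELECT id, name FROM items ORDER BY name DESC",
    ];
    $default = 'ascendend';

    $sort_mode = (isset($get['sort']) && is_string($get['sort'])) ? $get['sort'] : $default;

    if (!array_key_exists($sort_mode, $queries)) {
        // Detection hook: an unexpected value is worth a log line before
        // it is discarded in favour of the default.
        error_log('build_sort_query: rejected sort value ' . substr($sort_mode, 0, 64));
        $sort_mode = $default;
    }

    return $queries[$sort_mode];   // always a string, never null
}

// Usage: $query is assigned on every path, so there is no "uninitialized"
// state for a caller (or register_globals) to fill in.
$query = build_sort_query($_GET);
// mysqli_query($link, $query) ... (connection handling omitted)
```

The point of the rewrite is structural rather than about escaping: with a final else branch or, as here, a whitelist lookup with a default, the variable that reaches the database engine is set by the script on every execution path, and a value like 'does_not_exist' simply maps to the default query instead of leaving $query undefined.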


