List: General Discussion
From: Paul DuBois  Date: December 24 1999 7:12pm
Subject: Re: SECURITY: Some comments about WWW applications
At 2:38 AM -0500 1999-12-24, Andy wrote:
>At 07:00 AM 12/23/99 -0800, you wrote:
>>Some people might write a website to take user input and directly stuff it
>>into an SQL statement.  Say that your Perl code were to look like:
>>
>
>>$dbh->do( "UPDATE mytable SET selection=\"$userinput\" WHERE
>>id=\"$moreuserinput\"");
>>
>>What if the user entered $moreuserinput as (15" OR "1"="1)?  Then it would
>>change the selection for _all_ rows!
>
>I'm not sure I understand how the input (15" OR "1"="1) would cause the
>selection field for every row to be updated. Could you explain more?
>
>I'm new to this security issue. Please bear with me.
>
>>All data from the user should be appropriately quoted before it's sent to
>>MYSQL.  DBI's use of ? is ideal for this:
>>
>>$dbh->do( "UPDATE mytable SET selection=? WHERE id=?", $userinput,
>>$moreuserinput);
>>
>>This will have the same effect for "normal" user data, but it will always
>>quote the user data as appropriate.
>
>I'm using PHP instead of Perl, what should I do in the above case?

In Perl DBI, you use the quote() method or placeholders, and then you don't
need to add quotes around the value in the query string, because both of
those methods will add them for you.

$moreuserinput = $dbh->quote ($moreuserinput);
$dbh->do( "UPDATE mytable SET selection=\"$userinput\" WHERE
id=$moreuserinput");


In PHP, use addslashes(), but in this case you do need to add the quotes
around the value, because addslashes() doesn't do it for you.

$moreuserinput = addslashes ($moreuserinput);
$result = mysql_query ( "UPDATE mytable SET selection=\"$userinput\" WHERE
id=\"$moreuserinput\"");

-- 
Paul DuBois, paul@stripped
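The following is an added example, not code from this thread or from Paul DuBois, Scott Hess or Andy. It answers Andy's question ("how does `15" OR "1"="1` update every row?") by running all three variants from the thread against a throwaway SQLite table: the interpolated query, a quote-then-interpolate version in the spirit of DBI's quote() (a simplified stand-in, not DBI's own routine), and the placeholder version. Python's standard-library sqlite3 module stands in for Perl DBI and PHP's mysql_query(); the table `mytable`, its three rows (ids 15 to 17) and the payload string are constructed for the demo. One deliberate difference: string literals use single quotes (standard SQL) rather than the double quotes in the original Perl, because SQLite does not reliably treat double-quoted text as a string literal; the injection works the same way with either quote character on MySQL.

```python
import sqlite3

# Constructed sample rows, not data from the thread.
ROWS = [(15, "alpha"), (16, "beta"), (17, "gamma")]

# The attacker-controlled "id" from the thread, translated to single quotes:
# the first quote closes the literal, the OR clause is then parsed as SQL.
PAYLOAD = "15' OR '1'='1"


def fresh_db():
    """Create an in-memory table shaped like the thread's 'mytable'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (id INTEGER PRIMARY KEY, selection TEXT)")
    conn.executemany("INSERT INTO mytable VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def update_unsafe(conn, userinput, moreuserinput):
    """Vulnerable: user input is pasted straight into the SQL text.

    Mirrors the interpolated $dbh->do("... WHERE id=\"$moreuserinput\"") query.
    Quote characters in the input change the structure of the statement.
    """
    sql = (f"UPDATE mytable SET selection='{userinput}' "
           f"WHERE id='{moreuserinput}'")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # number of rows actually modified


def quote_value(value):
    """Simplified stand-in for DBI's quote(): escape embedded quotes and
    wrap the result in quotes so it can be interpolated as one literal.
    SQL escapes a single quote by doubling it."""
    return "'" + str(value).replace("'", "''") + "'"


def update_quoted(conn, userinput, moreuserinput):
    """Escaping approach from the Perl reply: quote() first, then interpolate
    WITHOUT adding quotes in the query string (quote() already added them)."""
    sql = (f"UPDATE mytable SET selection={quote_value(userinput)} "
           f"WHERE id={quote_value(moreuserinput)}")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_safe(conn, userinput, moreuserinput):
    """Placeholder approach: the driver sends the values separately from the
    statement text, so they are never parsed as SQL at all."""
    cur = conn.execute("UPDATE mytable SET selection=? WHERE id=?",
                       (userinput, moreuserinput))
    conn.commit()
    return cur.rowcount


def selections(conn):
    """Current 'selection' column, ordered by id, for inspection."""
    return [row[0] for row in conn.execute(
        "SELECT selection FROM mytable ORDER BY id")]


if __name__ == "__main__":
    for name, fn in (("interpolated", update_unsafe),
                     ("quote() + interpolate", update_quoted),
                     ("placeholders", update_safe)):
        conn = fresh_db()
        n = fn(conn, "hacked", PAYLOAD)
        print(f"{name:22s} with payload -> {n} row(s) changed: {selections(conn)}")
```

Running it shows the interpolated form rewriting all three rows, while both the quote()-style and placeholder forms change zero rows because the payload is treated as one literal string that matches no id; a legitimate id such as `"15"` still updates exactly one row in every variant.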