NYCPHP Meetup

[Ben Sgro (ProjectSkyLine)]

Hello,

I just did a security audit for a site. This was a huge problem they had:

doing, "...where id = $_POST['id']"

Not only can you run sql commands you could update all the records where 
id=1 or id > 1
via SQL injection.

The larger problem they had was that all the sql was being hardcoded, no use 
of a function
anywhere. We had to go back and remove all the SQL to be called from a 
function,
then have that function do the proper validation.

They had the exact same problems w/XSS, no input validation.

Chris, nice book btw, my #1 reference for PHP Security.

- Ben

Ben Sgro, Chief Engineer
ProjectSkyLine - Defining New Horizons

This e-mail is confidential information intended only for the use of the 
individual to whom it is addressed.
----- Original Message ----- 
From: "csnyder" <chsnyder at gmail.com>
To: "NYPHP Talk" <talk at lists.nyphp.org>
Sent: Tuesday, August 14, 2007 5:00 PM
Subject: Re: [nycphp-talk] Is there something wrong with this SQL query in 
PHP?


> On 8/14/07, Anthony Wlodarski <aw at sap8.com> wrote:
>>
>> So I will definitely in the future keep an out for direct $_POST 
>> variables
>> directly in a SQL query (I will just save a local copy from now on and 
>> use
>> that.).
>
> No, you're missing the point. It isn't direct use of the variable from
> $_POST, it's that the value might contain quotes or other characters
> that can cause the database to execute SQL that you don't expect.
>
> Use the mysql_real_escape_string() function on all values before
> including them in a query:
>
> $query = "SELECT * FROM `jobsdb` WHERE `id`
> =".mysql_real_escape_string($_POST['id'])."";
>
>
> -- 
> Chris Snyder
> http://chxo.com/
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php