Home page logo

basics logo Security Basics mailing list archives

Overwriting an uninitialized local variable in PHP
From: Kellox <kellox () my-mail ch>
Date: Wed, 21 Feb 2007 16:32:37 +0100

I'm addressing a PHP with a MySQL DB system.

A PHP script looks like this:

$sort_mode = $_GET['sort'];
if($sort_mode = 'ascendend') $query = "....";
else if($sort_mode = 'descendend') $query = "....";
mysql_query($query) or die();

This script does actually contain some serious problem because $sort_mode is not sanitized. But this variable is never used in a SQL query, so even if you modify the GET Parameter to become a SQL injection it won't be executed by the DB because this variable is not passed to the engine. The actual variable containing the query is $query. But since there's no else clause, $query is uninitialized, when you pass a string to the variable $sort_mode that is not contained in the if-then-else statement (e.g. $sort_mode = 'does_not_exist')

My question is if there is a way to "initialize" the variable $query myself as an attacker from the outside, so that I can write my on SQL query.

This question is related to a webapp review I'm doing at the moment.

Thx in advance!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]