Overwriting an uninitialized local variable in PHP
From: Kellox <kellox () my-mail ch>
Date: Wed, 21 Feb 2007 16:32:37 +0100
I'm dealing with a PHP application backed by a MySQL DB.
A PHP script looks like this:
$sort_mode = $_GET['sort'];
if ($sort_mode == 'ascendend') $query = "....";
else if ($sort_mode == 'descendend') $query = "....";
// no final else: $query stays unset for any other value of $sort_mode
mysql_query($query) or die();
This script does actually contain a serious problem because
$sort_mode is not sanitized. But this variable is never used in a SQL
query, so even if you modify the GET parameter to become a SQL injection,
it won't be executed by the DB because this variable is not passed to
the engine. The actual variable containing the query is $query. But
since there's no else clause, $query is uninitialized when you pass a
string to the variable $sort_mode that is not handled by the
if-then-else statement (e.g. $sort_mode = 'does_not_exist').
My question is whether there is a way to "initialize" the variable $query
myself as an attacker from the outside, so that I can write my own SQL query.
This question is related to a webapp review I'm doing at the moment.
Thx in advance!
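The following is an added example, not code from the original post or from the application under review. It reproduces the post's pattern under one stated assumption: that the target runs with register_globals=On, the PHP directive (default Off since PHP 4.2.0, removed in 5.4) that copies every request parameter into a same-named global variable. Because the directive cannot be switched on at run time, the effect is emulated here with extract(), which legacy code often did by itself; the request array, the table and column names and the function names are all constructed for the example. The hardened function beside it initialises $query itself and lets user input only pick from a whitelist.

```php
<?php
// Added example (not code from the original post or the reviewed application).
// Assumption: the target behaves as if register_globals=On, emulated below
// with extract() because the directive cannot be enabled at run time.

// Constructed request: an unrecognised sort mode plus an extra "query"
// parameter that the script never reads explicitly.
$request = [
    'sort'  => 'does_not_exist',
    'query' => 'SELECT login, password FROM users',
];

// The post's script as it behaves under register_globals. Returns the SQL
// string that would reach mysql_query(), or null if $query was never set.
function run_vulnerable(array $get): ?string
{
    extract($get);                       // register_globals emulation: creates $sort, $query, ...
    $sort_mode = $get['sort'];
    if ($sort_mode == 'ascendend') {
        $query = 'SELECT id, name FROM items ORDER BY name ASC';
    } elseif ($sort_mode == 'descendend') {
        $query = 'SELECT id, name FROM items ORDER BY name DESC';
    }
    // No else branch: for any other sort value $query keeps whatever the
    // request put there. Without register_globals it would simply be unset
    // and mysql_query() would fail with "Query was empty".
    return isset($query) ? $query : null;
}

// Hardened form: the query variable is always initialised by the script
// itself, and user input only selects an entry from a fixed whitelist.
function run_hardened(array $get): string
{
    $directions = ['ascendend' => 'ASC', 'descendend' => 'DESC'];
    $sort_mode  = isset($get['sort']) ? $get['sort'] : 'ascendend';
    if (!array_key_exists($sort_mode, $directions)) {
        $sort_mode = 'ascendend';        // safe default; rejecting the request is equally fine
    }
    $query = 'SELECT id, name FROM items ORDER BY name ' . $directions[$sort_mode];
    return $query;
}

echo "vulnerable: ", var_export(run_vulnerable($request), true), PHP_EOL;
echo "hardened:   ", run_hardened($request), PHP_EOL;
```

Under the stated assumption a request such as ?sort=does_not_exist&query=... makes the attacker-supplied string the one handed to mysql_query(); with the directive off (or with extract() absent) the variable is merely unset and the call fails. Either way, the fix is the same: assign $query in every path and never derive it from anything the request controls.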