Home page logo

bugtraq logo Bugtraq mailing list archives

Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)
From: rvdm () CISTRON NL (van der Meulen, Robert)
Date: Sat, 5 Feb 2000 12:47:17 +0100

Quoting rain forest puppy (rfp () WIRETRIP NET):
----[ 3. Solution


In the end, *all* (let me repeat that... **ALL**) incoming user data
should be passed through quote(), onlynumbers(), or scrubtable()...NO
EXCEPTIONS!  Passing user data straight into a SQL query is asking for
someone to tamper with your database.

New versions of wwwthreads are available from www.wwwthreads.com, which
implement the solutions pretty much as I've described them here.

If the script acessing the database uses DBI, it's better to handle a query
the following way:

$sth=$dbh->prepare("INSERT INTO table (foo,bar) VALUES (?,?)");
$sth->execute($evil-unquoted-string, $evil-unquoted-other-string);

Using the '?' placeholders takes care of quoting, and allows re-execute()ing
the query with different parameters.
I must admit here, that not all DBI drivers support placeholders, but most do.
ofcourse catch the results, and check them. Insertion of non-numerics into
your database is checked when you actually _do_ the insert.



|      rvdm () cistron nl - Cistron Internet Services - www.cistron.nl        |
|          php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security             |
|         My statements are mine, and not necessarily cistron's.           |

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]