On Thursday, Aug 14, 2003, at 00:45 US/Pacific, Steven Brown wrote:

On Thu, 14 Aug 2003, moshe doron wrote:


What about hacking somehow the sqlite library to disallow chained
queries (or at least do it optionally)?

This behavior is a *huge* security hole; it allows a cracker to drop your
database using a simple select-where query.

How is this a security hole?

E.g.,


$id = "0; drop bar";   // attacker-controlled value, never validated or quoted
lamesql_query("select foo from bar where id = $id");   // the library runs both statements: the select, then the drop

I've read this entire thread, and while I think the thread is well taken in toto, I'm wondering why it is that:


$id = intval( "0; drop bar" );   // intval() yields 0 here: everything after the leading digits is discarded

if( $id > 0 )
{
    // Escape and quote the *value*, not the finished query string
    // (escaping the whole query would also mangle its own quotes)
    $safe_id = some_escape_string_function( $id );
    lamesql_query( "select foo from bar where id = '$safe_id'" );
}
else
{
    // Error?
}


is so much harder to program or remember to do - it's just second nature once you get in the habit of doing it.

Failing to account for one of the core cardinal rules that you never ever ever trust user input as a programmer is just bad programming, not the fault of the language you do it in, just as it wouldn't be the fault of the text editor you used or the computer you were working on.

Casting and escape_string()'ing and quoting your field values are just some of the good practices when working with a database or dropping out to a shell. However you go about it, it's imperative to understand your underlying data, datasource, and exactly how the data gets sent to and from your datasource.

The security hole described herein lies almost entirely on the programmer...and probably should.

-- mjh


-- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
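Both sides of the exchange above, as an added example that is not part of the original thread or of PHP's sqlite extension. Python's built-in sqlite3 module is used because it exposes the two SQLite entry points the thread is really arguing about: executescript(), which runs every statement in the string the way sqlite3_exec() does, and execute(), which compiles exactly one statement (sqlite3_prepare) and refuses trailing SQL, i.e. the "disallow chained queries" behaviour asked for. The table "bar", its one row, the injected value, the php_intval() approximation of PHP's intval() and the function names are all constructed for this example.

```python
import re
import sqlite3

# Constructed attacker-controlled input, modelled on the thread's "0; drop bar"
# but spelled out as valid SQLite DDL so the chained statement actually runs.
INJECTED_ID = "0; drop table bar"


def make_db():
    """Fresh in-memory database with the thread's 'bar' table and one row."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "create table bar (id integer primary key, foo text);"
        "insert into bar values (1, 'hello');"
    )
    return con


def table_exists(con, name="bar"):
    """True if a table of that name is still present in the schema."""
    row = con.execute(
        "select count(*) from sqlite_master where type = 'table' and name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


def chained_exec(con, user_id):
    """The hole described in the thread: the untrusted value is pasted into the
    SQL text and handed to an entry point that runs *every* statement in the
    string (executescript() behaves like sqlite3_exec() here).
    Returns whether 'bar' survived the call."""
    con.executescript(f"select foo from bar where id = {user_id}")
    return table_exists(con)


def single_statement_exec(con, user_id):
    """Same string interpolation, but execute() compiles one statement and
    rejects anything left over after it, so the 'drop' never runs. Older
    Pythons signal this with sqlite3.Warning, newer ones with
    sqlite3.ProgrammingError; both are caught."""
    try:
        con.execute(f"select foo from bar where id = {user_id}").fetchall()
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return "rejected", table_exists(con)
    return "ran", table_exists(con)


def php_intval(value):
    """Approximation of PHP's intval() on a string: an optional sign and the
    leading digits are parsed, everything after them (including '; drop ...')
    is discarded, and a non-numeric prefix yields 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def cast_then_query(con, user_id):
    """mjh's approach: cast to an integer before building the query. After the
    cast the interpolated text can only ever be digits, so there is nothing
    left to inject. The thread's '// Error?' branch returns no rows."""
    safe_id = php_intval(user_id)
    if safe_id > 0:
        rows = con.execute(f"select foo from bar where id = {safe_id}").fetchall()
    else:
        rows = []
    return rows, table_exists(con)


def bound_param_query(con, user_id):
    """Parameter binding: the value never becomes part of the SQL text, so the
    ';' inside it can never reach a statement boundary. A non-numeric string
    simply fails to match any integer id."""
    rows = con.execute("select foo from bar where id = ?", (user_id,)).fetchall()
    return rows, table_exists(con)


if __name__ == "__main__":
    print("chained exec, table survives:", chained_exec(make_db(), INJECTED_ID))
    print("single statement:", single_statement_exec(make_db(), INJECTED_ID))
    print("cast first:", cast_then_query(make_db(), INJECTED_ID))
    print("bound parameter:", bound_param_query(make_db(), INJECTED_ID))
```

Each function gets its own fresh database so the results are independent. Only chained_exec() loses the table; the single-statement API rejects the string outright, and both the cast and the bound parameter run the query harmlessly with no rows returned for the injected value.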


