> -----Original Message-----
> From: John Coggeshall [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 14, 2003 10:17 PM
> To: Steven Brown
> Cc: 'moshe doron'; PHP Internals
> Subject: RE: [PHP-DEV] Re: PHP 4.3.3RC3 Released
>
> > It's insanely easy to make such mistakes though, and php.net is full
> > of such problems (I found 2 in 15 minutes), so it's not a 'stupid
>
> I'd like to hear where these problems are, off list of course.

I already posted one example in this thread.

> UPDATE auth_user set password='foo' WHERE username='admin' --
> WHERE username='realusername'
>
> As you can see, even in mysql it is very easy to do evil
> despite your claims.

But you had to do that on an UPDATE query, and you couldn't inject arbitrary SQL. Compare that to the alternative of string-built chained queries, where you can do whatever you want 100% of the time.

That's the point, not to make every mistake a guaranteed 100% full exploit by properly designing the interface, e.g., requiring a SQL command builder interface. Same reason UNIX has more than just 'root'; you might hack 'games', but it might not lead to a full compromise.

> IMO and I believe the opinion of most of
> the internals community it is not the responsibility of PHP
> to correct these and other potential security holes.
>
> Please let this issue drop.

I'll let it drop, but I think your views will result in dangerous interfaces and I hope you reconsider. If you enable chained queries in the mysql extension as-is for example, it will enable a massive flood of hacking.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
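
The interface difference argued over in this message, as an added example that is not part of the original thread: the same string-built UPDATE is sent through a one-statement call, a chained-statement call, and a bound-parameter call. Python's `sqlite3` stands in for the PHP mysql extension (an assumption), and the function names and sample rows are hypothetical; only the `auth_user` table name comes from the post.

```python
import sqlite3

def fresh_db():
    """In-memory table named after the one in the post; rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE auth_user (username TEXT PRIMARY KEY, password TEXT);"
        "INSERT INTO auth_user VALUES ('admin', 'adminpw');"
        "INSERT INTO auth_user VALUES ('realusername', 'userpw');"
    )
    return db

def passwords(db):
    return dict(db.execute("SELECT username, password FROM auth_user"))

def build_update(new_password, username):
    # String-built query: caller input is pasted straight into the SQL text.
    return (f"UPDATE auth_user SET password='{new_password}' "
            f"WHERE username='{username}'")

def run_single_statement(db, sql):
    # execute() accepts exactly one statement, like a non-chained query call.
    try:
        db.execute(sql)
        return "executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return "rejected"

def run_chained(db, sql):
    # executescript() runs every ';'-separated statement it is given.
    db.executescript(sql)

def run_bound(db, new_password, username):
    # Bound parameters: input travels as data and is never parsed as SQL.
    db.execute("UPDATE auth_user SET password=? WHERE username=?",
               (new_password, username))

# Constructed inputs for the "new password" field.
TRUNCATE = "foo' WHERE username='admin' --"
STACKED = "foo'; INSERT INTO auth_user VALUES ('injected', 'x'); --"

if __name__ == "__main__":
    for label, runner in (("single", run_single_statement), ("chained", run_chained)):
        for value in (TRUNCATE, STACKED):
            db = fresh_db()
            print(label, runner(db, build_update(value, "realusername")), passwords(db))
    db = fresh_db()
    run_bound(db, TRUNCATE, "realusername")
    print("bound", passwords(db))
```

The one-statement call still lets the comment-truncated UPDATE through but refuses the stacked input before anything runs, while only the bound-parameter call leaves the `admin` row untouched in both cases.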