> -----Original Message-----
> From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 14, 2003 10:53 PM
> To: Steven Brown
> Cc: [EMAIL PROTECTED]
> Subject: RE: [PHP-DEV] Re: PHP 4.3.3RC3 Released
>
>
> On Thu, 14 Aug 2003, Steven Brown wrote:
> > I found an example of passing unvalidated input into a SQL query, I
> > didn't say it would lead to an exploit. The point was, yes, even you
> > guys make this mistake. It's not a "Well, you should have learned to
> > write secure code" type of issue. Everyone makes this mistake
> > occasionally.
>
> Unvalidated in what sense? We don't validate for multiple
> queries because we have no need to do so.
Unvalidated in that I could modify the SQL query, as my text in the URL made it into the query unvalidated, unquoted, and unescaped.

To recap the thread, the argument was originally between moshe and the list that sqlite's chained queries (I assume something like "select * from foo; drop foo") were a security hazard and should be disabled because it upgrades all SQL command validation bugs (possible database compromise bugs, e.g., modification of certain UPDATEs) to guaranteed database compromise bugs. The list presented the argument that any validation bug is the sign of a bad programmer not validating user input, so this was a non-issue:

(Derick): Well, that's not our problem if people don't verify user input. Every article dealing with the simplest security problem mentions this. I don't think it's a good idea to break this functionality. (yes, even MySQL has this in version 4.1+)

(Derick): But it's a *user* problem (the developer), not a PHP problem. PHP should not break nice functionality in an extension (such as chaining queries) because of people too lazy to verify user input.

I jumped in at this point and pointed out that all developers occasionally have validation mistakes in their code, php.net included (see my earlier post with an example query against php.net). It's the wrong mindset to think "any bug should be a full compromise bug, as it's the programmer's fault".

My proposed solution was to only allow something as dangerous as chained queries to be used through a SQL command builder interface, and ideally to deprecate the query functions that accept query strings. There are too many PHP hacks happening already due to SQL injections. There's no reason for this to be a class of bug at all. A command builder totally eliminates this kind of bug.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
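The three positions in the thread (chaining allowed, chaining refused, command builder with bound parameters) side by side, as an added example that is not part of the original mail. It uses Python's sqlite3 module rather than PHP's sqlite extension because the same distinction exists there: `executescript` runs a whole `;`-separated script, `execute` refuses more than one statement, and `?` placeholders bind input as data. The table, row, and function names are constructed for the example.

```python
"""Why chained statements turn an SQL quoting bug into a database-compromise
bug, shown with Python's sqlite3 module against an in-memory database."""
import sqlite3

# Constructed attacker-style input: closes the quoted literal, appends a
# second statement, and reopens a literal so the whole script still parses.
INJECTED = "x'; DROP TABLE foo; SELECT '"


def make_db():
    """Constructed sample schema standing in for an application table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO foo (name) VALUES ('alice')")
    conn.commit()
    return conn


def table_exists(conn, name="foo"):
    sql = "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?"
    return conn.execute(sql, (name,)).fetchone()[0] == 1


def run_chained(conn, user_input):
    """The hazard the thread describes: unescaped text spliced into SQL and
    handed to an API that runs every ';'-separated statement (executescript
    here, chained queries in the sqlite extension). Returns whether the
    table survived."""
    conn.executescript(f"SELECT name FROM foo WHERE name = '{user_input}'")
    return table_exists(conn)


def lookup_single(conn, user_input):
    """Same string-built query through an API limited to one statement. The
    quoting bug remains (try "x' OR '1'='1"), but it can no longer escalate
    to a DROP: the extra statement is refused and None is returned."""
    sql = f"SELECT name FROM foo WHERE name = '{user_input}'"
    try:
        return [r[0] for r in conn.execute(sql).fetchall()]
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return None


def lookup_bound(conn, user_input):
    """The command-builder approach: SQL text is fixed and the input travels
    as a bound parameter, so it can never change the statement."""
    sql = "SELECT name FROM foo WHERE name = ?"
    return [r[0] for r in conn.execute(sql, (user_input,)).fetchall()]
```

Refusing chained statements only caps the damage (`lookup_single` still leaks every row for a quote-breaking input); binding the parameter removes the bug class.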