Hi,

Ezequiel Gutesman wrote:
> Going back to Stefan's example:
>
>> $sql['id'] = mysql_real_escape_string($_GET['id']);
>> $query = "SELECT * FROM table WHERE id=".$sql['id']
>
> It is true that GRASP won't raise an alarm unless $sql['id'] has
> non-numeric characters. This was a design decision since our description
> of an attack does not include this example. After analyzing this
> example, we cannot see how an attacker could perform a SQL-Injection
> attack only with numeric characters; that's why GRASP will not detect
> this as an attack.

Unless I'm missing something, in this example I don't see anything forcing 'id' to be actually numerical. Unless it is forced to be numerical, see http://webappsec.org/projects/articles/091007.shtml#p4 for an example of how to exploit it, even with mysql_real_escape_string().

- Markus

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
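The pattern the thread is arguing about, with two hardened forms beside it. This is an added example, not code from the thread, from Stefan's original mail or from GRASP; the use of addslashes() as a stand-in for mysql_real_escape_string(), the PDO handle $pdo and the backticked table name are assumptions.

```php
<?php
// Added example (not from the thread or GRASP). Shows why escaping alone does
// not protect an unquoted numeric column, and two ways to force 'id' to be numeric.

// mysql_real_escape_string() only escapes NUL, \n, \r, \, ', " and \x1a.
// A value containing none of those passes through unchanged, and in the
// unquoted context "WHERE id=" . $value the database reads it as raw SQL.
function vulnerable_query(string $id): string {
    // Same shape as Stefan's example; kept only to contrast with the fixes.
    $escaped = addslashes($id);   // assumption: stand-in for mysql_real_escape_string()
    return "SELECT * FROM `table` WHERE id=" . $escaped;
}

// Fix 1: validate the type before the value ever reaches the query string.
// ctype_digit() accepts only the characters 0-9, so nothing else can be appended.
function safe_query_validated(string $id): ?string {
    if (!ctype_digit($id) || strlen($id) > 10) {
        return null;              // reject; do not try to "clean" the value
    }
    return "SELECT * FROM `table` WHERE id=" . (int) $id;
}

// Fix 2: keep data out of the SQL text entirely with a prepared statement.
// $pdo (an open PDO connection) is an assumption for the example.
function safe_query_prepared(PDO $pdo, string $id): ?array {
    if (!ctype_digit($id)) {
        return null;
    }
    $stmt = $pdo->prepare("SELECT * FROM `table` WHERE id = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a plain number, and one that merely contains a space and a letter.
// The second passes addslashes() untouched but is rejected by the validated form.
var_dump(vulnerable_query("42 x") === "SELECT * FROM `table` WHERE id=42 x"); // bool(true)
var_dump(safe_query_validated("42"));    // string(...) "SELECT * FROM `table` WHERE id=42"
var_dump(safe_query_validated("42 x"));  // NULL: rejected before reaching the database
```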