Thanks for the help, and for pointing out the security risk, Chris & David!

Regards,

Frank
----- Original Message ----- 
From: "Chris Shiflett" <[EMAIL PROTECTED]>
To: "David Otton" <[EMAIL PROTECTED]>; "Frank Keessen"
<[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Saturday, November 15, 2003 11:05 PM
Subject: Re: [PHP] Parse error?


> --- David Otton <[EMAIL PROTECTED]> wrote:
> > I can't be bothered to figure out a test case, but you apparently have
> > a SQL injection risk with your code. You're assuming that the data from
> > the client is correct.
>
> This is a very good point. To highlight an example in the sample code you
> provided (that David is referencing, I assume), look at the following:
>
> >     foreach ($_POST['accomodatieid'] as $Key => $Value)
> >     {
> >          $query = "INSERT INTO ttra (reisid, accomodatieid)
> >                    VALUES ($id2, $Value)";
> >          $result = mysql_query ($query)
>
> You're using values from $_POST (which can be anything, since it's data
> supplied by a user, potentially a malicious one) directly in the SQL
> statement that you send to MySQL. This grants a lot of power and
> flexibility to the user, which is very dangerous.
>
> In addition, you loop through $_POST, so that even unexpected data might
> be used. This is even worse than expected data with an unexpected format.
>
> To fix this, assign the data you find in $_POST to another variable (or
> array) once you determine that it is valid. For example:
>
> $safe = array();
> if ($_POST['foo'] is valid data)
> {
>      $safe['foo'] = $_POST['foo'];
> }
>
> Then, you can use the $safe array, and only a flaw in your data filtering
> (whatever code you use for "is valid data" above) will create the same
> security hole that you currently have.
>
> Hope that helps.
>
> Chris
>
> =====
> Chris Shiflett - http://shiflett.org/
>
> PHP Security Handbook
>      Coming mid-2004
> HTTP Developer's Handbook
>      http://httphandbook.org/
> RAMP Training Courses
>      http://www.nyphp.org/ramp
>
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

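The filtering pattern Chris describes, applied to the accomodatieid loop from the quoted code, as an added example that is not part of this thread; it assumes PHP 7 or later, and the function names and the sample input standing in for $_POST are constructed:

```php
<?php
// Added example (not from the thread): the "$safe array" pattern applied to
// the accomodatieid loop. Function names are hypothetical; ttra, reisid and
// accomodatieid are the table and columns from the quoted code.

// Keep only values that are valid accommodation ids (positive integers).
// Anything else, including unexpected keys or shapes, is dropped, not used.
function filterAccommodationIds(array $post): array
{
    $safe = array();
    if (!isset($post['accomodatieid']) || !is_array($post['accomodatieid'])) {
        return $safe;                        // nothing usable was submitted
    }
    foreach ($post['accomodatieid'] as $value) {
        $id = filter_var($value, FILTER_VALIDATE_INT,
                         array('options' => array('min_range' => 1)));
        if ($id !== false) {
            $safe[] = $id;                   // now a real int, not user text
        }
    }
    return array_values(array_unique($safe));
}

// Build the INSERT statements from $safe only. Every element is an int that
// the application validated itself, so interpolating it cannot alter the SQL.
function buildInsertQueries(int $reisid, array $safeIds): array
{
    $queries = array();
    foreach ($safeIds as $id) {
        $queries[] = sprintf(
            "INSERT INTO ttra (reisid, accomodatieid) VALUES (%d, %d)",
            $reisid, $id);
    }
    return $queries;
}

// Constructed input standing in for $_POST: two good ids, three rejected
// values (non-numeric text, a number with trailing text, and a non-positive id).
$fakePost = array('accomodatieid' => array('12', 'abc', '7', '7 apples', '-3'));
$safeIds  = filterAccommodationIds($fakePost);       // array(12, 7)
foreach (buildInsertQueries(42, $safeIds) as $query) {
    echo $query, "\n";                      // each is safe to hand to the DB
}
```

With a driver that supports them (mysqli or PDO), a prepared statement with bound parameters is the preferable way to send the validated ids, but the filtering step above is still what keeps unexpected input out of the application.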