Subject: Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)
From: van der Meulen, Robert (rvdmCISTRON.NL)
Date: Sat Feb 05 2000 - 05:47:17 CST


Quoting rain forest puppy (rfpWIRETRIP.NET):
> ----[ 3. Solution

<cut>

> In the end, *all* (let me repeat that... **ALL**) incoming user data
> should be passed through quote(), onlynumbers(), or scrubtable()...NO
> EXCEPTIONS! Passing user data straight into a SQL query is asking for
> someone to tamper with your database.
>
> New versions of wwwthreads are available from www.wwwthreads.com, which
> implement the solutions pretty much as I've described them here.

If the script accessing the database uses DBI, it's better to handle a query
the following way:

# DBI binds each value itself; the data never becomes part of the SQL text
my $sth = $dbh->prepare("INSERT INTO table (foo,bar) VALUES (?,?)");
$sth->execute($evil_unquoted_string, $evil_unquoted_other_string);

Using the '?' placeholders takes care of quoting, and allows re-execute()ing
the query with different parameters.
I must admit here that not all DBI drivers support placeholders, but most do.
Of course, catch the results and check them. Insertion of non-numerics into
your database is checked when you actually _do_ the insert.

Greets,
        Robert/Emphyrio

--

| rvdmcistron.nl - Cistron Internet Services - www.cistron.nl |
| php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security         |
| My statements are mine, and not necessarily cistron's.      |
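The placeholder approach from the reply above, worked through end to end as an added example (this is editor-supplied code, not part of the original post, of wwwthreads, or of DBI's own documentation). It assumes DBD::SQLite is installed and uses an in-memory database; the posts table, its rows and the probe inputs are constructed for the demonstration. It shows the two things the reply asks for: bind every value through ? placeholders, and check what execute() returns. The interpolated variants are included only to show why a stray quote in user data breaks the SQL text while the bound version is unaffected.

```perl
#!/usr/bin/perl
# Added example, not from the original post, wwwthreads, or DBI itself.
# Assumes DBD::SQLite is available; table, rows and inputs are constructed.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)");

# Insert with placeholders: the values never touch the SQL text, so a quote
# in the data is just a quote. prepare() once, execute() once per row, and
# check the row count that execute() returns, as the reply recommends.
my $ins = $dbh->prepare("INSERT INTO posts (author, body) VALUES (?, ?)");
for my $row (["alice", "first post"], ["O'Reilly", "apostrophe in name"]) {
    my $rows = $ins->execute(@$row);
    die "insert affected $rows rows, expected 1" unless $rows == 1;
}

# The same insert by string interpolation: the apostrophe in O'Reilly ends
# the string literal early and the statement no longer parses at all.
my $name = "O'Reilly";
eval { $dbh->do("INSERT INTO posts (author, body) VALUES ('$name', 'x')") };
my $outcome = $@ ? "error: $@" : "ok";
chomp $outcome;
print "interpolated insert: $outcome\n";

# A lookup by author, both ways, with a constructed input that carries SQL.
# Interpolated, the input rewrites the WHERE clause and matches every row;
# bound through ?, it is compared literally and matches nothing.
my $probe = "nobody' OR '1'='1";

my $interp = $dbh->selectall_arrayref(
    "SELECT author FROM posts WHERE author = '$probe'");
my $bound  = $dbh->selectall_arrayref(
    "SELECT author FROM posts WHERE author = ?", undef, $probe);

printf "interpolated WHERE matched %d rows, placeholder matched %d rows\n",
    scalar @$interp, scalar @$bound;

$dbh->disconnect;
```

RaiseError is turned on so a failed prepare or execute throws instead of returning undef; that is the simplest way to "catch the results and check them" across every statement without testing each return value by hand, while the explicit `$rows == 1` check shows the manual form for the case where the row count itself matters.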