Newsgroups: php.internals
Xref: news.php.net php.internals:3909
From: swbrown@ucsd.edu ("Steven Brown")
To: "'Marc Boeren'" ,
Date: Thu, 14 Aug 2003 01:15:33 -0700
Subject: RE: [PHP-DEV] Re: PHP 4.3.3RC3 Released
Message-ID: <000201c3623c$3bfa11f0$1b0fa518@swbrown>
In-Reply-To: <7BE0F4A5D7AED2119B7500A0C94C58AC3D6CCC@DELLSERVER>
References: <7BE0F4A5D7AED2119B7500A0C94C58AC3D6CCC@DELLSERVER>

> -----Original Message-----
> From: Marc Boeren [mailto:M.Boeren@guidance.nl]
> Sent: Thursday, August 14, 2003 1:08 AM
> To: internals@lists.php.net
> Subject: RE: [PHP-DEV] Re: PHP 4.3.3RC3 Released
>
> > > that's the point. if the cracker can change only the end of
> > > the query, it's not so useful for him (at most he can get
> > > another id)
>
> How about a form of DoS:
>
> '...where id = '.$id
>
> with $id = '23129 or 1'
>
> this will select all entries in the table which could result in DoS...
>
> So, ultimately this problem is the coder's responsibility.

Considering _many_ PHP websites have at least one instance of this, it's not just the coder's responsibility.
PHP has had no SQL command builder, so people have manually built the queries from argument strings, which can be as dangerous as fixed buffers on the stack in C. MySQL doesn't allow (AFAIK) command chaining for this reason, to lessen the potential damage. Like you say, it could result in a DoS, but generally not a total compromise. Avoiding dangerous functionality like sprintf and chainable queries is a shared responsibility of the library designer and the programmer that uses it.
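As an added example (not code from this thread or from PHP itself), here is the `'...where id = '.$id` construction from the quoted message with `$id = '23129 or 1'`, run against a small table, beside two ways of closing it: rejecting non-integer ids before the string is built, and passing the value as a prepared-statement parameter. It assumes PDO with an in-memory SQLite database (rather than the MySQL of the thread) and a constructed `items` table of three rows.

```php
<?php
// Added example, not from the thread. In-memory SQLite via PDO so it runs
// without a MySQL server; the items table and its rows are constructed here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)');
$insert = $db->prepare('INSERT INTO items (id, name) VALUES (?, ?)');
foreach ([[1, 'alpha'], [2, 'beta'], [3, 'gamma']] as [$rowId, $name]) {
    $insert->execute([$rowId, $name]);
}

$id = '23129 or 1';   // the attacker-controlled value from the message

// 1. Vulnerable: the value is spliced into the SQL text. "or 1" is always
//    true, so the WHERE clause stops restricting anything and every row is
//    returned; on a large table that is the DoS the thread describes.
$vulnerable = 'SELECT * FROM items WHERE id = ' . $id;
$rows = $db->query($vulnerable)->fetchAll(PDO::FETCH_ASSOC);
echo "vulnerable query returned " . count($rows) . " of 3 rows\n";

// 2. Validate the type before the string is built: an id is an integer,
//    so anything that is not a run of digits is rejected outright.
function fetchById(PDO $db, string $id): array
{
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    $stmt = $db->query('SELECT * FROM items WHERE id = ' . (int) $id);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
try {
    fetchById($db, $id);
} catch (InvalidArgumentException $e) {
    echo "validated lookup rejected the value: " . $e->getMessage() . "\n";
}

// 3. Prepared statement: the value travels as a bound parameter, never as
//    SQL text, so "23129 or 1" is compared as a literal and matches no id.
$stmt = $db->prepare('SELECT * FROM items WHERE id = :id');
$stmt->execute([':id' => $id]);
echo "prepared query returned " . count($stmt->fetchAll(PDO::FETCH_ASSOC)) . " rows\n";
```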