> that's the point. if the cracker can change only the end of
> the query, it's not so useful for him (he can at most get another id)

How about a form of DoS:

    '...where id = '.$id

with $id = '23129 or 1'

This will select all entries in the table, which could result in DoS...
So, ultimately this problem is the coder's responsibility.

Cheerio, Marc.
-----Original Message-----
From: Marc Boeren [mailto:M.Boeren@guidance.nl]
Sent: Thursday, August 14, 2003 1:08 AM
To: internals@lists.php.net
Subject: RE: [PHP-DEV] Re: PHP 4.3.3RC3 Released

Considering many PHP websites have at least one instance of this, it's
not just the coder's responsibility. PHP has had no SQL command
builder, so people have manually built the queries from argument strings
which can be as dangerous as fixed buffers on the stack in C. Mysql
doesn't allow (AFAIK) command chaining for this reason to lessen the
potential damage. Like you say, it could result in a DoS, but generally
not a total compromise. Avoiding dangerous functionality like sprintf
and chainable queries is a shared responsibility of the library designer
and the programmer that uses it.
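Added example (not code from the thread): the concatenated lookup from Marc's message and the single-statement point from the reply above, run against an in-memory SQLite table with constructed sample rows so it works stand-alone. Python's sqlite3 stands in for PHP/MySQL here; like the MySQL client API the reply describes, its execute() refuses a second statement in the same call, so `23129; DROP TABLE users` is rejected while `23129 or 1` still returns every row. The table, function and row names are mine.

```python
import sqlite3

# Constructed sample data standing in for a real users table.
SAMPLE_ROWS = [(23129, "alice"), (23130, "bob"), (23131, "carol")]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return db


def lookup_concat(db, user_id):
    """Vulnerable form: the thread's '...where id = '.$id, built by concatenation.

    Returns the selected rows, or a 'rejected: ...' string when the driver
    refuses the statement. sqlite3, like the MySQL API the reply mentions,
    executes only one statement per call, so a stacked '; DROP TABLE' fails
    while a widened WHERE clause ('23129 or 1') is accepted and selects all.
    """
    sql = "SELECT id, name FROM users WHERE id = " + user_id
    try:
        return db.execute(sql).fetchall()
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return "rejected: " + str(exc)


def lookup_bound(db, user_id):
    """Hardened form: the id travels as a bound parameter, never as SQL text.

    '23129 or 1' is then compared as a literal value against the id column
    and matches nothing; the shape of the query cannot change.
    """
    return db.execute(
        "SELECT id, name FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def lookup_validated(db, user_id):
    """Alternative for numeric keys: validate and cast before concatenating.

    Equivalent of the (int)$id idiom: anything that is not a plain decimal
    integer is refused up front, so concatenation is safe for this one case.
    """
    if not user_id.isdecimal():
        raise ValueError("id must be a non-negative integer: %r" % user_id)
    return db.execute(
        "SELECT id, name FROM users WHERE id = " + str(int(user_id))
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, "23129"))                    # one row
    print(lookup_concat(db, "23129 or 1"))               # every row: the DoS case
    print(lookup_concat(db, "23129; DROP TABLE users"))  # rejected: stacked statement
    print(lookup_bound(db, "23129 or 1"))                # []: treated as data
    print(lookup_validated(db, "23129"))                 # one row
```

Binding the value (lookup_bound) is the general fix; the isdecimal() check in lookup_validated is the equivalent of casting with (int)$id and only covers numeric keys.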
"Marc Boeren" M.Boeren@guidance.nl wrote in message
news:7BE0F4A5D7AED2119B7500A0C94C58AC3D6CCC@DELLSERVER...
A DoS is not equivalent to dropping the whole database (in the fast and soft
case...).
Most of the systems that allow searches can be DoSed easily.

moshe
At 11:18 on Thursday 14 August 2003, moshe doron wrote:
> Most of the systems that allow searches can be DoSed easily.

<joke> Why not stop supporting <form>s then? Drop $_GET, $_POST and $_REQUEST! They're EVIL! That way everyone is *really* safe from sql injection.... :-) </joke>
--
Cesare D'Amico - theboss (at) cesaredamico (dot) com
http://www.verona.linux.it - http://www.ziobudda.net
.."This is my life, if I need something I'll tell you. I'm the one who drives, I'm the one who goes off the road, always the one who pays; it has never happened that anyone paid for me..." [Ligabue]
.."But who the fuck did I buy????" - [Moratti, every summer]
Cesare D'Amico wrote:
> <joke> Why not stop supporting <form>s then? Drop $_GET, $_POST and $_REQUEST! They're EVIL! That way everyone is *really* safe from sql injection.... :-) </joke>

that's what Perl's "taint" mode is for ;)
(see http://gunther.web66.com/FAQS/taintmode.html)
--
Hartmut Holzgraefe <hartmut@php.net>