On Sat, 14 Apr 2001, Daniel Fisher wrote:

> There's something that I've always feared about interfacing with a database
> through the web:
>
> Let's say, that I create a table named 'USER_TABLE' with the following
> columns:
> ID INTEGER PRIMARY KEY NOT NULL
> FIRST_NAME VARCHAR(128)
> LAST_NAME VARCHAR(128)
> EMAIL_ADDRESS VARCHAR(128)
>
> Let's also say that I made a cgi script that took a parameter named 'ID' and
> displayed the user information appropriate for that ID by going into the
> database and performing the following statement:
>
> "SELECT * FROM USER_TABLE WHERE ID=".$query->param('ID')
>
> What I'm afraid of, is that in some databases, could the end user of the
> script wreak havoc on my database by "piggybacking" another SQL statement
> onto mine?

This is a hazard for any kind of data retrieved from a form via CGI.  You
should always validate data before passing it into your script.  I usually
have an intermediate script or function that validates the data before
passing it on.  In your example, it would fail because the ID value passed
was not an integer.

> For an attack of this type, it would be fairly easy to verify that the ID
> being passed is an integer and does not contain any non-numeric characters,
> *but* I'm sure that there are times that folks do want to select on
> alpha-numeric entries and then this attack could be used.

Again, you would have to validate the parameter before passing it into the
script.  You could, for instance, make your alphanumeric IDs a specific
pattern like GH156, and use Perl's superb pattern matching facilities to
validate it.

The same problem exists for scripts that use the system() call -- you have
to validate any data passed to it before making the call.  You should
NEVER assume any data passed to your script is valid, and you need to
prove to the software that it is valid before any processing is done on
it.  This has been a frequent problem in C programs that don't check the
sizes of data passed into it (especially for statically allocated data
structures), resulting in a buffer overflow in some cases and being
vulnerable to security breaches.  This is just safe programming practice,
especially when the data is coming from an untrusted source, and when you
are doing stuff on the web, there are no trusted sources of data.

-- Brett
                                   http://www.chapelperilous.net/btfwk/
------------------------------------------------------------------------
A man is already halfway in love with any woman who listens to him.
                -- Brendan Francis
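Added example, not from the thread and written in Python with sqlite3 rather than Perl/DBI: Daniel's concatenated query beside the validate-then-bind form Brett recommends, run against a constructed copy of USER_TABLE.

```python
import re
import sqlite3

# Constructed sample rows standing in for Daniel's USER_TABLE.
SAMPLE_ROWS = [
    (1, "Ada", "Lovelace", "ada@example.invalid"),
    (2, "Alan", "Turing", "alan@example.invalid"),
]


def fresh_db():
    """In-memory database with the schema from the post and two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE USER_TABLE ("
        "ID INTEGER PRIMARY KEY NOT NULL, FIRST_NAME VARCHAR(128), "
        "LAST_NAME VARCHAR(128), EMAIL_ADDRESS VARCHAR(128))"
    )
    conn.executemany("INSERT INTO USER_TABLE VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, raw_id):
    """The pattern Daniel worries about: the parameter is glued into the SQL."""
    return conn.execute("SELECT * FROM USER_TABLE WHERE ID=" + raw_id).fetchall()


# Shape an ID is allowed to have.  For an alphanumeric scheme like GH156 you
# would use a pattern such as r"^GH\d{3}$" instead; here IDs are integers.
ID_PATTERN = re.compile(r"^\d{1,9}$")


def is_valid_id(raw_id):
    """Brett's advice: prove the value has the expected shape before using it."""
    return ID_PATTERN.match(raw_id) is not None


def lookup_safe(conn, raw_id):
    """Validation first, then a bound parameter so the value is never SQL syntax."""
    if not is_valid_id(raw_id):
        raise ValueError("rejected ID parameter: %r" % (raw_id,))
    return conn.execute("SELECT * FROM USER_TABLE WHERE ID=?", (raw_id,)).fetchall()


if __name__ == "__main__":
    db = fresh_db()
    print(lookup_unsafe(db, "1 OR 1=1"))   # every row, not just ID 1
    print(lookup_safe(db, "2"))            # only Alan's row
```

Binding alone already stops the piggybacked clause; the shape check on top of it rejects the request before the database ever sees it, which is also where you would log it.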
