On 30/03/11 08:34, Olaf van der Spek wrote:
> On Wed, Mar 30, 2011 at 5:58 AM, Brian Moon <[email protected]> wrote:
>> Why does it need to know any type? The only important type is the expected
>> type. The actual variable type is not important as it is not always
>> indicative of the data within in PHP.
> That's what I'm asking you. IMO it doesn't need to know any type.
> If it really does, using %d and %s instead of ? solves that problem.
I believe there are cases where string -> int type conversion has a
performance cost (although I can't think of one right now).
On the pro side, quoting int types would stop the 1=1 type injections.
But at the same time these could be filtered out on the PHP side if we
know the column needs to be an int.
I'm guessing what Olaf is proposing is basically every '?' replacement
goes through drizzle_escape_string() before being appended to the query.
In theory this is fine but I'd want to extensively test it, especially
with varbinary/blob types.
To be honest, that is not the only problem; I've seen SQL injection on
the table names too. A true processor for this would be able to replace
table and column names correctly.
There are several other things we can possibly do here though, such as:
1. By default multi-statements (i.e. more than one SQL statement in a
single query) are disabled in libdrizzle and I think on the drizzle PHP
module side too. But the Drizzle server needs to support this flag
properly.
2. Have a NoSQL, OO type interface too (hard to SQL inject when there is
no SQL). I'm thinking similar to NDBAPI but maybe a bit more
human-friendly.
3. Make the PHP module use the SELECT EXECUTE() syntax with user vars
for prepared statements. I'm not sure if you can inject using that; I
will have to play with it. If you can, it shouldn't be too hard to make
a safer version of it.
Basically you will never be entirely safe in any language unless your
inputs are sanitized correctly (as Bobby Tables' mother will tell you),
and with languages such as PHP having a low entry bar (not a bad thing),
unfortunately there are a lot of very vulnerable apps out there.
Kind Regards
--
Andrew Hutchings - LinuxJedi - http://www.linuxjedi.co.uk/
_______________________________________________
Mailing list: https://launchpad.net/~drizzle-discuss
Post to: [email protected]
Unsubscribe: https://launchpad.net/~drizzle-discuss
More help: https://help.launchpad.net/ListHelp
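The two substitution schemes argued over in this thread, as an added example that is not code from the thread, from libdrizzle or from the drizzle PHP module. It is written in Python rather than PHP so it runs stand-alone: `escape_string` is a hand-written stand-in for `drizzle_escape_string()` (it assumes a single-byte or UTF-8 connection charset), `bind_escape_only` is the "run every `?` through the escaper and append" scheme, and `bind_typed` is the `%d`/`%s` idea, extended with an `%i` identifier specifier for the table-name case. The specifier names, the identifier whitelist and the sample queries are this example's own assumptions.

```python
import re

# Stand-in for drizzle_escape_string() / mysql_real_escape_string(): prefixes
# the characters those functions escape with a backslash. Assumption for this
# demo: a single-byte or UTF-8 connection charset (the real function is
# charset-aware, which matters for multibyte charsets such as GBK).
_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
            "'": "\\'", '"': '\\"', "\x1a": "\\Z"}


def escape_string(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def bind_escape_only(template: str, params) -> str:
    """Replace every '?' with the escaped (but not quoted) parameter.

    Only placeholders the template itself wraps in quotes are protected: a
    bare numeric placeholder gets nothing, because a payload such as
    "1 OR 1=1" contains no character the escaper touches.
    """
    parts = template.split("?")
    if len(parts) != len(params) + 1:
        raise ValueError("placeholder/parameter count mismatch")
    out = [parts[0]]
    for value, tail in zip(params, parts[1:]):
        out.append(escape_string(str(value)))
        out.append(tail)
    return "".join(out)


# Hypothetical specifiers for this demo:
#   %s  string: escaped and single-quoted
#   %d  integer: must be an integer literal, so "1 OR 1=1" is rejected
#   %i  identifier (table/column name): whitelisted and backtick-quoted,
#       because escaping cannot protect a name that is never quoted
#   %%  literal percent (so LIKE '%foo%' templates still work)
_SPEC = re.compile(r"%(%|[sdi])")
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
_INT = re.compile(r"[+-]?[0-9]+")
_END = object()


def bind_typed(template: str, params) -> str:
    it = iter(params)

    def sub(match):
        spec = match.group(1)
        if spec == "%":
            return "%"
        value = next(it, _END)
        if value is _END:
            raise ValueError("not enough parameters")
        text = str(value)
        if spec == "s":
            return "'" + escape_string(text) + "'"
        if spec == "d":
            if not _INT.fullmatch(text):
                raise ValueError(f"not an integer: {text!r}")
            return str(int(text))
        # spec == "i"
        if not _IDENT.fullmatch(text):
            raise ValueError(f"bad identifier: {text!r}")
        return f"`{text}`"

    out = _SPEC.sub(sub, template)
    if next(it, _END) is not _END:
        raise ValueError("too many parameters")
    return out


def rejects(template: str, params) -> bool:
    """True if bind_typed refuses the parameters (used to check the negatives)."""
    try:
        bind_typed(template, params)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: the escape-only scheme lets the classic
    # 1=1 payload straight through an unquoted placeholder...
    print(bind_escape_only("SELECT * FROM users WHERE id = ?", ["1 OR 1=1"]))
    # ...while the typed scheme validates the int and the table name.
    print(bind_typed("SELECT * FROM %i WHERE id = %d AND name = %s",
                     ["users", 7, "O'Brien"]))
    print(rejects("SELECT * FROM users WHERE id = %d", ["1 OR 1=1"]))
    print(rejects("SELECT * FROM %i", ["users; DROP TABLE users"]))
```

The point the thread makes falls out of the first two calls: escaping is only a defence where the template quotes the value, so an integer placeholder has to be either quoted or validated, and a table or column name has to be handled as an identifier rather than as a string.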