On Wed, Mar 30, 2011 at 11:08 AM, Andrew Hutchings <[email protected]> wrote:
> I'm guessing what Olaf is proposing is basically every '?' replacement goes
> through drizzle_escape_string() before being appended to the query. In
> theory this is fine but I'd want to extensively test it, especially with
> varbinary/blob types.

Testing is always good.

> To be honest, that is not the only problem, I've seen SQL injection on the
> table names too. A true processor for this would be able to replace table
> and column names correctly.

Good point. But that's also easy to solve.

> There are several other things we can possibly do here though, such as:
>
> 1. By default multi-statements (i.e. more than one SQL statement in a single
> query) are disabled in libdrizzle and I think on the drizzle PHP module side
> too. But the Drizzle server needs to support this flag properly.

No benefit if the above is implemented.

> 2. Have a NoSQL, OO type interface too (hard to SQL inject when there is no
> SQL). I'm thinking similar to NDBAPI but maybe a bit more human-friendly.

Might be nice, but it can't entirely replace the normal interface, so the above still needs to be implemented.

> 3. Make the PHP module use the SELECT EXECUTE() syntax with user vars for
> prepared statements. I'm not sure if you can inject using that, will have
> to play; if you can, it shouldn't be too hard to make a safer version of it.

What's the benefit over my suggestion?

> Basically you will never be entirely safe in any language unless your inputs
> are sanitized correctly (as Bobby Tables' mother will tell you), and with
> languages such as PHP having a low entry bar (not a bad thing) unfortunately
> there are a lot of very vulnerable apps out there.

I blame the developer that only added mysql_query() without adding a proper safe API. It really isn't that hard to solve this.

Who's responsible for the Drizzle PHP connector?

-- 
Olaf
_______________________________________________
Mailing list: https://launchpad.net/~drizzle-discuss
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~drizzle-discuss
More help   : https://help.launchpad.net/ListHelp
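The '?' placeholder scheme discussed in this thread, extended to the table and column names Andrew raises, as an added example (not code from the thread, from libdrizzle or from the Drizzle PHP module): a small C query builder in which '?' binds the next parameter as an escaped, quoted value and '??' binds it as a validated, backtick-quoted identifier, since a name cannot be made safe by string escaping and has to be checked against an identifier grammar instead. escape_value is a local stand-in for drizzle_escape_string() so the example runs offline; the '??' convention and all function names are assumptions made here.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
/* Stand-in for drizzle_escape_string(): backslash-escape a value for use inside
 * single quotes. Returns bytes written, or -1 if the output does not fit. */
static int escape_value(const char *in, char *out, size_t outsz) {
    size_t n = 0;
    for (; *in; in++) {
        char rep = *in == '\n' ? 'n' : *in == '\r' ? 'r' : strchr("\\'\"", *in) ? *in : 0;
        if (n + (rep ? 2 : 1) >= outsz) return -1;
        if (rep) out[n++] = '\\';                 /* rep: letter after the backslash */
        out[n++] = rep ? rep : *in;
    }
    out[n] = '\0';
    return (int)n;
}
/* Names cannot be escaped like values: accept only [A-Za-z_][A-Za-z0-9_]*. */
static int valid_identifier(const char *s) {
    if (!isalpha((unsigned char)*s) && *s != '_') return 0;
    for (s++; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '_') return 0;
    return 1;
}
/* Expand a template into out (outsz > 0): '?' binds the next param as a quoted, escaped
 * value, '??' as a validated, backtick-quoted identifier; returns length or -1 on error. */
static int build_query(const char *tmpl, const char **params, size_t nparams,
                       char *out, size_t outsz) {
    size_t n = 0, p = 0;
    for (size_t i = 0; tmpl[i]; i++) {
        char esc[256]; int w;
        if (tmpl[i] != '?') {                             /* literal template text */
            w = snprintf(out + n, outsz - n, "%c", tmpl[i]);
        } else if (tmpl[i + 1] == '?') { i++;             /* "??": identifier slot */
            if (p >= nparams || !valid_identifier(params[p])) return -1;
            w = snprintf(out + n, outsz - n, "`%s`", params[p++]);
        } else {                                          /* "?": value slot */
            if (p >= nparams || escape_value(params[p++], esc, sizeof esc) < 0) return -1;
            w = snprintf(out + n, outsz - n, "'%s'", esc);
        }
        if (w < 0 || (size_t)w >= outsz - n) return -1;   /* truncated: reject */
        n += (size_t)w;
    }
    out[n] = '\0';                                        /* also covers an empty tmpl */
    return p == nparams ? (int)n : -1;                    /* unused params: reject */
}
/* Build tmpl with params and compare to expected; 1 if they match, else 0. */
static int query_equals(const char *tmpl, const char **params, size_t np, const char *expected) {
    char q[256];
    return build_query(tmpl, params, np, q, sizeof q) >= 0 && strcmp(q, expected) == 0;
}
```

Rejecting the whole query on a bad identifier, a parameter-count mismatch or an overflow, rather than truncating or binding what fits, is deliberate: a partially bound query is itself a bug.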

