On 19.11.2007, at 09:00, Stefan Esser wrote:

Wietse Venema wrote:
Stefan Esser:

2) Using mysql_real_escape_string() on user input does not make it safe
for SQL. It only makes SQL strings safe.
Example: "SELECT * FROM table WHERE id=".mysql_real_escape_string ($id)
is NOT secure but will result in no taint warning


Can you give a specific example? I'd like to know how likely such
things would be in real code.

I have to search for an example where mysql_real_escape_string is used
wrongly like this...

However, the "bigger" problem is that if the statement is like

"SELECT * FROM table WHERE id=$id"

which *IS* quite common in insecure code, your patch will give the
following warning: "contains data that is not converted with
mysql_real_escape_string()"

This gives the message to the uneducated user (and that is the one you
want to protect) to write something like this in his code:

"SELECT * FROM table WHERE id=".mysql_real_escape_string($id)

The PHP taint mode will stop crying and that teaches the developer the
WRONG message.

And just look into blogs... People even add user input into SQL comments
and wrongly use mysql_real_escape_string() there, which is complete
nonsense.

Actually, you are missing the connection object in that mysql_real_escape_string() call to make sure that the connection encoding is taken into account. I think it's very important that we make sure people do not forget this one, as it's a new addition. So the more examples we have showing the connection object as the 2nd parameter, the better.

regards,
Lukas

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
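Stefan's point, as an added example (not code from this thread or from PHP): `escape_like_mysql()` is a constructed stand-in that reproduces only the character mapping of mysql_real_escape_string(), `users` and the input are constructed, and sqlite3 stands in for MySQL so it runs offline. Escaping an input that contains no quote characters changes nothing, so splicing it into an unquoted numeric slot still alters the statement, while type validation or parameter binding does not.

```python
import sqlite3

# Constructed stand-in for PHP's mysql_real_escape_string(): it only
# backslash-escapes the characters MySQL treats specially inside a quoted
# string literal. The real function's connection-charset handling (the
# point raised about the connection parameter) is deliberately omitted.
_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
            "'": "\\'", '"': '\\"', "\x1a": "\\Z"}


def escape_like_mysql(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unquoted_query(user_id: str) -> str:
    # The pattern criticised in the thread: escaping applied to a value that
    # is spliced into the statement without surrounding quotes.
    return "SELECT * FROM users WHERE id=" + escape_like_mysql(user_id)


def validated_numeric_query(user_id: str) -> str:
    # Fix for a numeric slot: check the type, not the quoting. Anything that
    # is not an integer is rejected before it reaches the statement text.
    if not user_id.strip().lstrip("-").isdigit():
        raise ValueError("id must be an integer")
    return "SELECT * FROM users WHERE id=" + str(int(user_id))


def count_rows(db: sqlite3.Connection, sql: str, params=()) -> int:
    return len(db.execute(sql, params).fetchall())


def demo() -> tuple:
    # sqlite3 stands in for MySQL so the example runs offline.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(id INTEGER, name TEXT)")
    db.executemany("INSERT INTO users VALUES(?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    tainted = "1 OR 1=1"  # constructed input: contains no quote characters
    # Escaping leaves it untouched, so the unquoted query returns every row.
    unsafe_rows = count_rows(db, unquoted_query(tainted))
    # Hardened form: bind the value as a parameter; the driver never splices
    # it into the statement text, so it is compared as one opaque value.
    safe_rows = count_rows(db, "SELECT * FROM users WHERE id=?", (tainted,))
    return escape_like_mysql(tainted) == tainted, unsafe_rows, safe_rows
```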
