vrana Sun Feb 13 16:50:05 2005 EDT
Modified files:
/phpdoc/en/security database.xml
Log:
First SQL injection example is FUD (reported by Dr. Werner Popken)
http://cvs.php.net/diff.php/phpdoc/en/security/database.xml?r1=1.9&r2=1.10&ty=u
Index: phpdoc/en/security/database.xml
diff -u phpdoc/en/security/database.xml:1.9 phpdoc/en/security/database.xml:1.10
--- phpdoc/en/security/database.xml:1.9 Mon Nov 8 07:10:21 2004
+++ phpdoc/en/security/database.xml Sun Feb 13 16:50:05 2005
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="iso-8859-1"?>
-<!-- $Revision: 1.9 $ -->
+<!-- $Revision: 1.10 $ -->
<!-- splitted from ./index.xml, last change in rev 1.66 -->
<chapter id="security.database">
<title>Database Security</title>
@@ -158,56 +158,6 @@
combining it with static parameters to build a SQL query. The following
examples are based on true stories, unfortunately.
</simpara>
- <para>
- Owing to the lack of input validation and connecting to the database on
- behalf of a superuser or the one who can create users, the attacker
- may create a superuser in your database.
- <example>
- <title>
- Splitting the result set into pages ... and making superusers
- (PostgreSQL and MySQL)
- </title>
- <programlisting role="php">
-<![CDATA[
-<?php
-
-$offset = $argv[0]; // beware, no input validation!
-$query = "SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET
$offset;";
-// with PostgreSQL
-$result = pg_query($conn, $query);
-// with MySQL
-$result = mysql_query($query);
-
-?>
-]]>
- </programlisting>
- </example>
- Normal users click on the 'next', 'prev' links where the
<varname>$offset</varname>
- is encoded into the URL. The script expects that the incoming
- <varname>$offset</varname> is a decimal number. However, what if someone
tries to
- break in by appending a <function>urlencode</function>'d form of the
- following to the URL
- <informalexample>
- <programlisting role="sql">
-<![CDATA[
-// in case of PostgreSQL
-0;
-insert into pg_shadow(usename,usesysid,usesuper,usecatupd,passwd)
- select 'crack', usesysid, 't','t','crack'
- from pg_shadow where usename='postgres';
---
-
-// in case of MySQL
-0;
-UPDATE user SET Password=PASSWORD('crack') WHERE user='root';
-FLUSH PRIVILEGES;
-]]>
- </programlisting>
- </informalexample>
- If it happened, then the script would present a superuser access to him.
- Note that <literal>0;</literal> is to supply a valid offset to the
- original query and to terminate it.
- </para>
<note>
<para>
It is common technique to force the SQL parser to ignore the rest of the
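Review bot: Dropping the whole paragraph removes the chapter's worked stacked-statement example when only half of it was wrong; the MySQL variant (`0;` / `UPDATE user SET Password=PASSWORD('crack') WHERE user='root';` / `FLUSH PRIVILEGES;`) cannot work through `mysql_query()`, which executes a single statement per call, but the PostgreSQL variant is executable through `pg_query()`, which does accept several semicolon-separated statements, so a corrected PostgreSQL-only version of the example (with the MySQL lines deleted or replaced by a sentence saying why ext/mysql is not affected by this particular trick) would keep the illustration the following note about making the parser ignore the rest of the query builds on. Independently of that, `$offset = $argv[0]; // beware, no input validation!` contradicts the prose two paragraphs down, which says `$offset` "is encoded into the URL": `$argv[0]` is the script name on the command line, not request input, so if the example is restored the assignment should read from a request variable (for example `$_GET['offset']`) to match the text.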