vrana Sun Feb 13 16:50:05 2005 EDT
Modified files: /phpdoc/en/security database.xml Log: First SQL injection example is FUD (reported by Dr. Werner Popken) http://cvs.php.net/diff.php/phpdoc/en/security/database.xml?r1=1.9&r2=1.10&ty=u Index: phpdoc/en/security/database.xml diff -u phpdoc/en/security/database.xml:1.9 phpdoc/en/security/database.xml:1.10 --- phpdoc/en/security/database.xml:1.9 Mon Nov 8 07:10:21 2004 +++ phpdoc/en/security/database.xml Sun Feb 13 16:50:05 2005 @@ -1,5 +1,5 @@ <?xml version="1.0" encoding="iso-8859-1"?> -<!-- $Revision: 1.9 $ --> +<!-- $Revision: 1.10 $ --> <!-- splitted from ./index.xml, last change in rev 1.66 --> <chapter id="security.database"> <title>Database Security</title> 
@@ -158,56 +158,6 @@ combining it with static parameters to build a SQL query. The following examples are based on true stories, unfortunately. </simpara> - <para> - Owing to the lack of input validation and connecting to the database on - behalf of a superuser or the one who can create users, the attacker - may create a superuser in your database. - <example> - <title> - Splitting the result set into pages ... and making superusers - (PostgreSQL and MySQL) - </title> - <programlisting role="php"> -<![CDATA[ -<?php - -$offset = $argv[0]; // beware, no input validation! -$query = "SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;"; -// with PostgreSQL -$result = pg_query($conn, $query); -// with MySQL -$result = mysql_query($query); - -?> -]]> - </programlisting> - </example> - Normal users click on the 'next', 'prev' links where the <varname>$offset</varname> - is encoded into the URL. The script expects that the incoming - <varname>$offset</varname> is a decimal number. However, what if someone tries to - break in by appending a <function>urlencode</function>'d form of the - following to the URL - <informalexample> - <programlisting role="sql"> -<![CDATA[ -// in case of PostgreSQL -0; -insert into pg_shadow(usename,usesysid,usesuper,usecatupd,passwd) - select 'crack', usesysid, 't','t','crack' - from pg_shadow where usename='postgres'; --- - -// in case of MySQL -0; -UPDATE user SET Password=PASSWORD('crack') WHERE user='root'; -FLUSH PRIVILEGES; -]]> - </programlisting> - </informalexample> - If it happened, then the script would present a superuser access to him. - Note that <literal>0;</literal> is to supply a valid offset to the - original query and to terminate it. - </para> <note> <para> It is common technique to force the SQL parser to ignore the rest of the
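Review bot: the removal in the `@@ -158,56 +158,6 @@` hunk leaves the following `<note>` ("It is common technique to force the SQL parser to ignore the rest of the ...") without the example it was written against: the deleted PostgreSQL payload ending in `--` was the only code in this span that showed the comment-terminator technique, and after the hunk the `</simpara>` ending "based on true stories, unfortunately." runs straight into that note. Either move the `--` remark to whichever later example still uses it or reword the note so it does not assume the reader has just seen one. The log message also gives "FUD" as the sole reason; please record what was wrong so the history is useful, since the visible lines show two candidates: the prose says `$offset` "is encoded into the URL" while the code reads it from `$argv[0]`, and the MySQL payload stacks `0; UPDATE ...; FLUSH PRIVILEGES;` through a single `mysql_query()` call. The revision bump in the first hunk is consistent with the 50 lines removed here (`56` -> `6`).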