Conclusion

To conclude this chapter, I'd like to reiterate that you shouldn't underestimate SQL injection. It is dangerous regardless of which database is behind the application, be it Oracle or MySQL 3.x.

This vulnerability gives the attacker information about the internal structure of the database and the application, which is valuable in itself. In some cases, the attacker can go on to obtain full control over the server.

In my opinion, the mistakes that create SQL injection are the most frequent ones in Web applications, although programmers could avoid them by sticking to a few simple rules.

Rule 

If an SQL query uses numeric data received from a user, check that the data is actually numeric and cast it to the expected type before it reaches the query. A value such as 1 or 1=1 must either be rejected or be reduced to the number 1 by the cast; it must never be substituted into the query as received.

Example

 $a = (float)$_GET['a'];               // the cast discards anything that isn't a number
 $b = $_GET['b'];
 // reject $b unless it survives a round trip through (int) unchanged
 if ((string)(int)$b <> $b) die('invalid data');
 $q = mysql_query("select * from t1 where a=$a or b=$b");
Rule 

When you use string variables, or variables of the date or enumeration types, you must prevent the user from breaking out of the string literal. In other words, you have to escape apostrophes and quotation marks. In PHP, addslashes() escapes the apostrophe, the quotation mark, the backslash and the null character; mysql_escape_string() is preferable because it also escapes the other characters MySQL treats specially in a literal (newline, carriage return and Ctrl-Z), and mysql_real_escape_string() additionally respects the character set of the open connection, which matters for multibyte encodings.

Example

 $a = addslashes($_GET['a']);          // an apostrophe in the input becomes \' and stays inside the literal
 $q = mysql_query("select * from t1 where a='$a'");
Rule 

If the value of a received parameter is used in a regular expression or in a construction such as LIKE, escaping apostrophes and quotation marks is not enough. The user can embed characters that are special to regular expressions, or the percentage sign and underscore that act as wildcards in LIKE, and thereby change what the query matches without ever leaving the string literal. Either delete such characters before building the query, escape them, or document that they are intentionally allowed.

Note 

The mysql_escape_string() function escapes neither the percentage sign nor the underscore character; they are not special in an ordinary string literal, only inside a LIKE pattern, so you must handle them yourself.

Example

 $a = mysql_escape_string($_GET['a']);
 // escape the LIKE wildcards, which mysql_escape_string() leaves alone
 $a = str_replace('%', '\%', $a);
 $a = str_replace('_', '\_', $a);
 // accept the date only if it has the form YYYY-MM-DD, and rebuild it from the captured groups
 $rl = '';
 if (preg_match("/^(\d\d\d\d)-(\d\d)-(\d\d)$/", $_GET['d'], $r))
     $rl = "{$r[1]}-{$r[2]}-{$r[3]}";
 $q = mysql_query("select * from t1 where a like '%$a%' and date1='$rl'");

In other words, stick to the following general rule already familiar to you:

Note 

When data received from a user is used in an SQL query, it must fall into a strictly defined set of values. Derive that set from the task the query performs, and reject everything outside it rather than trying to enumerate what is dangerous.
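The following is an added example, not code from the book: the three rules above (numeric casting, escaping of string literals, escaping of LIKE wildcards together with a whitelisted date) implemented in Python and exercised against an in-memory SQLite table with constructed sample rows. The helper names and the table contents are my own. Two assumptions differ from the book's MySQL setting: SQLite follows standard SQL, so an apostrophe is escaped by doubling it rather than with a backslash, and SQLite needs an explicit ESCAPE clause to know which character escapes the LIKE wildcards, whereas MySQL defaults to the backslash.

```python
import re
import sqlite3


class InvalidData(ValueError):
    """Raised when a request parameter falls outside its allowed set."""


# Rule 1: numeric parameters. The book casts with (int)/(float) and rejects a
# value that does not round-trip; this version rejects anything that is not a
# plain number outright, so "20 or 1=1" never reaches the query.
def clean_int(value):
    if not re.fullmatch(r"-?[0-9]+", value):
        raise InvalidData(f"not an integer: {value!r}")
    return int(value)


def clean_float(value):
    if not re.fullmatch(r"-?[0-9]+(\.[0-9]+)?", value):
        raise InvalidData(f"not a number: {value!r}")
    return float(value)


# Rule 2: string parameters. The apostrophe is doubled (SQLite/standard SQL
# quoting; MySQL's addslashes() would prefix a backslash instead) and a NUL
# byte is refused, so the value cannot close the literal it is placed in.
def escape_string(value):
    if "\x00" in value:
        raise InvalidData("NUL byte in string")
    return value.replace("'", "''")


# Rule 3: LIKE patterns. Quote escaping alone leaves % and _ as wildcards, so
# they (and the escape character itself) are escaped as well; the query must
# declare the backslash as its ESCAPE character for SQLite to honour this.
def escape_like(value):
    value = escape_string(value)
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


# Rule 3 (dates): accept only YYYY-MM-DD and rebuild the value from the
# captured groups, mirroring the book's preg_match() example.
def clean_date(value):
    m = re.fullmatch(r"([0-9]{4})-([0-9]{2})-([0-9]{2})", value)
    if not m:
        raise InvalidData(f"not a date: {value!r}")
    return "{}-{}-{}".format(*m.groups())


def make_db():
    """Constructed sample table for the demo; not data from the book."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table t1 (a real, b integer, name text, date1 text)")
    conn.executemany("insert into t1 values (?, ?, ?, ?)", [
        (1.5, 10, "alice", "2005-01-31"),
        (2.5, 20, "bob_smith", "2005-02-28"),
        (3.5, 30, "carol%", "2005-03-31"),
    ])
    return conn


def find_by_number(conn, a, b):
    """Rule 1 applied to the book's first example query."""
    sql = f"select name from t1 where a={clean_float(a)} or b={clean_int(b)}"
    return [row[0] for row in conn.execute(sql)]


def find_by_name(conn, name):
    """Rule 2 applied to the book's second example query."""
    sql = f"select name from t1 where name='{escape_string(name)}'"
    return [row[0] for row in conn.execute(sql)]


def find_like_on_date(conn, fragment, date):
    """Rule 3: LIKE with escaped wildcards plus a whitelisted date."""
    sql = ("select name from t1 where name like '%{}%' escape '\\' "
           "and date1='{}'").format(escape_like(fragment), clean_date(date))
    return [row[0] for row in conn.execute(sql)]


def unsafe_like(conn, fragment):
    """Deliberately unhardened LIKE, kept only to show what a bare _ matches."""
    sql = f"select name from t1 where name like '%{fragment}%'"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    conn = make_db()
    print(find_by_number(conn, "1.5", "20"))           # ['alice', 'bob_smith']
    print(unsafe_like(conn, "_"))                       # all three rows: _ matches any character
    print(find_like_on_date(conn, "_", "2005-02-28"))   # ['bob_smith'] only
    print(find_by_name(conn, "' or '1'='1"))            # [] : the quote stays inside the literal
    try:
        find_by_number(conn, "1.5", "20 or 1=1")
    except InvalidData as exc:
        print("rejected:", exc)
```

The escaping shown here is what the book's rules call for and it is enough for these queries, but escaping is easy to get subtly wrong (the wrong escape character for the database, a character set the escaping routine does not know about); when the database driver offers parameterized queries, such as sqlite3's `?` placeholders used in make_db() above, they remove the string-building step entirely and are the safer default.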



Hacker Web Exploitation Uncovered
ISBN: 1931769494
Year: 2005
Pages: 77
