This is what we call a BUG....

Report it on http://bugs.php.net 

thx

> -----Original Message-----
> From: * R&zE: [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 08, 2002 1:44 PM
> To: PHP General Mailinglist
> Subject: [PHP] ODBC_EXECUTE has a DANGEROUS 'feature'!!!
> 
> 
> Hi folks,
> 
> I don't know if everyone ever knew this, but I haven't been able to
> find anything about this, anywhere...
> 
> odbc_execute has a very dangerous 'feature'. I would like to call it
> a bug, but because someone has implemented it on purpose I should
> call it a feature...
> 
> odbc_execute takes two arguments; the odbc result-ID, and
> an array containing the parameters for this statement. So far so
> good. Works perfectly. In the parameters you can put any data. Any
> data! So you can enter characters like e.g. &, *, %... you name it.
> You can also enter single quotes ('). Nice. Noop... not nice. If you
> put a single quote at the start of the parameter and at the end PHP
> does something very scary... it reads the _file_(!) and stores it in
> the database. So if you would have a parameter:
> 
>       'myname'
> 
> you would get an error telling you that the file "myname" couldn't
> be opened. But... if you use this parameter:
> 
>       '/etc/passwd'
> 
> No problem! The contents of your password file are stored in the
> database. Any file readable for your webserver can be 'used' this
> way. Any file!
> 
> So, imagine you have some site containing a textarea input in the
> form, some user can easily type:
> 
>       '/etc/passwd'
> 
> and then submit the form. When you also have the possibility on this
> site for the user to take a look at the data he entered (and this is
> a very common feature), he gets to see the contents of your password
> file. And he can do this with any file(!!!!). As long as it's
> readable for the webserver, users can very easily get the contents
> of the file!
> 
> And... is it documented? NO!!!! Nowhere. Not the mailing lists, not
> the documentation, not the bug report, not even in the sources
> themselves. It's just there!
> 
> Some security huh?!
> 
> -- 
> 
> * R&zE:
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
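A defensive wrapper for the behaviour described in the quoted post, added here as an example that is not part of the original thread or of PHP itself. It assumes the trigger condition is exactly what the post states (a parameter value that starts and ends with a single quote); the helper names `is_file_trigger` and `guarded_odbc_execute` are hypothetical.

```php
<?php
// Added example, not code from the original post: a guard around
// odbc_execute() that refuses any string parameter which begins and ends
// with a single quote, because the post reports that such values are read
// as a file name rather than stored as literal data.
// Names below (is_file_trigger, guarded_odbc_execute) are hypothetical.

function is_file_trigger(string $value): bool
{
    // Trigger condition as stated in the post: first and last character
    // are both "'". A length check keeps a lone "'" from matching both ends;
    // the empty wrapper "''" is rejected conservatively.
    return strlen($value) >= 2
        && $value[0] === "'"
        && substr($value, -1) === "'";
}

function guarded_odbc_execute($stmt, array $params): bool
{
    foreach ($params as $i => $value) {
        // Integers and floats cannot carry the quote pattern; only strings
        // need inspection.
        if (!is_string($value)) {
            continue;
        }
        if (is_file_trigger($value)) {
            // Refuse rather than silently rewrite user data, and log the
            // event so repeated attempts are visible in the server log.
            error_log(sprintf(
                "odbc_execute guard: rejected parameter %d (quote-wrapped value, length %d)",
                $i,
                strlen($value)
            ));
            throw new InvalidArgumentException(
                "parameter $i would be interpreted by odbc_execute as a file name"
            );
        }
    }
    return odbc_execute($stmt, $params);
}

// Usage, assuming $conn is an already opened ODBC connection (assumption):
// $stmt = odbc_prepare($conn, "INSERT INTO notes (body) VALUES (?)");
// guarded_odbc_execute($stmt, [$_POST['body']]);
```

The wrapper only blocks the pattern the post describes; it is not a substitute for validating the rest of the input for the column it is written to.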

