On Fri, 2002-02-08 at 04:43, * R&zE: wrote:
> Hi folks,
> 
> I don't know if everyone ever knew this, but I haven't been able to
> find anything about this, anywhere...
> 
> odbc_execute has a very dangerous 'feature'. I would like to call it
> a bug, but because someone has implemented it on purpose I should call
> it a feature...
> 
> odbc_execute takes two arguments; the odbc result-ID, and
> an array containing the parameters for this statement. So far so
> good. Works perfectly. In the parameters you can put any data. Any
> data! So you can enter characters like eg. &, *, %... you name it.
> You can also enter single quotes ('). Nice. Noop... not nice. If you
> put a single quote at the start of the parameter and at the end PHP
> does something very scary... it reads the _file_(!) and stores it in
> the database. So if you would have a parameter:
> 
>       'myname'
> 
> you would get an error telling you that the file "myname" couldn't
> be opened. But... if you use this parameter:
> 
>       '/etc/passwd'
> 
> No problem! The contents of your password file are stored in the
> database. Any file readable by your webserver can be 'used' this
> way. Any file!
> 
> So, imagine you have some site containing a textarea input in the
> form, some user can easily type:
> 
>       '/etc/passwd'
> 
> and then submit the form. When you also have the possibility on this
> site for the user to take a look at the data he entered (and this is
> a very common feature), he gets to see the contents of your password
> file. And he can do this with any file(!!!!). As long as it's
> readable for the webserver, users can very easily get the contents
> of the file!

*Always* validate your data. If you validate your data and never trust
anything which comes from the client side of the connection, your
problem goes away. I mean, you wouldn't pass user data to exec()
or fopen() without some serious checking, would you? ;)

Sure, PHP could try to prevent every possible problem from cropping up,
but that would make the language pretty useless. It's up to the coder
to not program security flaws.


-- 
 Torben Wilson <[EMAIL PROTECTED]>
 http://www.thebuttlesschaps.com
 http://www.hybrid17.com
 http://www.inflatableeye.com
 +1.604.709.0506


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
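The validation Torben asks for, written out as an added example (it is not code from either poster). It implements the check the thread implies: a parameter that both starts and ends with a single quote is the form odbc_execute() treats as a file name, so the wrapper refuses such values before they reach odbc_execute(). The function names `odbc_param_is_file_reference` and `odbc_execute_guarded` are this example's own, and the minimum length of two characters for the quoted form is an assumption about odbc_execute()'s matching rule, chosen so that a lone quote character is still accepted as ordinary data.

```php
<?php
// Added example, not from the original thread: a guard in front of
// odbc_execute() that refuses parameters odbc_execute() would read as
// file names (a value that starts and ends with a single quote).

/**
 * Return true when $value has the quoted form that odbc_execute()
 * interprets as the name of a file to read and send to the database.
 * Assumption: the quoted form needs at least two characters, so a lone
 * "'" is treated as ordinary data.
 */
function odbc_param_is_file_reference($value): bool
{
    if (!is_string($value)) {
        return false;
    }
    return strlen($value) >= 2
        && $value[0] === "'"
        && substr($value, -1) === "'";
}

/**
 * Validate every parameter, then run the prepared statement.
 * Non-scalar values and quoted values are rejected with an exception
 * instead of being passed through; legitimate data is never rewritten.
 */
function odbc_execute_guarded($stmt, array $params): bool
{
    foreach ($params as $i => $value) {
        if ($value !== null && !is_scalar($value)) {
            throw new InvalidArgumentException("Parameter $i is not scalar");
        }
        if (odbc_param_is_file_reference($value)) {
            throw new InvalidArgumentException(
                "Parameter $i starts and ends with a single quote; "
                . "odbc_execute() would read it as a file name"
            );
        }
    }
    return odbc_execute($stmt, $params);
}

// Constructed inputs exercising the check; no ODBC connection is needed
// for this part, so it can be run from the CLI as-is.
$cases = [
    "O'Brien"       => false,  // embedded quote: normal data
    "plain text"    => false,
    "'"             => false,  // single character, not the quoted form
    "''"            => true,   // empty quoted token: would be a file name
    "'myname'"      => true,   // the thread's first example
];
foreach ($cases as $input => $expected) {
    $got = odbc_param_is_file_reference($input);
    printf("%-14s -> %s\n", var_export($input, true),
        $got === $expected ? 'ok' : 'MISMATCH');
}
```

The guard rejects rather than rewrites, so a user who legitimately types a quoted value gets a validation error the application can report, and stored data is never silently altered. A stored value being displayed back to the user (the "view what you entered" feature the first poster mentions) is exactly where an unchecked file read would surface, which is why the check belongs in front of odbc_execute() rather than at display time.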
