I just picked up this thread, so excuse me if I'm repeating or have totally missed the point.

Another concern I picked up from a PHP security book is using '--' - which simply comments out the remainder of the line (with MySQL anyway). Therefore if your SQL is

    SELECT * FROM table WHERE user = '$user' AND pass = '$pass'

a malicious visitor could enter a valid username followed by '-- which may allow them entry to that person's account by creating the following:

    SELECT * FROM table WHERE user = 'valid_user'--' AND pass = '$pass'

Obviously restricting/validating form input entry would avoid this issue.

HTH,
Kevin

-----Original Message-----
From: tedd [mailto:tedd@xxxxxxxxxxxx]
Sent: 17 March 2006 14:49
To: php-general@xxxxxxxxxxxxx; Rafael
Subject: Re: Re: setcookie security concerns [medium]

Rafael wrote:
> A typical example would be a login script that uses the data
> as it arrives, for example:
>   $login = $_POST['login'];
>   $passw = $_POST['passw'];
>   $sql = "SELECT * FROM user\n"
>        ."WHERE( login = '$login' AND passw = '$passw' )";
>
> In this case, what happens if I send something like
>   login: ' OR '1'='1' OR '0
>   passw: doesnt care
> ? (I avoided the ' in the passw, just in case)
> Well, we'll end up with an SQL similar to this
>   SELECT * FROM user
>   WHERE( login = '' OR '1'='1' OR '0' AND passw = 'doesnt care' )
> and because of the priority of the AND / OR, we would have 3
> separate conditions each enough to validate the user, as '1'='1' is
> true, then we have a validated user.

At first, your description confused me, but now I understand. You simply want to keep a user out of your code. In other words, if you don't validate the input, then a user can alter your code by injecting additional code into your query to bypass your authorization protocol -- very clever. Thanks for the lesson.
tedd
--
----------------------------------------------------------------------------
----
http://sperling.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
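The two inputs discussed in this thread, run against the concatenated login query and against a parameterized version of it. This is an added example, not code from the thread or the list; it assumes PHP with the pdo_sqlite extension and uses a constructed in-memory table in place of the MySQL one.

```php
<?php
// Added example, not from the thread. Uses an in-memory SQLite database via
// PDO (assumes the pdo_sqlite extension) so it runs with no MySQL server.
// The user table and its rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user (login TEXT, passw TEXT)");
$db->exec("INSERT INTO user VALUES ('valid_user', 'secret'), ('bob', 'hunter2')");

// Vulnerable: input is pasted into the SQL text, so quotes and comment
// markers in it are parsed as SQL (this is the query shape from the thread).
function loginConcat(PDO $db, string $login, string $passw): array
{
    $sql = "SELECT * FROM user WHERE login = '$login' AND passw = '$passw'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is fixed and the values travel as bound parameters,
// so whatever they contain is compared as data, never parsed as SQL.
function loginPrepared(PDO $db, string $login, string $passw): array
{
    $stmt = $db->prepare("SELECT * FROM user WHERE login = :login AND passw = :passw");
    $stmt->execute([':login' => $login, ':passw' => $passw]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The inputs quoted in the thread, run through both functions.
$attempts = [
    ['valid_user', 'secret'],              // real credentials
    ["' OR '1'='1' OR '0", 'doesnt care'], // Rafael's OR input
    ["valid_user'--", 'wrong'],            // Kevin's comment-out input
];
foreach ($attempts as [$login, $passw]) {
    try {
        $concat = count(loginConcat($db, $login, $passw));
    } catch (PDOException $e) {
        $concat = 'error: ' . $e->getMessage();   // broken SQL is itself a tell
    }
    $prepared = count(loginPrepared($db, $login, $passw));
    printf("%-22s concatenated: %s row(s)   prepared: %d row(s)\n",
           $login, $concat, $prepared);
}
```

Run it with the php command-line binary; the concatenated query returns rows for all three attempts, while the prepared one matches only the real credentials.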