Security/Development Question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi folks,

 

This isn't really a PHP question per se, but could apply to any
language...

 

I have a public facing web server, which we have a software component
that helps protect us from SQL Injection, and the like.

 

We recently have added a very small web application that is vendor
supported. They said it's not working, so I investigated. I found that
our software protection was blocking their pages because they are
actually passing entire SQL queries in their form POSTs. Now, the app is
SSL protected, and they claim the queries are not executed - only
inserted into the database to be used later. They also said it's
protected by the ASP.NET framework authentication....not sure about any
of that.

 

My concern is passing SQL queries in this way is not best practice - am
I wrong? Please let me know how you would react to this?

 

See below for the stuff they are passing in the POST (obvious things
like table names have been changed):

 

/wEWBQLciq6UBwLEhISFCwLa2223bD3wK3+56LBAKc37iSDEsHMFjpB6o1vHld19wT+Tt3sY
8E&CRITICAL_RESULT&on&Declare @critical varchar (40)

set @critical = (select top 1 code from table where id = 'clr7' and
thename = 'critical')

 

sELECT 

 OPR_SECD.REC USER_REC_NO,

 RESULT.*, 

 (SELECT RESULT_DESC FROM table WHERE code = RESULT.RES_MSTR_CODE)
[DESC], 

 [ORDER].*, 

 (SELECT VALUE FROM table WHERE this_CODE = 'Email' AND USER_REC =
OPR_SECD.RECNUM) MBMD_EMAIL, 

 OPR_SECD.OPR_INITIAL 

 FROM RESULTING LEFT JOIN [ORDER] ON RESULTING.ORDER_REC =
[ORDERBY].RECNUM 

 LEFT JOIN OPR_SECD ON [ORDER].DR_CODE = OPR_SECD.XREF_CODE 

 where (RESULT.FLAG_TEXT) = @critical  AND RESULT.REC = @ID&Save


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux