Re: Re: sql injection protection

You don't need to store it in the database as b64, just undo the
encoding into your inputs

For the purpose of the explanation, this is language independent.

b64e - encoding function
b64d - decoding function


pseudo code:

given:
bad_num = ') union select * from foo --'
bad_str = ""
good_num = 123456
good_str = "some searchable text"

the b64 way:
bad_num=b64e(bad_num)
...
good_str=b64e(good_str)


inserts:
query("insert into foo (num, str) values (b64d(\""+bad_num+"\"),
b64d(\""+bad_str+"\"))");
query("insert into foo (num, str) values (b64d(\""+good_num+"\"),
b64d(\""+good_str+"\"))");

Can you see that this will safely insert clear text into the database?
This is because when you convert anything from b64, it will return
from the function as a string and will not be executed as code...


Now let's try a search:
bad_num= '1 or 2 not like 5'
bad_str = "' or \"40oz\" like \"40oz\""

again we:
bad_num=b64e(bad_num)
bad_str=b64e(bad_str)

then we can do a full text search:
query("select * from foo where match(str) against(b64d(\""+bad_str+"\"))")
or even a number search
query("select * from foo where num=b64d(\""+bad_num+"\")")

again this is possible because no matter what you put in bad_num, after
b64e it will never look like code, it just looks like junk, until b64d
converts it to a string (which by definition can not be executed)

make sense now?


By check I mean, run utf8_decode for example...


Problem is that I can tell you how to write the most secure code, but
if it's hard, or worse yet creates more problems than it solves
(seemingly), nobody other than a few individuals with some passion for
security will ever find the code useful. We need to fix this on the
language level, then we can go around and tell programmers how to do
it right. I mean, imagine telling a programmer that something that
takes them 2 lines of code now can be done much more securely in 5-7,
and it creates code that doesn't read linearly... Most programmers
will just ignore you. I want to say, "hey programmer, what you do in 2
lines of code, you can do in 1 and make it impossible to inject into",
then people will listen, maybe... This is where inline string
interpolation syntax comes in, but it is not implemented in any
programming language, sadly actually. This is what I want to talk to
Rasmus about.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
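The b64e/b64d pseudo code above, made concrete as an added example (not code from the post or from PHP itself): it runs the post's inserts and number search against an in-memory SQLite database, with the inputs the post uses. Assumptions: SQLite has no b64d, so a Python function is registered under that name; SQLite string literals use single quotes where the post used escaped double quotes; and a check that the encoded text really is pure base64 is added, since that is the property the whole argument depends on.

```python
import base64
import re
import sqlite3

B64_ALPHABET = re.compile(r"[A-Za-z0-9+/=]*")

def b64e(value) -> str:
    """The post's encoding function: any input (number or text) becomes base64."""
    return base64.b64encode(str(value).encode("utf-8")).decode("ascii")

def b64d(encoded: str) -> str:
    """The post's decoding function; registered below as a SQL function."""
    return base64.b64decode(encoded).decode("utf-8")

def b64_literal(value) -> str:
    """Build the b64d('...') fragment. The argument rests on the encoded text
    holding only base64 characters, so check that before concatenating."""
    encoded = b64e(value)
    if not B64_ALPHABET.fullmatch(encoded):
        raise ValueError("encoder produced a non-base64 character")
    return "b64d('" + encoded + "')"  # SQLite string literals take single quotes

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.create_function("b64d", 1, b64d)  # SQLite has no b64d; supply one (assumed)
    conn.execute("create table foo (num, str)")
    return conn

def insert_row(conn, num, text) -> None:
    # Same shape as the post's insert: the *encoded* values are concatenated
    # into the SQL text, and b64d() turns them back into plain data in the DB.
    conn.execute("insert into foo (num, str) values ("
                 + b64_literal(num) + ", " + b64_literal(text) + ")")

def search_num(conn, num) -> list:
    return conn.execute("select num, str from foo where num = "
                        + b64_literal(num)).fetchall()

def demo() -> dict:
    conn = open_db()
    insert_row(conn, "') union select * from foo --", "")  # the post's bad inputs
    insert_row(conn, 123456, "some searchable text")       # the post's good inputs
    return {
        "rows": conn.execute("select num, str from foo order by rowid").fetchall(),
        "bad_search": search_num(conn, "1 or 2 not like 5"),  # compared as text, no hit
        "good_search": search_num(conn, 123456),
    }
```

Note that b64d returns text, so `num` is stored and compared as a string here; a real schema would cast it, and a bound parameter in a prepared statement achieves the same separation of code and data without the encode/decode round trip.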


