Good evening list:

Some time ago, one of the sites I was working for suffered a DDoS attack which involved bound parameters and MySQL. The code to reproduce can be as simple as:

$stmt = $mysqli->prepare("SELECT * FROM t1 WHERE id = ?");
$value = 'SLEEP(1)';            // bind_param() takes its arguments by reference, so the value needs a variable
$stmt->bind_param('s', $value);
$stmt->execute();

Logically (according to my logic, which isn't always the right logic), the final query should be:

SELECT * FROM t1 WHERE id = 'SLEEP(1)'

However, in some part of the database layer, the query gets rewritten to this instead:

SELECT * FROM t1 WHERE id = SLEEP(1)

Which results in the query pausing one second for the size of the result set or the cardinality of the index, so LIMITing doesn't matter.

So... my questions are:

1- Why? Bound params are supposed to translate user input into safe database statements. I know that isn't a guarantee that it will stop 100% of all evilness out there, but to me, this is and should be considered a string, not a proper function.

2- Where does this happen? I have tested RedBean PHP (which uses PDO) and the mysqli connector; it is reproducible on both, so is this MySQL's behavior?

3- Do you know of any other sensitive function that can produce a security breach/performance degradation? I'm talking about maybe USLEEP() or some intense PI calculation (something along the lines of SELECT PI(123123123123); where 123123123123 is the number of PI digits we want to have).

Greetings.

Kind regards,
Camilo Sperberg
----------------
W: http://unreal4u.com
T: http://twitter.com/unreal4u

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
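A way to settle question 2 for a given driver is to register a SLEEP() function that records its calls and then run the same user input through three paths: a bound parameter, a client-side quoted literal (what a driver that emulates prepares produces), and plain string interpolation (the injection case). Whichever path invokes the function is the one evaluating user input as SQL. The script below is an added example, not code from the post or from the PHP/MySQL projects; it uses Python's sqlite3 module as a stand-in for MySQL so it runs offline, and since SQLite has no SLEEP(), a user-defined SLEEP() that only counts calls is registered in its place (an assumption for this demonstration). The table t1 and its rows are constructed here.

```python
"""Probe whether user input reaches the database as a literal or as an expression.

Added example (not from the mailing-list post). sqlite3 stands in for MySQL;
the SLEEP() function is a fake that counts invocations instead of pausing.
"""
import sqlite3


def make_db():
    """Constructed sample table: five rows with integer ids 1..5."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t1 (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO t1 VALUES (?, ?)", [(i, f"row{i}") for i in range(1, 6)]
    )
    return conn


def run_with_probe(conn, sql, params=()):
    """Run sql with params and return (rows_returned, sleep_calls).

    A fresh fake SLEEP() is registered for each run so the call count
    belongs to this statement only. Like MySQL's SLEEP(), it returns 0.
    """
    calls = []

    def fake_sleep(seconds):
        calls.append(seconds)
        return 0

    conn.create_function("SLEEP", 1, fake_sleep)
    rows = conn.execute(sql, params).fetchall()
    return len(rows), len(calls)


def bound_query(conn, user_input):
    """Parameter binding: the value travels separately from the SQL text."""
    return run_with_probe(conn, "SELECT * FROM t1 WHERE id = ?", (user_input,))


def quoted_literal_query(conn, user_input):
    """Client-side quoting, as a driver emulating prepares would do it.

    Single quotes are doubled; this is the SQL-standard escape and an
    approximation of what such drivers emit, assumed here for illustration.
    """
    literal = "'" + str(user_input).replace("'", "''") + "'"
    return run_with_probe(conn, f"SELECT * FROM t1 WHERE id = {literal}")


def interpolated_query(conn, user_input):
    """String interpolation: the value becomes part of the SQL text itself."""
    return run_with_probe(conn, f"SELECT * FROM t1 WHERE id = {user_input}")


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("bound", bound_query),
                      ("quoted literal", quoted_literal_query),
                      ("interpolated", interpolated_query)):
        rows, calls = fn(db, "SLEEP(1)")
        print(f"{label:15s} rows={rows} SLEEP() evaluated {calls} time(s)")
```

Only the interpolated path evaluates SLEEP(); the bound and quoted paths compare id against the string 'SLEEP(1)' and match nothing. To run the same check against MySQL, use the real SLEEP() with a small argument, time the statement, and with PDO set PDO::ATTR_EMULATE_PREPARES to false so the statement is prepared on the server; with native prepares the general query log shows the parameter values as the server substituted them. One MySQL-specific caveat: comparing an INT column with a non-numeric string casts the string to 0 (with a warning), so the bound version of this query matches rows whose id is 0 rather than none.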