[Phpwm] site critique please

David Goodwin david at codepoets.co.uk
Tue Jan 16 17:46:28 GMT 2007


> Hi David,
> 
> How?
> All that's making it do is throw a MySQL error and immediately exit;
> 
> $result1 = mysql_query("SELECT * FROM page_content WHERE id = '$ident';");
> if(!$result1){echo("<p>Error performing query: " . mysql_error() . "</p>");
> exit();}
> 
> There's a couple of variables that come from the siteconfig, but these would
> overwrite anything injected due to when they are read in.

Hi,

Right, I'm no elite security expert, however as far as I understand it, 
it is a big no-no: never, ever, ever include variables from any user-
supplied input directly in an SQL statement.

For instance (and not being able to read your code, I may be wrong) you 
could have something like:


$ident = $_GET['ident'];
$result1 = mysql_query("SELECT * FROM page_content WHERE id = '$ident';");
// etc.

In this case, anything I put into ident= on the URL will be passed to 
MySQL. I could therefore do something like :

http://foo.bar/whatever.php?ident=12';DROP DATABASE;'

That would then get executed as 'DROP DATABASE' within MySQL... hence 
it's a problem.

You MUST either :

1) Use prepared statements (either via PEAR::DB, PEAR::MDB2 or mysqli)
or
2) Run mysql_escape_string() ON ALL user supplied input.
or
3) Use a higher level framework (e.g. Propel) that does 
escaping/sanitisation for you.


There are far more (and better) examples of SQL injection; as a start 
try reading this article from LWN:

http://lwn.net/Articles/177037/


Thanks
David.

-- 
David Goodwin

[ david at codepoets dot co dot uk ]
[ http://www.codepoets.co.uk       ]
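A hardened version of the page lookup quoted above, written as an added example (not code from this thread), using option 1 from the list: an mysqli prepared statement, so $ident is sent as a bound parameter and never spliced into the SQL text. The `title` and `body` columns of page_content and the connection details are assumed placeholders.

```php
<?php
// Added example, not the original poster's code. Replaces the quoted
//   mysql_query("SELECT * FROM page_content WHERE id = '$ident';")
// with a prepared statement: the SQL text is fixed at prepare() time and
// the user-supplied value is bound afterwards, so it can only ever be data.
// Assumed: page_content has `id`, `title` and `body` columns (placeholders).

function fetch_page(mysqli $db, $ident) {
    // Page ids are integers; refuse anything else before it reaches MySQL.
    if (!ctype_digit((string)$ident)) {
        return null;
    }
    $stmt = $db->prepare("SELECT id, title, body FROM page_content WHERE id = ?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    $id = (int)$ident;
    $stmt->bind_param("i", $id);          // "i": bind the value as an integer
    $stmt->execute();
    $stmt->bind_result($id, $title, $body);
    $row = $stmt->fetch()
        ? ['id' => $id, 'title' => $title, 'body' => $body]
        : null;
    $stmt->close();
    return $row;
}

// Placeholder connection details; the real siteconfig values go here.
$db = new mysqli("localhost", "DB_USER", "DB_PASSWORD", "DB_NAME");
if ($db->connect_errno) {
    die("<p>Connection failed: " . htmlspecialchars($db->connect_error) . "</p>");
}

$ident = isset($_GET['ident']) ? $_GET['ident'] : '';
$page = fetch_page($db, $ident);
if ($page === null) {
    echo "<p>No such page.</p>";
} else {
    // Escape on output as well, so stored content cannot inject HTML into the page.
    echo "<h1>" . htmlspecialchars($page['title']) . "</h1>";
    echo "<div>" . htmlspecialchars($page['body']) . "</div>";
}
```

With this shape the ident=12';DROP DATABASE;' value from the thread is simply rejected by the integer check, and even a value that passed the check could only ever be compared against `id`, never executed.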


