Re: SQL injection

On 03.11.2005 16:15, Alex Turner wrote:
> Please, enlighten us all and demostrate a case of SQL Injection that
> gets around magic quotes.

Just someone needs to forget to put quotes around a param..

$q = "DELETE FROM foo WHERE bar = {$_GET['id']};";

instead of

$q = "DELETE FROM foo WHERE bar = '{$_GET['id']}';";

It deadly, with or without magic_quotes. pg_query_params() prevents such
situations. Besides some encoding tricks to encode single quotes
(%2527).. mb_string, mod_rewrite there are many things that /can/
prevent MQ from working as expected, search google. And even if MQ does
what it should, errors like the above are very common. Oh, and why MQ is
evil, really not all data passed to a PHP script is meant to be used as
query params, and if so, create a recursive version of array_map() and
use that with pg_escape_string as callback.


--
Regards,
Hannes Dorbath