Let's say I have a $_GET variable with the name "id". The $_GET variable is then used in a mysql query to retrieve some data like SELECT text FROM database WHERE id=$_GET['id'];
Would null byte injection in my $_GET variable affect me assuming I'm using common security functions like mysql_real_escape_string(), addslashes(), and strip_tags()?
Answer
Would null byte injection in my $_GET variable affect me assuming I'm using common security functions like mysql_real_escape_string(), addslashes(), and strip_tags()?
Probably not, but a much more simple injection would affect you. Try passing this as the GET parameter:
99999 OR id=0
and run it through the query you show above. It will allow injection of arbitrary SQL even when using mysql_real_escape_string.
Contrary to popular belief, mysql_real_escape_string() will not protect you if your value is not enclosed in quotes.
If querying for numeric values, either test whether it's a number before inserting the value into the string, or put the value into quotes:
$id = mysql_real_escape_string($_GET["id"]);
$query = "SELECT text FROM database WHERE id='$id'";
addslashes and strip_tags have no value at all in this context. They only serve to break data, but they add no security when inserting stuff in a database. Just get rid of them. (strip_tags may be appropriate later when you output something on an HTML page.)
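The answer's point, as an added example that is not part of the original post: the value passes through escaping unchanged, is parsed as SQL when interpolated without quotes, and is stopped by a numeric check. It goes one step beyond the answer by also showing a bound parameter. Assumptions: escape_like_mysql() is a hypothetical stand-in for mysql_real_escape_string() (which needs a live MySQL connection), and the in-memory SQLite table articles and its rows are constructed; the pdo_sqlite extension must be enabled.

```php
<?php
// Added example. escape_like_mysql(), parse_id(), the articles table and its rows
// are constructed for illustration and are not from the original post.

// Stand-in that backslash-escapes the same characters mysql_real_escape_string()
// does (NUL, \n, \r, \, ', ", Ctrl-Z), so the demo runs without a MySQL server.
function escape_like_mysql(string $s): string {
    return strtr($s, ["\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
                      "'" => "\\'", '"' => '\\"', "\x1a" => "\\Z"]);
}

// Accept only a decimal integer; anything else yields null.
function parse_id(string $raw): ?int {
    $id = filter_var($raw, FILTER_VALIDATE_INT);
    return $id === false ? null : $id;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE articles (id INTEGER PRIMARY KEY, text TEXT)");
$db->exec("INSERT INTO articles VALUES (0, 'row the caller never asked for'), (7, 'public row')");

$raw = "99999 OR id=0";   // the value from the answer, as it would arrive in $_GET['id']

// 1. The value contains no character the escaper touches, so it is unchanged.
$escaped = escape_like_mysql($raw);
var_dump($escaped === $raw);

// 2. Unquoted interpolation: the input is parsed as SQL and row 0 is returned.
$rows = $db->query("SELECT text FROM articles WHERE id=$escaped")
           ->fetchAll(PDO::FETCH_COLUMN);
print_r($rows);

// 3. Numeric check before building the query: the value is rejected, "7" is accepted.
var_dump(parse_id($raw));
var_dump(parse_id("7"));

// 4. Bound parameter: the whole string is compared as a single value, never parsed
//    as SQL, so no row matches.
$stmt = $db->prepare("SELECT text FROM articles WHERE id = ?");
$stmt->execute([$raw]);
print_r($stmt->fetchAll(PDO::FETCH_COLUMN));
```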