Thursday, November 22, 2018

php - need assistance with sql injection

First, I'm not trying to hack or do anything illegal. Thought I'd let you guys know. I have a client that wants me to do some modifications on his system. When I was looking at it, I noticed that NOTHING was escaped. I'm not joking, nothing is being escaped. I explained to him that it's insecure to have a system like that. He then proceeded to tell me that he's had his system like this for a few years and nothing has happened. I need to show him that his system is not safe, but I really don't know how to perform an SQL injection. Here are a few queries that use $_GET and are not escaped.


SELECT *,DATE_FORMAT(joined,'%M %d, %Y') as \"Joined\" FROM `members` WHERE `name` LIKE '".$ltr."%' ORDER BY points DESC LIMIT $page,50

Here's another one:


SELECT * FROM groups WHERE id=$thisladder[grid]

The only thing that I see that "might" clean the $_GET is this function:


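    // Runs only when register_globals is off: imports every key of the
    // request/session arrays into the current scope as a plain variable.
    if (!ini_get('register_globals')) {
        $superglobals = array($_SERVER, $_ENV,
            $_FILES, $_COOKIE, $_POST, $_GET);
        if (isset($_SESSION)) {
            array_unshift($superglobals, $_SESSION);
        }
        foreach ($superglobals as $superglobal) {
            // EXTR_SKIP: do not overwrite a variable that already exists
            extract($superglobal, EXTR_SKIP);
        }
    }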

It's possible that the function above may be sanitizing the variables. And yes, the system also uses register globals, which is also bad.


I also made a backup, just in case.
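
The two queries from the post rewritten with bound parameters, as an added example that is not part of the original post or the client's code. It assumes PDO is available; the function names, the in-memory SQLite demo and its rows are constructed for illustration, and the `DATE_FORMAT` column is left out so the demo runs on SQLite.

```php
<?php
// Added example: the post's two queries with bound parameters instead of concatenation.
// Assumptions: PDO with the sqlite driver; function names and demo rows are constructed.
function findMembersByPrefix(PDO $db, string $ltr, $page): array
{
    // The LIMIT offset must be a non-negative integer; reject anything else.
    $offset = filter_var($page, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($offset === false) {
        throw new InvalidArgumentException('page must be a non-negative integer');
    }
    // Escape LIKE wildcards in the user's text so only our trailing % is a wildcard.
    $pattern = strtr($ltr, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
    // On MySQL the DATE_FORMAT(...) column from the original stays in the SQL text as-is.
    $stmt = $db->prepare(
        "SELECT * FROM `members` WHERE `name` LIKE :pat ESCAPE '!'
         ORDER BY points DESC LIMIT 50 OFFSET :off"
    );
    $stmt->bindValue(':pat', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':off', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function findGroup(PDO $db, $grid): ?array
{
    // The id is numeric in the original query, so validate it as an integer first.
    $id = filter_var($grid, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('group id must be an integer');
    }
    $stmt = $db->prepare('SELECT * FROM `groups` WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data (in-memory SQLite, nothing touches a real database).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE `members` (name TEXT, points INTEGER)");
$db->exec("CREATE TABLE `groups` (id INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO `members` VALUES ('O''Brien', 10), ('Olaf', 5), ('100%_real', 1)");
$db->exec("INSERT INTO `groups` VALUES (1, 'ladder-a')");

var_dump(count(findMembersByPrefix($db, "O'", '0')));   // a quote in the input is plain data
var_dump(count(findMembersByPrefix($db, '100%', 0)));   // % is matched literally
var_dump(findGroup($db, '1')['title']);
try { findGroup($db, '1x'); } catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
```

`extract()` only copies array keys into variables and performs no escaping, so the values reaching these queries are exactly what the client sent; the fix has to happen at the query, as here.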
