Обсуждение: disable multiple queries

Поиск
Список
Период
Сортировка

disable multiple queries

От
"Poul L. Christiansen"
Дата:
Hi

I'm developing an Cold Fusion (similar to PHP) application and I have a
security problem. When I load a page "test.cfm?articleid=5" someone can
alter the URL to
"test.cfm?articleid=5;create%20table%20plc%20(plc%20int2)" if the hacker
wanted to create a table.
The sql passed to PostgreSQL is: "select * from article where articleid
= #Url.ArticleId#"
Which means that anybody can pass the sql that they like to PostgreSQL
by using ";" to separate the queries. This is not good.

I could off course verify the input and reject it if it wasn't a number,
but I have almost 2000 different queries with all sorts of input (yes,
it's a big app.).

Can't I somehow disable multiple queries pr. SQL string so that ;
doesn't work?

I don't know if this affects PHP apps.

I'm using PostgeSQL 7.0.0 installed on Redhat 6.1 with RPM and the ODBC
driver from Insight Distribution Systems 6.40.00.08 on windows NT 4.0.

Thanks,
Poul L. Christiansen

Re: disable multiple queries

От
brianb-pggeneral@edsamail.com
Дата:
Poul L. Christiansen writes:

> I could off course verify the input and reject it if it wasn't a number,
> but I have almost 2000 different queries with all sorts of input (yes,
> it's a big app.).
>
> Can't I somehow disable multiple queries pr. SQL string so that ;
> doesn't work?
>
> I don't know if this affects PHP apps.

It's not Coldfusion specific. It affects all web applications, regardless
of development platform that blindly plug form data into SQL queries
without checking it.

Brian
--
Brian Baquiran <brianb@edsamail.com>
http://www.baquiran.com/  AIM: bbaquiran
Work: +63(2)7182222       Home: +63(2) 9227123

I'm smarter than average. Therefore, average, to me, seems kind of stupid.
People weren't purposely being stupid. It just came naturally.
                              -- Bruce "Tog" Toganazzini

Re: disable multiple queries

От
Tom Lane
Дата:
"Poul L. Christiansen" <plc@faroenet.fo> writes:
> I'm developing an Cold Fusion (similar to PHP) application and I have a
> security problem. When I load a page "test.cfm?articleid=5" someone can
> alter the URL to
> "test.cfm?articleid=5;create%20table%20plc%20(plc%20int2)" if the hacker
> wanted to create a table.
> The sql passed to PostgreSQL is: "select * from article where articleid
> = #Url.ArticleId#"
> Which means that anybody can pass the sql that they like to PostgreSQL
> by using ";" to separate the queries. This is not good.

> I could off course verify the input and reject it if it wasn't a number,
> but I have almost 2000 different queries with all sorts of input (yes,
> it's a big app.).

> Can't I somehow disable multiple queries pr. SQL string so that ;
> doesn't work?

No, and if you could it'd still be a pretty incomplete solution.
Consider for example
    select * from article where articleid = 123
        UNION select-everything-from-some-other-table.
Not to mention possible risks from invoking functions, changing SELECT
to SELECT FOR UPDATE to cause denial-of-service problems, etc.

I'd suggest validating your input if you are worried about attacks
of this nature.  It's the only real defense.

            regards, tom lane