Обсуждение: disable multiple queries
Hi I'm developing an Cold Fusion (similar to PHP) application and I have a security problem. When I load a page "test.cfm?articleid=5" someone can alter the URL to "test.cfm?articleid=5;create%20table%20plc%20(plc%20int2)" if the hacker wanted to create a table. The sql passed to PostgreSQL is: "select * from article where articleid = #Url.ArticleId#" Which means that anybody can pass the sql that they like to PostgreSQL by using ";" to separate the queries. This is not good. I could off course verify the input and reject it if it wasn't a number, but I have almost 2000 different queries with all sorts of input (yes, it's a big app.). Can't I somehow disable multiple queries pr. SQL string so that ; doesn't work? I don't know if this affects PHP apps. I'm using PostgeSQL 7.0.0 installed on Redhat 6.1 with RPM and the ODBC driver from Insight Distribution Systems 6.40.00.08 on windows NT 4.0. Thanks, Poul L. Christiansen
Poul L. Christiansen writes: > I could off course verify the input and reject it if it wasn't a number, > but I have almost 2000 different queries with all sorts of input (yes, > it's a big app.). > > Can't I somehow disable multiple queries pr. SQL string so that ; > doesn't work? > > I don't know if this affects PHP apps. It's not Coldfusion specific. It affects all web applications, regardless of development platform that blindly plug form data into SQL queries without checking it. Brian -- Brian Baquiran <brianb@edsamail.com> http://www.baquiran.com/ AIM: bbaquiran Work: +63(2)7182222 Home: +63(2) 9227123 I'm smarter than average. Therefore, average, to me, seems kind of stupid. People weren't purposely being stupid. It just came naturally. -- Bruce "Tog" Toganazzini
"Poul L. Christiansen" <plc@faroenet.fo> writes: > I'm developing an Cold Fusion (similar to PHP) application and I have a > security problem. When I load a page "test.cfm?articleid=5" someone can > alter the URL to > "test.cfm?articleid=5;create%20table%20plc%20(plc%20int2)" if the hacker > wanted to create a table. > The sql passed to PostgreSQL is: "select * from article where articleid > = #Url.ArticleId#" > Which means that anybody can pass the sql that they like to PostgreSQL > by using ";" to separate the queries. This is not good. > I could off course verify the input and reject it if it wasn't a number, > but I have almost 2000 different queries with all sorts of input (yes, > it's a big app.). > Can't I somehow disable multiple queries pr. SQL string so that ; > doesn't work? No, and if you could it'd still be a pretty incomplete solution. Consider for example select * from article where articleid = 123 UNION select-everything-from-some-other-table. Not to mention possible risks from invoking functions, changing SELECT to SELECT FOR UPDATE to cause denial-of-service problems, etc. I'd suggest validating your input if you are worried about attacks of this nature. It's the only real defense. regards, tom lane