Re: Proposal to secure $xoopsDB->query method

Subject: Re: Proposal to secure $xoopsDB->query method
by skenow on 2008/4/5 18:04:08

db->query takes 3 parameters - a string that will be parsed as an SQL statement, a limit for the number of results to return and a starting point.

By the time the query method is called, all validation should have already happened, but we can't count on this, I understand that. But, arbitrarily forbidding delete, insert, update, drop, union, alter, or any other MySQL reserved word or function would keep this post from being added here. In other injection attacks, the words 'and' and 'or' are also used to corrupt the query.

At this point, we also don't know much about the context of the query - what parameters were from user input and which were from the developer? What datatype should they be? What length should the parameters be? I've been going through all the possible ways to be sure the query string is valid using regex, stored procedures, prepared statements, but I keep coming up with exceptions to the rules, unless you know the context.

What we might be able to determine is if the string has been properly escaped, quoted and encoded. Maybe we look at it from this angle.
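The two objections above (a reserved-word blacklist blocks legitimate text such as this post, and a value containing only 'or' still corrupts a concatenated query) can be shown side by side. The following is an added example, not XOOPS code and not the poster's; it is a Python stand-in using an in-memory SQLite table, where `keyword_filter_rejects`, `build_query_by_concat`, the sample posts and the `LOGIC_CHANGING_TITLE` value are all constructed for the illustration. It contrasts the proposed filter with a bound-parameter query, which is the "properly escaped, quoted and encoded" path the post ends on.

```python
import re
import sqlite3

# Reserved words a naive "secure query" wrapper might forbid (constructed list
# mirroring the proposal discussed in the thread).
FORBIDDEN_WORDS = ("delete", "insert", "update", "drop", "union", "alter")

# Constructed sample rows: forum posts whose title or body contain forbidden
# words as ordinary English.
SAMPLE_POSTS = [
    (1, "Welcome to the forum", "Say hello here."),
    (2, "How to delete a post", "Use the moderation menu."),
    (3, "Proposal to secure the query method",
     "Forbidding delete, insert, update, drop, union or alter would block this post."),
]

# A value with no forbidden word that still changes the query's logic when it
# is concatenated into the SQL string (the 'or' case raised in the thread).
LOGIC_CHANGING_TITLE = "x' OR 'a'='a"


def keyword_filter_rejects(sql):
    """The proposed blacklist: refuse any query string containing a forbidden word."""
    return any(re.search(r"\b%s\b" % w, sql, re.IGNORECASE) for w in FORBIDDEN_WORDS)


def build_query_by_concat(title):
    """A query built by string concatenation, as a caller might before db->query."""
    return "SELECT id FROM posts WHERE title = '%s' ORDER BY id" % title


def open_sample_db():
    """Create the in-memory table and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    return conn


def find_ids_by_concat(conn, title):
    """Run the concatenated string; the database cannot tell data from code here."""
    return [row[0] for row in conn.execute(build_query_by_concat(title))]


def find_ids_by_param(conn, title):
    """Same lookup with a bound parameter; the title stays data whatever it contains."""
    sql = "SELECT id FROM posts WHERE title = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (title,))]


def run_demo():
    """Return the observations a reviewer of the proposal would want to see."""
    conn = open_sample_db()
    legit_query = build_query_by_concat("How to delete a post")
    results = {
        # false positive: an ordinary search is refused because of the word 'delete'
        "legit_query_rejected": keyword_filter_rejects(legit_query),
        # false negative: the logic-changing value passes the blacklist untouched
        "or_query_rejected": keyword_filter_rejects(build_query_by_concat(LOGIC_CHANGING_TITLE)),
        # with concatenation the WHERE clause becomes always-true: every row returns
        "concat_rows": find_ids_by_concat(conn, LOGIC_CHANGING_TITLE),
        # with a bound parameter the same value matches nothing
        "param_rows": find_ids_by_param(conn, LOGIC_CHANGING_TITLE),
        # and the legitimate title still works through the bound parameter
        "param_legit_rows": find_ids_by_param(conn, "How to delete a post"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The blacklist fails in both directions on the same tiny table: it rejects a harmless search because a title mentions "delete", and it waves through a value that turns the concatenated WHERE clause into an always-true condition. The bound-parameter version needs no knowledge of the caller's context, which is the missing piece the post identifies; the escaping happens at the point where the data meets the SQL, not by inspecting the finished string.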