php - Is this function vulnerable to SQL injection? -

-

i built function check if table exists on database using pdo, i'm not sure if i've secured properly.

public function tableexists($table){     try{         $this->query('select 1 `'.str_replace('`', '', $table).'` limit 1');     }catch(\pdoexception $e){         if($e->errorinfo[1] == 1146){             return false;         }         throw $e;     }     return true; }

is possible attacker compromise query if $table provided directly user input? (extreme case)

no, code not vulnerable sql injection attack

however, perhaps more fluke else.

to handle user-provided values correctly, 1 wish escape characters have special meaning (rather remove them). documented under schema object names:

identifier quote characters can included within identifier if quote identifier. if character included within identifier same used quote identifier itself, need double character. following statement creates table named a`b contains column named c"d:

mysql> create table `a``b` (`c"d` int);

so how can permit any table name, including contain backtick characters?

permissive escaping—attempt 1

you might tempted modify function use following:

$this->query('select 1 `'.str_replace('`', '``', $table).'` limit 1');

don't! above code is vulnerable (in obscure edge cases).

str_replace() naive, byte-wise function (it not character-set aware, , therefore not safe use string encodings have multi-byte characters).

if database connection uses multibyte character set, such gbk, malicious table name not escaped properly:

// malicious user-provided value $_post['tablename'] = "\x8c`; drop table users; -- ";  // call function value tableexists($_post['tablename']);

the above result in query() being called following string argument:

select 1 `宍`; drop table users; -- ` limit 1

this because when str_replace() goes through inputted string byte-by-byte—naively replacing occurrence of '`' character, i.e. byte 0x60—it without understanding mysql consider string encoded using gbk, in 0x8c60 single character '宍'; , therefore turns such characters 0x8c6060 represent '宍`'. str_replace() has introduced terminating backtick character not there before!

permissive escaping—attempt 2

the problem can fixed using character-set aware replacement function. php doesn't have 1 default, although optional extensions multibyte string commonplace in typical hosting environments.

if following approach, must ensure perform replacement using the character encoding of database connection.

permissive escaping—attempt 3

as of mysql v5.7.6, can use mysql_real_escape_string_quote() escape sql identifiers using database connection's character set. sadly however, pdo api not (yet?) provide interface c function…

what whitelisting?

whitelisting considered more secure , reliable escaping. (unless 1 knows in advance not contain special characters), one must still escape whitelisted values—so doesn't progress general cases, although limit damage can done should escaping prove erroneous.

so what's conclusion?

it's quite difficult use arbitrary, user-provided, sql identifiers in safe way.

fortunately, however, it's not common requirement. general rule, one's schema should both static (absent changes one's codebase necessitate schema modification) and compliant principle of orthogonal design: if both of conditions fulfilled, sql identifiers part of one's static code , there not need use user input in place.


Comments

Post a Comment

Popular posts from this blog

google chrome - Developer tools - How to inspect the elements which are added momentarily (by JQuery)? -

-
i looking @ how website designed using inspector in chrome. can use firefox developer tools or firefox web developer add-on or chrome web developer extension. so website has slide-show , using jquery it. looking @ markup , css in inspector, i see 2 things constantly changing slides change: one opacity css property understandable, i'd see changing values, changes fast see read anything. second- a div added in div slides change momentarily , moment when appears short notice except div . so question is there way stop slideshow can temporarily rid of blinking sort of effect (by speedy adding , removal , changing of elements , values)? where can inspect div element gets added such short moment , , gets removed? , can see changes in value of opacity takes place? is there way stop slideshow can temporarily rid of blinking sort of effect (by speedy adding , removal , changing of elements , values)? if opacity animated css transition or animation,
Read more

angularjs - Showing an empty as first option in select tag -

-
my app showing empty select field first entry. have read other solution given , tried still not working. my controller code is: .controller('usercreatecontroller', function(user,profile,auth) { alert("hello"); var vm = this; vm.type = 'create'; profile.all() //this service fetch profiles shown in select field .success(function(data){ vm.profile = data; }); vm.userdata.profile = vm.profile[0]; //here have set default value select field and html page is: <label class="col-sm-2 control-label">profile</label> <div class="col-sm-8"> <select ng-model="user.userdata.profile" ng-options="person._id person.profilename person in user.profile"> </select> </div> hierarchy of vm.profile { "_id": 46, "profile": objectid("5516498e95b84548156db754"), "isactive": true, "password": "$2
Read more

php - Cloud9 cloud IDE and CakePHP -

-
i attempting cakephp running on cloud9, cloud based ide. unaware, cloud collaboration ide intermixes services such bitbucket. site gives sudo rights, , installed cakephp using these instructions: https://www.digitalocean.com/community/tutorials/how-to-install-cakephp-on-an-ubuntu-12-04-vps when attempt run database exported machine cakephp installed, error message "url rewriting not configured on server." attempted solve issue using official guide cakephp: http://book.cakephp.org/2.0/en/installation/url-rewriting.html but no cigar, same error message. has gotten cakephp working, or aware of cloud ide free/low cost cloud9 support cakephp? here's how got working now: sudo apt-get update sudo apt-get install php5-intl curl -ss https://getcomposer.org/installer | php -- --filename=composer ./composer create-project --prefer-dist cakephp/app this creates project in /app default. move workspace docroot: mv app/* ./ mv app/.* ./ rm -rf app then de
Read more