Saturday, September 6, 2008

[DOC-BUGS] #46011 [NEW]: mysql_real_escape_string is no protection for numeric fields

From: pablo dot angulo at uam dot es
Operating system: Irrelevant
PHP version: Irrelevant
PHP Bug Type: Documentation problem
Bug description: mysql_real_escape_string is no protection for numeric fields

Description:
------------
mysql_real_escape_string documentation gives the false impression that its
use alone will prevent mysql attacks and unauthorized access to the
database in all circumstances.

For numeric columns, mysql_real_escape_string is not enough.
example:

$user=mysql_real_escape_string($_GET['user']);
$pass=mysql_real_escape_string($_GET['pass']);
$id=mysql_real_escape_string($_GET['id']);
// $id is interpolated without quotes, so escaping does not help here
$query="SELECT x FROM t WHERE user='$user' AND pass='$pass' AND id=$id";
mysql_query($query);

is susceptible to the attack

http://example.com/index.php?id=1 OR 1=1

because mysql_real_escape_string does not escape whitespace.
The check is_numeric($id) is a solution to the above, putting the number
between quotes in the query also is, and using sprintf is another solution,
but the documentation does not suggest any of those should be used. There
should be at least a pointer to:

http://php.net/manual/en/security.database.sql-injection.php

so that we newbies know this is not a trivial issue.


--
Edit bug report at http://bugs.php.net/?id=46011&edit=1


--
PHP Documentation Bugs Mailing List (http://www.php.net/)
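The following script is an added example and is not code from the bug report or from the PHP manual. It reproduces the report's point (escaping leaves an unquoted numeric column open because spaces and keywords are not escaped) and shows the three remedies the report names: validating the value, casting it with (int) or sprintf('%d'), and using a prepared statement. Because mysql_real_escape_string() needs a live MySQL connection, addslashes() stands in for it here (both escape quotes and backslashes, neither touches whitespace), and PDO with an in-memory SQLite database is used so the script runs offline. The table, rows and inputs are all constructed for the example.

```php
<?php
// Added example, not code from the bug report or from the PHP manual.
// Constructed in-memory database so the script runs without a MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE t (id INTEGER PRIMARY KEY, user TEXT, pass TEXT, x TEXT)');
$db->exec("INSERT INTO t (id, user, pass, x) VALUES
           (1, 'alice', 'pw1', 'alice-secret'),
           (2, 'bob',   'pw2', 'bob-secret')");

// The pattern from the report. addslashes() stands in for
// mysql_real_escape_string() (which needs a live MySQL link): both escape
// quotes and backslashes, and neither touches spaces, '=' or keywords, so an
// unquoted numeric value is spliced into the SQL text unchanged.
function vulnerable_lookup(PDO $db, string $user, string $pass, string $id): array
{
    $user = addslashes($user);
    $pass = addslashes($pass);
    $id   = addslashes($id);
    $sql  = "SELECT x FROM t WHERE user='$user' AND pass='$pass' AND id=$id";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fix 1: force the value to an integer before interpolating it. sprintf('%d')
// and an (int) cast both turn '1 OR 1=1' into 1. The string columns are still
// escaped. Note that casting silently turns garbage such as 'abc' into 0,
// so it hides bad input rather than reporting it.
function cast_lookup(PDO $db, string $user, string $pass, string $id): array
{
    $user = addslashes($user);
    $pass = addslashes($pass);
    $sql  = sprintf("SELECT x FROM t WHERE user='%s' AND pass='%s' AND id=%d",
                    $user, $pass, (int) $id);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fix 2: reject anything that is not an integer, then let the driver bind the
// values. A prepared statement never splices user input into the SQL text, so
// the string columns need no escaping call either.
function prepared_lookup(PDO $db, string $user, string $pass, string $id): array
{
    // FILTER_VALIDATE_INT is stricter than is_numeric(), which also accepts
    // forms such as '1e3' or ' 1'; either check stops '1 OR 1=1'.
    $idInt = filter_var($id, FILTER_VALIDATE_INT);
    if ($idInt === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $db->prepare('SELECT x FROM t WHERE user = :user AND pass = :pass AND id = :id');
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    $stmt->bindValue(':pass', $pass, PDO::PARAM_STR);
    $stmt->bindValue(':id', $idInt, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a wrong password plus the id value from the report's URL.
$user = 'alice';
$pass = 'wrong-password';
$id   = '1 OR 1=1';

echo "vulnerable:\n";
var_dump(vulnerable_lookup($db, $user, $pass, $id));
echo "cast:\n";
var_dump(cast_lookup($db, $user, $pass, $id));
echo "prepared:\n";
try {
    var_dump(prepared_lookup($db, $user, $pass, $id));
} catch (InvalidArgumentException $e) {
    echo 'rejected before reaching the database: ', $e->getMessage(), "\n";
}
echo "prepared, valid input:\n";
var_dump(prepared_lookup($db, 'alice', 'pw1', '1'));
```

With the wrong password, the vulnerable version returns the x column of every row, because the generated WHERE clause is `user='alice' AND pass='wrong-password' AND id=1 OR 1=1` and the trailing `OR 1=1` makes the whole condition true. The cast version returns no rows, since `id=1` combined with a wrong password matches nothing, and the prepared version rejects the input before any SQL is run; only the final call with a valid id and the correct password returns a row. Validation plus a prepared statement is the preferable fix, because it reports bad input instead of silently coercing it.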
