Can I pass a wildcard to this function?

  • Lars Eighner

    Can I pass a wildcard to this function?


    Is it possible, accidentally or on purpose, to pass a
    wildcard to this function that would have the effect
    of deleting many or all rows (shortname is a unique,
    non-null field)?

    function delete_row_by_shortname($table, $shortname) {
        global $mysqlhost, $mysqlusr, $mysqlpw, $mysqldb;
        $link = mysql_connect($mysqlhost, $mysqlusr, $mysqlpw);
        if (!$link) {
            die('Not connected : ' . mysql_error());
        }
        mysql_select_db($mysqldb) or
            die('Could not select database: ' . "$mysqldb.");
        // both values are interpolated into the query text without escaping
        $query = "DELETE FROM $table WHERE shortname='$shortname'";
        mysql_query($query) or die("Query Failed! " . mysql_error());
        $value = mysql_affected_rows($link);
        mysql_close($link);
        return $value;
    }


    --
    Lars Eighner <http://larseighner.com/> <http://myspace.com/larseighner>
    Countdown: 586 days to go.
    Why "War Czar"? That sounds like Imperial Russia!
    Call it by the American term: "Fall Guy."
  • arkascha

    #2
    Re: Can I pass a wildcard to this function?

    Hi, :-)

    Lars Eighner wrote:
    > Is it possible, accidentally or on purpose, to pass a
    > wildcard to this function that would have the effect
    > of deleting many or all rows (shortname is a unique,
    > non-null field)?
    >
    > function delete_row_by_shortname($table, $shortname) {
    >     global $mysqlhost, $mysqlusr, $mysqlpw, $mysqldb;
    >     $link = mysql_connect($mysqlhost, $mysqlusr, $mysqlpw);
    >     if (!$link) {
    >         die('Not connected : ' . mysql_error());
    >     }
    >     mysql_select_db($mysqldb) or
    >         die('Could not select database: ' . "$mysqldb.");
    >     $query = "DELETE FROM $table WHERE shortname='$shortname'";
    >     mysql_query($query) or die("Query Failed! " . mysql_error());
    >     $value = mysql_affected_rows($link);
    >     mysql_close($link);
    >     return $value;
    > }
    I'd say yes, it certainly is possible.
    First, you are safe inside the sql context if the column shortname really is
    a non null unique index, since that means you can delete only a single row
    because only one single value can fulfill the condition "=".
    BUT:
    You do no escaping of the values in $table and $shortname. It depends on
    where the values come from. It _might_ offer a vulnerability
    to 'sql-injection':
    Imagine the variable $shortname is filled from a form where data can be
    entered and someone enters something like this:
    "bla1' OR shortname='bla2' OR shortname='bla3"
    What results is this sql statement, which is certainly _not_ the one you
    intended to fire:
    "DELETE FROM $table WHERE shortname='bla1' OR shortname='bla2' OR
    shortname='bla3'"
    You should always escape such variable values, typically with the
    function 'mysql_real_escape_string()'. Doing so, the fired statement will
    read:
    "DELETE FROM $table WHERE shortname='bla1'' OR shortname=''bla2'' OR
    shortname=''bla3'".
    This will match a single entry or none (apart from the same aspect with
    $table...)

    Have fun,
    arkascha


    • Jerry Stuckle

      #3
      Re: Can I pass a wildcard to this function?

      arkascha wrote:
      > Hi, :-)
      >
      > Lars Eighner wrote:
      >> Is it possible, accidentally or on purpose, to pass a
      >> wildcard to this function that would have the effect
      >> of deleting many or all rows (shortname is a unique,
      >> non-null field)?
      >>
      >> function delete_row_by_shortname($table, $shortname) {
      >>     global $mysqlhost, $mysqlusr, $mysqlpw, $mysqldb;
      >>     $link = mysql_connect($mysqlhost, $mysqlusr, $mysqlpw);
      >>     if (!$link) {
      >>         die('Not connected : ' . mysql_error());
      >>     }
      >>     mysql_select_db($mysqldb) or
      >>         die('Could not select database: ' . "$mysqldb.");
      >>     $query = "DELETE FROM $table WHERE shortname='$shortname'";
      >>     mysql_query($query) or die("Query Failed! " . mysql_error());
      >>     $value = mysql_affected_rows($link);
      >>     mysql_close($link);
      >>     return $value;
      >> }
      >
      > I'd say yes, it certainly is possible.
      > First, you are safe inside the sql context if the column shortname really is
      > a non null unique index, since that means you can delete only a single row
      > because only one single value can fulfill the condition "=".
      > BUT:
      > You do no escaping of the values in $table and $shortname. It depends on
      > where the values come from. It _might_ offer a vulnerability
      > to 'sql-injection':
      > Imagine the variable $shortname is filled from a form where data can be
      > entered and someone enters something like this:
      > "bla1' OR shortname='bla2' OR shortname='bla3"
      > What results is this sql statement, which is certainly _not_ the one you
      > intended to fire:
      > "DELETE FROM $table WHERE shortname='bla1' OR shortname='bla2' OR
      > shortname='bla3'"
      > You should always escape such variable values, typically with the
      > function 'mysql_real_escape_string()'. Doing so, the fired statement will
      > read:
      > "DELETE FROM $table WHERE shortname='bla1'' OR shortname=''bla2'' OR
      > shortname=''bla3'".
      > This will match a single entry or none (apart from the same aspect with
      > $table...)
      >
      > Have fun,
      > arkascha
      Even worse:

      'bla1' OR 1=1

      --
      ==================
      Remove the "x" from my email address
      Jerry Stuckle
      JDS Computer Training Corp.
      jstucklex@attglobal.net
      ==================


      • Michael Fesser

        #4
        Re: Can I pass a wildcard to this function?

        ..oO(Lars Eighner)
        >Is it possible, accidentally or on purpose, to pass a
        >wildcard to this function that would have the effect
        >of deleting many or all rows (shortname is a unique,
        >non-null field)?
        >
        >[code snipped]
        Definitely. Have a look at PDO and prepared statements.

        Micha

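A hardened version of the delete, added here as an example that is not code from the thread: it puts Michael's suggestion (PDO with a prepared statement) next to the string-built query from the question and runs both against arkascha's input so the affected row counts can be compared. It assumes a constructed in-memory SQLite table named items with a UNIQUE NOT NULL shortname column (the pdo_sqlite extension must be loaded) and an allowlist of table names, because $table is an identifier and cannot be bound as a parameter, which is the remaining gap arkascha points at with "the same aspect with $table".

```php
<?php
// Added example, not from the thread. Requires the pdo_sqlite extension.
// Assumed schema: items(id, shortname UNIQUE NOT NULL); assumed allowlist below.
const ALLOWED_TABLES = ['items'];

// Hardened delete: the SQL text is fixed, the value travels as a bound parameter,
// and the table name is checked against the allowlist because identifiers
// cannot be parameterised.
function delete_row_by_shortname(PDO $pdo, string $table, string $shortname): int {
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("Table not allowed: $table");
    }
    $stmt = $pdo->prepare("DELETE FROM \"$table\" WHERE shortname = :shortname");
    $stmt->execute([':shortname' => $shortname]);
    return $stmt->rowCount();
}

// The original string-built query, kept only so its effect can be measured.
function delete_row_unsafe(PDO $pdo, string $table, string $shortname): int {
    return $pdo->exec("DELETE FROM $table WHERE shortname='$shortname'");
}

// Constructed sample data: three rows, matching the names in arkascha's reply.
function fresh_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, shortname TEXT UNIQUE NOT NULL)');
    $pdo->exec("INSERT INTO items (shortname) VALUES ('bla1'), ('bla2'), ('bla3')");
    return $pdo;
}

// arkascha's input; the function's own quotes close it into three OR'ed conditions.
$input = "bla1' OR shortname='bla2' OR shortname='bla3";

printf("string-built query removed %d of 3 rows\n",
       delete_row_unsafe(fresh_db(), 'items', $input));
printf("prepared statement removed %d of 3 rows (no row has that shortname)\n",
       delete_row_by_shortname(fresh_db(), 'items', $input));
printf("prepared statement removed %d row for a real shortname\n",
       delete_row_by_shortname(fresh_db(), 'items', 'bla2'));
```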