Thread: Limit on number of queries from CGI or PHP (security)

Limit on number of queries from CGI or PHP (security)

From
Rikul Patel
Date:
Hi,

Is there any way I can restrict the number of queries to
only one? Here's the problem:

If a PHP script gets some data as input from the user, and
the PHP script tries to put this data into PostgreSQL,
what's keeping the user from modifying the data in a way
that makes PostgreSQL execute two queries?

So instead of some PHP script generating a query like
"select * from table where text='some text' or id=1",
some malicious user could make it generate "select *
from table where text='some text' or id=1;delete from
table".

Thanks,
Rikul

__________________________________________________
Do You Yahoo!?
Yahoo! Messenger - Talk while you surf!  It's FREE.
http://im.yahoo.com/

Re: Limit on number of queries from CGI or PHP (security)

From
Alfred Perlstein
Date:
* Rikul Patel <rikul7@yahoo.com> [001017 01:07] wrote:
> Hi,
>
> Is there any way I can restrict the number of queries to
> only one? Here's the problem:
>
> If a PHP script gets some data as input from the user, and
> the PHP script tries to put this data into PostgreSQL,
> what's keeping the user from modifying the data in a way
> that makes PostgreSQL execute two queries?
>
> So instead of some PHP script generating a query like
> "select * from table where text='some text' or id=1",
> some malicious user could make it generate "select *
> from table where text='some text' or id=1;delete from
> table".

See PHP's addslashes() function.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."

Re: Limit on number of queries from CGI or PHP (security)

From
KuroiNeko
Date:
> So instead of some PHP script generating a query like
> "select * from table where text='some text' or id=1",
> some malicious user could make it generate "select *
> from table where text='some text' or id=1;delete from
> table".

 You're approaching this from the wrong direction. Neither the client part
nor the interface should be prohibited from running multiple queries in a
single call.
 As to your example, first of all, you can't disclose your tables, let anyone
enter raw SQL statements, and sleep tight. The UI must only be allowed to
take parameters and build the queries on its own, or pass the params for
further processing to another level.
 Again, if `some malicious user could make [some PHP script]' generate a
dangerous query, the problem is with the script. Read the params, wipe out
all control octets, including URL-encoded ones, escape all potentially
dangerous chars, like ' " and ; enclose query params for non-numeric fields
in ', and restrict params' content to known good values wherever possible.
All the job must be done by the UI or an underlying level. The DB i/f must
receive perfectly valid queries.
 On the other hand, the DB interface can _never_ rely upon the fact that it
will always receive valid params. Additional checks must be performed,
because bypassing restrictions applied on the visitor's side is as easy as
telnetting to port 80. Bypassing CGI restrictions is not as easy, but still
very possible.
 Last but not least: this is not a recipe, let alone a panacea. Always watch
your back and never trust the trust.

 G'luck

 Ed


--

 Well I tried to be meek
  And I have tried to be mild
 But I spat like a woman
  And I sulked like a child
 I have lived behind the walls
  That have made me alone
 Striven for peace
  Which I never have known

 Dire Straits, Brothers In Arms, The Man's Too Strong (Knopfler)


Re: Limit on number of queries from CGI or PHP (security)

From
Michelle Murrain
Date:
At 1:00 AM -0700 10/17/00, Rikul Patel wrote:
>Hi,
>
>Is there any way I can restrict the number of queries to
>only one? Here's the problem:
>
>If a PHP script gets some data as input from the user, and
>the PHP script tries to put this data into PostgreSQL,
>what's keeping the user from modifying the data in a way
>that makes PostgreSQL execute two queries?
>
>So instead of some PHP script generating a query like
>"select * from table where text='some text' or id=1",
>some malicious user could make it generate "select *
>from table where text='some text' or id=1;delete from
>table".

I don't know if this is possible, but what I do is generally give
the user as little control over the generation of the query as
possible. I generally generate SQL statements in a way that makes it
difficult (I think) to construct a malicious query.

You could also parse the generated SQL before executing it, watching
out for such words as 'delete' or 'update' if that is never going to
be the intention of the query in that instance.

Michelle
--
---------------------------
Michelle Murrain, President
Norwottuck Technology Resources
mpm@norwottuck.com

Re: Limit on number of queries from CGI or PHP (security)

From
"Adam Lang"
Date:
For the most part, everyone's answers are accurate. The interface and
database you design need to be tighter to prevent that.

One topic that no one mentioned is database security. For the user that the
PHP script runs under, start by restricting its access to what it doesn't
need. If it is only allowed to query information, don't let it update,
delete, etc.

Second, check the query string for suspicious characters, i.e. more
semicolons than needed.

When letting people enter actual SQL queries, you have to treat it like they
are sitting at the server's console.

The best option is to have a form that they fill in and the script
constructs the query on its own... (as well as the user security enabled).

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
----- Original Message -----
From: "Rikul Patel" <rikul7@yahoo.com>
To: <pgsql-general@postgresql.org>
Sent: Tuesday, October 17, 2000 4:00 AM
Subject: [GENERAL] Limit on number of queries from CGI or PHP (security)


> Hi,
>
> Is there any way I can restrict the number of queries to
> only one? Here's the problem:
>
> If a PHP script gets some data as input from the user, and
> the PHP script tries to put this data into PostgreSQL,
> what's keeping the user from modifying the data in a way
> that makes PostgreSQL execute two queries?
>
> So instead of some PHP script generating a query like
> "select * from table where text='some text' or id=1",
> some malicious user could make it generate "select *
> from table where text='some text' or id=1;delete from
> table".
>
> Thanks,
> Rikul
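The points in this thread about the database side (Adam Lang's least-privilege user, KuroiNeko's "wrong direction", and the original question of limiting a call to one statement) can be tried out without a PostgreSQL server. The following is an added example, not code from the thread: it uses Python's sqlite3 module in memory as a stand-in for PostgreSQL, with a constructed table `t` of three rows and the thread's own query and payload (extended with a trailing `--` comment so the injected tail parses). Two PHP facts it models: pg_query(), like libpq's PQexec() underneath it, accepts several semicolon-separated statements in one string, while pg_query_params() accepts exactly one statement and sends the values separately. The read-only authorizer stands in for a PostgreSQL role that has been granted SELECT and nothing else; sqlite3 has no roles, so the callback is the closest equivalent.

```python
"""Added example (not from the thread): the two-statement payload run four
ways, using Python's sqlite3 in memory as a stand-in for PostgreSQL.
Table 't' and its rows are constructed for the demo; the payload is the
thread's, with a trailing '--' comment so the injected tail parses."""
import sqlite3

# Crafted "text" parameter: closes the quote, ends the statement, and
# comments out whatever the script appends after it.
PAYLOAD = "some text' or id=1;delete from t --"
# A payload that needs no second statement at all.
OR_PAYLOAD = "nothing' or 1=1 --"


def fresh_db():
    """New in-memory table with three rows (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table t (id integer primary key, text text)")
    conn.executemany("insert into t values (?, ?)",
                     [(1, "first"), (2, "second"), (3, "third")])
    conn.commit()
    return conn


def count_rows(conn):
    return conn.execute("select count(*) from t").fetchone()[0]


def concatenated(text):
    """What the script in the thread effectively builds."""
    return "select * from t where text='" + text + "' or id=1"


def run_multi_statement_api(text):
    """Interface that runs every statement in the string (executescript,
    like pg_query()/PQexec): the injected DELETE runs, table is emptied."""
    conn = fresh_db()
    conn.executescript(concatenated(text))
    return count_rows(conn)


def run_single_statement_api(text):
    """Interface that refuses more than one statement per call: the
    original poster's 'only one query' limit.  The DELETE is stopped..."""
    conn = fresh_db()
    try:
        conn.execute(concatenated(text)).fetchall()
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return "rejected", count_rows(conn)
    return "executed", count_rows(conn)


def rows_leaked_single_statement(text):
    """...but injection inside ONE statement still works: the OR payload
    returns the whole table through the same single-statement interface."""
    conn = fresh_db()
    return len(conn.execute(concatenated(text)).fetchall())


def run_parameterized(text):
    """The real fix: the value is bound as a parameter, never parsed as SQL
    (pg_query_params() in PHP).  Returns (rows matched, rows remaining)."""
    conn = fresh_db()
    rows = conn.execute("select * from t where text=? or id=?",
                        (text, 1)).fetchall()
    return len(rows), count_rows(conn)


def run_read_only_role(text):
    """Defence in depth: the web user may only read.  PostgreSQL: a role
    with GRANT SELECT and nothing else; sqlite3 has no roles, so an
    authorizer callback denies every action except reads."""
    conn = fresh_db()
    allowed = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ,
               sqlite3.SQLITE_FUNCTION, sqlite3.SQLITE_TRANSACTION}

    def read_only(action, *_):
        return sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY

    conn.set_authorizer(read_only)
    try:
        conn.executescript(concatenated(text))
    except sqlite3.DatabaseError as err:
        return "denied (%s)" % err, count_rows(conn)
    return "executed", count_rows(conn)


if __name__ == "__main__":
    print("multi-statement API, rows left:", run_multi_statement_api(PAYLOAD))
    print("single-statement API:", run_single_statement_api(PAYLOAD))
    print("single statement, OR payload, rows leaked:",
          rows_leaked_single_statement(OR_PAYLOAD))
    print("parameterized (matched, left):", run_parameterized(PAYLOAD))
    print("read-only role:", run_read_only_role(PAYLOAD))
```

Running it shows the ordering of defences: the one-statement limit stops this particular payload but not the `or 1=1` one, binding the value as a parameter neutralises both, and the read-only principal keeps the table intact even when the application layer has already failed.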


Re: Limit on number of queries from CGI or PHP (security)

From
Charles Tassell
Date:
I noticed a lot of people gave some good advice, but one thing they forgot
to mention is the AddSlashes command of PHP. It basically does all the
necessary special-character escaping for you, so the worst thing someone
can do by entering bad data in your forms is bring up a page with bad
results. It works like this:

$pgResults = pg_exec($dbCon, "SELECT field1, field2 FROM table WHERE field1 = '" . addslashes($FormVar) . "'");

It's also a VERY good idea to do some basic sanity checking on all your
form data before even starting to build a query string. I.e., if you are
expecting $PageNumber to be an integer, then do a

// reject anything that is not purely digits (ereg() was removed in PHP 7)
if (!preg_match('/^[0-9]+\z/', $PageNumber)) { print "Bad form data!"; exit; }

At the top of your script. It's annoying to have to validate ALL your
variables (especially when you get into forms that have 15-20 fields) but
it's necessary if you don't want some script kiddy to come along and screw
up your site.



At 05:00 AM 10/17/00, Rikul Patel wrote:
>Hi,
>
>Is there any way I can restrict the number of queries to
>only one? Here's the problem:
>
>If a PHP script gets some data as input from the user, and
>the PHP script tries to put this data into PostgreSQL,
>what's keeping the user from modifying the data in a way
>that makes PostgreSQL execute two queries?
>
>So instead of some PHP script generating a query like
>"select * from table where text='some text' or id=1",
>some malicious user could make it generate "select *
>from table where text='some text' or id=1;delete from
>table".
>
>Thanks,
>Rikul
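The parameter handling that KuroiNeko and Charles Tassell describe above (strip control octets, including URL-encoded ones; escape the quote character; accept integers and enumerated values only from a known-good set) is written out below as an added example in Python, so it can be checked offline; it is not code from the thread, and the function names are this example's own. One caveat the thread does not state: the quoting rule shown here is SQL's standard one (double every single quote), which PostgreSQL applies when standard_conforming_strings is on (its default since 9.1). addslashes() escapes with backslashes, which PostgreSQL does not treat as escapes in that mode, so in PHP the equivalent of this example is pg_escape_literal(), or better, a parameterized pg_query_params() call.

```python
"""Added example (not from the thread): validating and quoting the
parameters of the thread's query in application code.  Function names are
this example's own; the quoting rule is standard SQL (double each single
quote), which PostgreSQL uses with standard_conforming_strings on."""
import re
from urllib.parse import unquote

# C0 control octets plus DEL; these never belong in a form value.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def clean_param(raw):
    """Decode %xx escapes first, then drop control octets, so that a
    URL-encoded NUL or newline cannot slip past the later checks."""
    return CONTROL.sub("", unquote(raw))


def quote_literal(value):
    """Return value as a SQL string literal.  Doubling the single quote is
    what the SQL standard (and PostgreSQL) expect; a backslash before the
    quote, as addslashes() emits, is not an escape in standard-conforming
    strings and would leave the quote live."""
    return "'" + value.replace("'", "''") + "'"


def as_int(raw):
    """Integer parameter: digits only, anything else is rejected outright
    (the check Charles Tassell applies to $PageNumber)."""
    if not re.fullmatch(r"[0-9]+", raw):
        raise ValueError("bad form data: %r is not an integer" % raw)
    return int(raw)


def one_of(raw, allowed):
    """Whitelist for parameters with a known set of good values
    (sort order, column name, status flag and the like)."""
    if raw not in allowed:
        raise ValueError("bad form data: %r is not an allowed value" % raw)
    return raw


def build_query(text_raw, id_raw):
    """The thread's query with both parameters validated and quoted.  The
    result is always exactly one statement, whatever the input contained."""
    text = quote_literal(clean_param(text_raw))
    ident = as_int(id_raw)
    return "select * from table where text=%s or id=%d" % (text, ident)


if __name__ == "__main__":
    # The thread's payload ends up as inert data inside one string literal.
    print(build_query("some text' or id=1;delete from table", "1"))
    # A payload in the numeric parameter never reaches the query at all.
    try:
        build_query("x", "1;delete from table")
    except ValueError as err:
        print(err)
```

Note that escaping only protects the string positions the script itself quotes; the integer and whitelist checks exist because there is nothing to escape in an unquoted `id=` position, which is why KuroiNeko's advice to restrict such parameters to known good values matters as much as the quoting.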