From: | Ian Barwick <barwick(at)gmx(dot)net> |
---|---|
To: | "Henrik Steffen" <steffen(at)city-map(dot)de> |
Cc: | "pgsql" <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: update phenomenom |
Date: | 2003-06-07 19:16:13 |
Message-ID: | 200306072116.13802.barwick@gmx.net |
Lists: | pgsql-general |
On Saturday 07 June 2003 20:18, Henrik Steffen wrote:
> Hi Ian,
>
> well, I by now believe that it has got to be a human error
> (hum, well actually MY error)
>
> However, I would like to reproduce the error, so I can
> understand what I can do against it.
>
> So, even if it's slightly off topic for pgsql-general, maybe
> someone knows how it was possible to trick out the
> DBD::Pg using
>
> $sth=$db->prepare($command);
> $sth->execute();
>
> I did not succeed in passing two statements to the
> prepare-command. Neither using "commit;" nor using
> "--" as a separator.
"--" is a comment, not a separator.
> But from the result I got, there must have been
> a way to do it.
>
> Any hints?
Given the interpolated string used to create your SQL statement:
UPDATE $table SET $daten WHERE kundennummer='$kundennummer';
I could imagine the following scenarios (not tested) causing the update to
succeed silently:
a)
$table = "table";
$daten = "miano='071002'; SELECT 1 FROM table ";
$kundennummer = "071002883";
b)
$table = "table";
$daten = "miano='071002'";
$kundennummer = "071002883' OR 1='1";
Whether that is what actually happened is another question;
there may be other possibilities, possibly also depending on
how the parameters get from the web interface into the
SQL statement.
If you used place holders / bind variables (recommended practice)
this kind of thing should not happen; doing just this for example:
$command = qq/UPDATE $table SET $daten WHERE kundennummer=?/;
$sth=$db->prepare($command);
$sth->execute($kundennummer);
should prevent the second example from executing.
Motto: never trust user input, even if it is your own ;-)
Ian Barwick
barwick(at)gmx(dot)net