Wim works on a web app with a problem. Specifically, the error log is the fastest growing file on the system. Well, perhaps that’s not the problem, but actually a symptom. Like so many applications, it’s a PHP web app with a MySQL backend, and the previous developer made… choices.

$sqlisgt = "insert into ser_gen_tj values (4, '$type_juridiction', '$enr[23]', 'O')";

There’s your SQL injection vulnerability. Just dump variable values directly into SQL statements, what could go wrong?

Well, one problem is that sometimes this application needed to handle names. Names, especially in French, frequently contain '. So this wouldn’t work:

$sql = "INSERT INTO personne VALUES ('$matricule','$nom','$prenom','$tel',Null);";

A single quote in $nom would break the query, leaving it syntactically invalid, and every failed insert landed in the log. That’s why the log file was the fastest growing set of data in the system. But the developer responsible “fixed” this, don’t you worry.

$sql = "INSERT INTO personne VALUES ('$matricule',"$nom","$prenom",'$tel',Null);";

Thank goodness no one has a " in their name, I suppose. Still, Little Bobby Tables is going to have a field day with this application. Or should I say, Petit Robert D’Tables.
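To make the two failure modes concrete, here is an added example (not code from the original post or from Wim’s application): the interpolated INSERT from the article beside a prepared-statement version, run against an in-memory SQLite database through PDO so it works offline. The column names of personne, the sample rows, and the helper function names are assumptions; the article only shows five positional values.

```php
<?php
// Added example, not from the original post. Assumes a five-column table
// `personne` matching the positional INSERT shown in the article; the column
// names below are invented for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE personne (matricule TEXT, nom TEXT, prenom TEXT, tel TEXT, note TEXT)');

// The vulnerable pattern from the article: values dumped straight into the SQL text.
function insertInterpolated(PDO $pdo, string $matricule, string $nom, string $prenom, string $tel): bool
{
    $sql = "INSERT INTO personne VALUES ('$matricule','$nom','$prenom','$tel',NULL);";
    try {
        $pdo->exec($sql);
        return true;
    } catch (PDOException $e) {
        // This is the line that fills the error log: a ' in $nom makes the statement invalid.
        error_log("query failed: {$e->getMessage()} -- $sql");
        return false;
    }
}

// The fix: placeholders. The driver sends the values separately from the statement
// text, so a quote (single or double) in a name is just data, never syntax.
function insertPrepared(PDO $pdo, string $matricule, string $nom, string $prenom, string $tel): bool
{
    $stmt = $pdo->prepare('INSERT INTO personne VALUES (:matricule, :nom, :prenom, :tel, NULL)');
    return $stmt->execute([
        ':matricule' => $matricule,
        ':nom'       => $nom,
        ':prenom'    => $prenom,
        ':tel'       => $tel,
    ]);
}

// Constructed sample rows: a plain name, a French name with an apostrophe (the
// log-filling case), and a name that is an injection payload: it closes the
// nom literal, supplies its own prenom and tel, and comments out the rest.
$rows = [
    ['1001', 'Dupont', 'Marie', '0102030405'],
    ['1002', "D'Tables", 'Robert', '0102030406'],
    ['1003', "Robert','owned','0000000000',NULL); --", 'Bobby', '0102030407'],
];

foreach ($rows as [$matricule, $nom, $prenom, $tel]) {
    $ok = insertInterpolated($pdo, $matricule, $nom, $prenom, $tel);
    printf("interpolated %-45s => %s\n", var_export($nom, true), $ok ? 'inserted' : 'FAILED');
}
foreach ($rows as [$matricule, $nom, $prenom, $tel]) {
    $ok = insertPrepared($pdo, $matricule, $nom, $prenom, $tel);
    printf("prepared     %-45s => %s\n", var_export($nom, true), $ok ? 'inserted' : 'FAILED');
}

// Compare what actually landed in the table. The interpolated path loses
// D'Tables entirely and stores attacker-chosen prenom/tel for the payload row;
// the prepared path stores all three names verbatim, apostrophe and all.
foreach ($pdo->query('SELECT matricule, nom, prenom, tel FROM personne ORDER BY rowid') as $row) {
    printf("%s | %s | %s | %s\n", $row['matricule'], $row['nom'], $row['prenom'], $row['tel']);
}
```

Run it with `php` on a build that has the pdo_sqlite extension. The interpolated path behaves exactly as the article describes: the apostrophe row throws (and would be logged), and the payload row inserts with prenom and tel chosen by the caller rather than by the application. The prepared path inserts the same three names unchanged, which is the whole point of binding values instead of pasting them into the statement.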

Remy Porter
