MySQL injection in the LIMIT clause


Post by scraze on Sun May 03, 2009 2:04 pm

Hi fellow HTS'ers!

The other day it occurred to me that if you have an SQL statement like this:

SELECT * from some_table ORDER BY 1 LIMIT $var,10

that essentially you won't have to protect the $var input at all. I tried some different things on my server: a UNION won't work because there's already an ORDER clause, and.. well.. there's really nothing else you could do.

Do you agree :D?

Re: MySQL injection in the LIMIT clause

Post by thedotmaster on Tue Jul 21, 2009 11:02 am

It is good practice to cleanse all input you are given. It only takes one mistake with a "I won't need to cleanse the input here" and you've got yourself a nice gaping hole.

Re: MySQL injection in the LIMIT clause

Post by hngrfghtr on Fri Aug 07, 2009 3:06 pm

SELECT * from some_table ORDER BY 1 LIMIT $var,10

What if $var is "10; DROP TABLE some_table; --" ? The complete statement would look like
SELECT * from some_table ORDER BY 1 LIMIT 10; DROP TABLE some_table; --,10

Depending on the privilege config and whether stack queries are allowed, some_table might be gone.

The bottom line is we don't want to guess what $var could be. We know what it should be. So make sure it is a positive integer before passing it to SQL.
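The advice in the last reply (check that the offset is a positive integer before it reaches SQL) as an added example that is not part of the thread. It uses SQLite from the Python standard library as a stand-in for MySQL, with a small constructed `some_table`; the function names, the 10,000 offset ceiling and the sample rows are assumptions of this example. Two layers are shown: a strict validator that accepts only a run of decimal digits, and a bound parameter for the LIMIT offset so the driver sends it as a value rather than as SQL text.

```python
import re
import sqlite3

# Constructed sample data standing in for some_table (25 rows, ids 1..25).
ROWS = [(i, f"row{i}") for i in range(1, 26)]


def parse_limit_offset(raw, max_offset=10_000):
    """Return raw as a non-negative int, or raise ValueError.

    Only a plain run of ASCII digits is accepted, so inputs such as
    "10; DROP TABLE some_table; --", "-1", "1e3", " 10" and "" are all
    rejected before any SQL is built.  The ceiling (an assumed value)
    also stops absurdly large offsets from turning into a full scan.
    """
    if not isinstance(raw, str) or not re.fullmatch(r"[0-9]{1,9}", raw):
        raise ValueError("offset must be a plain decimal integer")
    value = int(raw)
    if value > max_offset:
        raise ValueError("offset too large")
    return value


def make_db():
    """Create an in-memory table matching the thread's some_table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE some_table (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO some_table VALUES (?, ?)", ROWS)
    return conn


def fetch_page(conn, raw_offset, page_size=10):
    """Fetch one page of rows; raw_offset is the untrusted $var."""
    offset = parse_limit_offset(raw_offset)
    # Second layer: the offset is bound as a parameter.  Even if the
    # validator were skipped, the driver never splices it into the query
    # text, so it cannot terminate the statement or start a new one.
    cur = conn.execute(
        "SELECT id, name FROM some_table ORDER BY 1 LIMIT ?, ?",
        (offset, page_size),
    )
    return cur.fetchall()


def demo():
    """Run the honest and the hostile $var through fetch_page.

    Returns (rows for offset 10, whether the hostile input was rejected,
    number of rows still in some_table afterwards).
    """
    conn = make_db()
    ok = fetch_page(conn, "10")
    try:
        fetch_page(conn, "10; DROP TABLE some_table; --")
        rejected = False
    except ValueError:
        rejected = True
    still_there = conn.execute("SELECT COUNT(*) FROM some_table").fetchone()[0]
    return ok, rejected, still_there


if __name__ == "__main__":
    rows, rejected, count = demo()
    print(rows[0], rows[-1])   # (11, 'row11') (20, 'row20')
    print("hostile input rejected:", rejected, "| rows remaining:", count)
```

The validator is the part that matters for a LIMIT clause: MySQL accepts a bound parameter there with true server-side prepared statements, but client layers that emulate prepares by quoting values produce a syntax error on `LIMIT '10', '10'`, which is a common reason people fall back to string concatenation. Validating to an integer first keeps the query safe either way.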

