MySQL injection in the LIMIT clause

[scraze]

Hi fellow HTS'ers!

The other day it occurred to me that if you have an SQL statement like this:

Code: Select all

SELECT * from some_table ORDER BY 1 LIMIT $var,10


that essentially you won't have to protect the $var input, at all.. I tried some different things on my server: a UNION won't work because there's already an ORDER clause, and .. well.. there's really nothing else you could do.

Do you agree ?

[thedotmaster]

It is good practice to cleanse all input you are given. It only takes one mistake with a "I won't need to cleanse the input here" and you've got yourself a nice gaping hole.

[hngrfghtr]

SELECT * from some_table ORDER BY 1 LIMIT $var,10

What if $var is "10; DROP TABLE some_table; --" ? The complete statement would look like
SELECT * from some_table ORDER BY 1 LIMIT 10; DROP TABLE some_table; --,10

Depending on the privilege config and whether stack queries are allowed, some_table might be gone.

The bottom line is we don't want to guess what $var could be. We know what is should be. So make sure it is a positive integer before passing it to SQL.