Thread

  1. disable multiple queries

    Poul L. Christiansen <plc@faroenet.fo> — 2000-08-02T12:28:05Z

    Hi
    
    I'm developing an Cold Fusion (similar to PHP) application and I have a
    security problem. When I load a page "test.cfm?articleid=5" someone can
    alter the URL to
    "test.cfm?articleid=5;create%20table%20plc%20(plc%20int2)" if the hacker
    wanted to create a table.
    The sql passed to PostgreSQL is: "select * from article where articleid
    = #Url.ArticleId#"
    Which means that anybody can pass the sql that they like to PostgreSQL
    by using ";" to separate the queries. This is not good.
    
    I could off course verify the input and reject it if it wasn't a number,
    but I have almost 2000 different queries with all sorts of input (yes,
    it's a big app.).
    
    Can't I somehow disable multiple queries pr. SQL string so that ;
    doesn't work?
    
    I don't know if this affects PHP apps.
    
    I'm using PostgeSQL 7.0.0 installed on Redhat 6.1 with RPM and the ODBC
    driver from Insight Distribution Systems 6.40.00.08 on windows NT 4.0.
    
    Thanks,
    Poul L. Christiansen
    
    
    
  2. Re: disable multiple queries

    brianb-pggeneral@edsamail.com — 2000-08-02T14:27:13Z

    Poul L. Christiansen writes:
    
    > I could off course verify the input and reject it if it wasn't a number,
    > but I have almost 2000 different queries with all sorts of input (yes,
    > it's a big app.).
    > 
    > Can't I somehow disable multiple queries pr. SQL string so that ;
    > doesn't work?
    > 
    > I don't know if this affects PHP apps.
    
    It's not Coldfusion specific. It affects all web applications, regardless
    of development platform that blindly plug form data into SQL queries
    without checking it.
    
    Brian
    --
    Brian Baquiran <brianb@edsamail.com>
    http://www.baquiran.com/  AIM: bbaquiran 
    Work: +63(2)7182222       Home: +63(2) 9227123
    
    I'm smarter than average. Therefore, average, to me, seems kind of stupid. 
    People weren't purposely being stupid. It just came naturally.
                                  -- Bruce "Tog" Toganazzini
    
    
  3. Re: disable multiple queries

    Tom Lane <tgl@sss.pgh.pa.us> — 2000-08-02T20:25:47Z

    "Poul L. Christiansen" <plc@faroenet.fo> writes:
    > I'm developing an Cold Fusion (similar to PHP) application and I have a
    > security problem. When I load a page "test.cfm?articleid=5" someone can
    > alter the URL to
    > "test.cfm?articleid=5;create%20table%20plc%20(plc%20int2)" if the hacker
    > wanted to create a table.
    > The sql passed to PostgreSQL is: "select * from article where articleid
    > = #Url.ArticleId#"
    > Which means that anybody can pass the sql that they like to PostgreSQL
    > by using ";" to separate the queries. This is not good.
    
    > I could off course verify the input and reject it if it wasn't a number,
    > but I have almost 2000 different queries with all sorts of input (yes,
    > it's a big app.).
    
    > Can't I somehow disable multiple queries pr. SQL string so that ;
    > doesn't work?
    
    No, and if you could it'd still be a pretty incomplete solution.
    Consider for example
    	select * from article where articleid = 123
    		UNION select-everything-from-some-other-table.
    Not to mention possible risks from invoking functions, changing SELECT
    to SELECT FOR UPDATE to cause denial-of-service problems, etc.
    
    I'd suggest validating your input if you are worried about attacks
    of this nature.  It's the only real defense.
    
    			regards, tom lane