Limit on number of queries from CGI or PHP (security)

* Rikul Patel <rikul7@yahoo.com> [001017 01:07] wrote:

Hi,

Is there any way I can restrict number of queries to
only one? Here's the problem:

If PHP script gets some data as input from user, and
PHP scripts tries to put this data into Postgresql,
what's keeping the user to modify the data in way to
have postgresql execute two queries.

So instead of some PHP script generating query like
"select * from table where text='some text' or id=1",
some malicious user could make it generate "select *
from table where text='some text' or id=1;delete from
table"

see php's addslashes() function.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."

So instead of some PHP script generating query like
"select * from table where text='some text' or id=1",
some malicious user could make it generate "select *
from table where text='some text' or id=1;delete from
table"

You're approaching this from wrong direction. Neither client part, nor
interface should be prohibited to run multiple queries in a single call.
As to your example, first of all, you can't disclose your tables and let
anyone to enter raw SQL statements and sleep tight. UI must be only allowed
to take parameters, and build the queries on its own, or pass the params
for further processing to another level.
Again, if `some malicious user could make [some PHP script]' generate a
dangerous query, the problem is with the script. Read the params, wipe out
all control octets, including URLencoded ones, escape all potentially
dangerous chars, like ' " and ; Enclose query params for non-numeric fields
in ' restrict params' content to known good values whereever possible. All
the job must be done by UI or underlying level. DB i/f must receive
perfectly valid queries.
On the other hand, DB interface can _never_ rely upon the fact that it
will always receive valid params. Additional checks must be performed,
because bypassing restrictions applied on visitor's side is as easy as
telnetting to port 80. Bypassing CGI restrictions is not as easy, but still
very possible.
Last not least. This is not a recipe, let alone a panacea. Always watch
your back and never trust the trust.

G'luck

Ed

--

Well I tried to be meek
And I have tried to be mild
But I spat like a woman
And I sulked like a child
I have lived behind the walls
That have made me alone
Striven for peace
Which I never have known

Dire Straits, Brothers In Arms, The Man's Too Strong (Knopfler)

At 1:00 AM -0700 10/17/00, Rikul Patel wrote:

Hi,

Is there any way I can restrict number of queries to
only one? Here's the problem:

If PHP script gets some data as input from user, and
PHP scripts tries to put this data into Postgresql,
what's keeping the user to modify the data in way to
have postgresql execute two queries.

So instead of some PHP script generating query like
"select * from table where text='some text' or id=1",
some malicious user could make it generate "select *
from table where text='some text' or id=1;delete from
table"

I don't know if this is possible - but what I do is generally give
the user as little control of the generation of the query as
possible. I generally generate sql statements in a way that make it
difficult (I think) to construct a malicious query.

You also could parse the generated sql before executing it, watching
out for such words as 'delete' or 'update' if that is never going to
be the intention of the query in that instance.

Michelle
--
---------------------------
Michelle Murrain, President
Norwottuck Technology Resources
mpm@norwottuck.com

For the most part, everyone's answers are accurate. The interface and
database you design needs to be tighter to prevent that.

One topic that no one mentioned is database security. For the user that the
php script runs under, start by restricting it acces to what it doesn't
need. If they are only allowed querying information, don't let them update,
delete, etc.

Second, check the query string for suspicious characters. ie more semi
colons than needed.

When letting people enter actual SQL queries, you have to treat it like they
are sitting at the server's console.

The best option is to have a form that they fill in and the script
constructs the query on its own... (as well as the user security enabled).

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
----- Original Message -----
From: "Rikul Patel" <rikul7@yahoo.com>
To: <pgsql-general@postgresql.org>
Sent: Tuesday, October 17, 2000 4:00 AM
Subject: [GENERAL] Limit on number of queries from CGI or PHP (security)

I noticed a lot of people gave some good advice, but one thing they forgot
to mention is the AddSlashes command of php. It basically does all the
necessary special-character escaping for you, so the worst thing someone
can do by enterring bad data in your forms is bring up a page with bad
results. It works like this:

$pgResults=pgExec($dbCon, "SELECT field1, field2 FROM table WHERE field1 =
'" . AddSlashes($FormVar) . "'");

It's also a VERY good idea to do some basic sanity checking on all your
form data before even starting to build a query string. Ie, if you are
expecting $PageNumber to be an integer, then do a

if (!ereg("[![:digit:]]", $PageNumber)) { print "Bad form data!"; exit; }

At the top of your script. It's annoying to have to validate ALL your
variables (especially when you get into forms that have 15-20 fields) but
it's necessary if you don't want some script kiddy to come along and screw
up your site.

At 05:00 AM 10/17/00, Rikul Patel wrote: