[Care2x-general] Fw: AW: [Care2002-developers] about patients and personnel in the same table

Walter Nunez admin at ciberneticamedica.com
Fri Nov 12 16:32:00 CET 2004


Hi Daniel,

MySQL 'SQL injection' attack attempt:
SQL query: "SELECT * FROM uers WHERE user='".$user."' AND
password='".$passwd."'"
instead of
SQL query: "SELECT * FROM uers WHERE user="$user" AND password="$passwd""

The password aa" or 1=1" will produce the following (PHP) SQL query:
"SELECT * FROM uers WHERE user='test' AND password='aa\" or 1=1\"'"
instead of
"SELECT * FROM uers WHERE user=test AND password=aa or 1=1"

Effectively no positive result for the bad guy.

When I saw the idea of patient and personnel data in the same table it was
also strange and new for me. But I think it's okay. Why not?

Robert



> Hi!
>
> I saw that also and it seems to me a little bit
> annoying to mix personnel and patients.. but you
> are also right about duplicate data if someone
> from the personnel gets sick..
>
> so, my suggestion is this (for the main developers
> of care2x): is it possible to put an unchecked
> 'check box' in the 'search person' form, so that
> you may 'include', *if you want* the personnel
> data (as an exception), in the search query?..
>
> or maybe better, 2 radio buttons:
>   - only personnel, only patients
> this way you will not have to look for all the
> patients (including the filter) either when looking
> for personnel..
>
> it is not difficult for the developer who has done
> that form, but it would be a great feature for the
> user. there is only one check box with a text, then
> a filter in the SQL query..
>
> PS. I realized that you may use the '%' SQL operator
> in a query.. I don't know if this is a 'feature' or
> a 'bug'. It may be a security breach. Are you aware
> of the 'SQL injection' attacks? It seems that there is
> no expression checking on the 'person search' input
> text.. (but I recognize I didn't have the time to
> check the code, so sorry if this isn't true; I just
> had it in my mind for a while and wanted to warn you)
>
> PPS. Example of a MySQL 'SQL injection' attack (I hope
> I remember it correctly, but if not, you will grasp
> the idea):
>
> <FORM>... etc
> user: test
> password: aa" and ""="""
>                    ^^^^^^^ - this disables your original
> query if you don't check the user input (which should
> always be done, with a regular expression and other
> mechanisms, like the native PHP functions related
> to slashes and command parsing (see the docs for exec(), etc.))
>
> SQL query: SELECT * FROM uers WHERE user="$user" AND
> password="$passwd"
>
>
> Regards,
>
> --
> Daniel Ignat
> PHP Programmer and SysAdmin
>
>
> Elpidio Latorilla wrote:
> > Hello Walter,
> >
> > I just suggested that possibility based on my understanding of your idea to
> > separate the personal data of the hospital's personnel from the patient data.
> > Since the personal data are the same, you can use the same structure. Of
> > course this means that once a hospital's employee gets sick and himself
> > becomes that hospital's patient, you might need to re-enter his personal data
> > as a patient. This means double work and redundancy of data.
> >
> > I personally wanted to avoid this redundancy; that's why there is currently only
> > one person data table and it also contains the data of the hospital's
> > personnel.
> >
> > But I understood from your last posting that you might need a true
> > separation, so I suggested the previous solution. Please correct me if I am wrong.
> >
> > Elpidio
> >
> > On Wednesday 10 November 2004 16:33, Walter Nunez wrote:
> >
> >>Thank you Elpidio.
> >>But, in this table, personnel and patients...
> >>Why do they share the same table in the original design?
-- 
Walter Alfonso Núnez Rivera
Physician - Programmer
Pascual de Andagoya 140 Lima 32 Perú
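Editor's worked example for the two points raised in this thread (the login query built by string concatenation, and the '%' wildcard passing straight into the person search). This is added code, not code from the thread or from Care2x. It uses Python with an in-memory SQLite database instead of PHP/MySQL so that it runs stand-alone; the table layout, the sample rows and the names login_unsafe, login_safe, escape_like and search_persons are all constructed for the example. SQLite does not treat backslash as a string escape, so the addslashes-style escaping Walter describes is not reproduced here; the example instead shows that the single-quoted form is bypassed by a single-quote payload when nothing escapes the input, and that bound parameters stop both payloads. The backslash ESCAPE character in the LIKE search is an arbitrary choice.

```python
import sqlite3

# Constructed sample data, not from Care2x: a login table (plaintext passwords
# only to mirror the thread's query; real code stores hashes) and a single
# person table holding both patients and personnel, as the thread describes.
USERS = [("test", "secret"), ("admin", "hunter2")]
PERSONS = [("Nunez", "patient"), ("100% Smith", "patient"), ("Ignat", "personnel")]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.execute("CREATE TABLE person (name TEXT, kind TEXT)")
    conn.executemany("INSERT INTO person VALUES (?, ?)", PERSONS)
    return conn


def login_unsafe(conn, user, passwd):
    """The thread's single-quoted form, built by concatenation with NO escaping.
    Returns the matched user names (hypothetical helper, deliberately vulnerable)."""
    sql = "SELECT user FROM users WHERE user='" + user + "' AND password='" + passwd + "'"
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, user, passwd):
    """Same query with bound parameters: the driver sends the values separately,
    so quotes inside the input never reach the SQL parser."""
    sql = "SELECT user FROM users WHERE user=? AND password=?"
    return [row[0] for row in conn.execute(sql, (user, passwd))]


def escape_like(term):
    """Escape LIKE metacharacters so '%' and '_' typed by the user match
    themselves. Backslash is used as the ESCAPE character (arbitrary choice)."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_persons(conn, term, include_personnel=False, escape_wildcards=True):
    """Person search with the 'include personnel' checkbox from the thread as a
    boolean argument. escape_wildcards=False reproduces the '%' pass-through."""
    pattern = "%" + (escape_like(term) if escape_wildcards else term) + "%"
    sql = "SELECT name FROM person WHERE name LIKE ? ESCAPE '\\'"
    params = [pattern]
    if not include_personnel:
        sql += " AND kind = ?"
        params.append("patient")
    return [row[0] for row in conn.execute(sql, params)]


def demo():
    """Run the constructed payloads against both query styles and return the results."""
    conn = make_db()
    results = {}
    # Walter's payload against the single-quoted query: the double quote is just
    # data inside a '...' literal, so no row comes back.
    results["walter_payload_unsafe"] = login_unsafe(conn, "test", 'aa" or 1=1"')
    # A payload written for the single-quoted form does break out and returns
    # every user, so the quote style alone is not a defence.
    results["single_quote_payload_unsafe"] = login_unsafe(conn, "test", "' OR '1'='1")
    # With bound parameters the same payload is compared as a literal password.
    results["single_quote_payload_safe"] = login_safe(conn, "test", "' OR '1'='1")
    results["good_password_safe"] = login_safe(conn, "test", "secret")
    # Daniel's '%' observation: unescaped it matches every patient ...
    results["search_percent_raw"] = search_persons(conn, "%", escape_wildcards=False)
    # ... escaped it only matches names that actually contain a percent sign.
    results["search_percent_escaped"] = search_persons(conn, "%")
    # The checkbox variant widens the search to personnel rows as well.
    results["search_with_personnel"] = search_persons(
        conn, "%", include_personnel=True, escape_wildcards=False)
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The point to take from the example is that bound parameters, not the choice between single and double quotes, keep the quote characters out of the SQL parser, and that a search term must be passed through escape_like (or an equivalent) before it is wrapped in '%...%', otherwise a bare '%' lists the whole table.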





More information about the Care2x-general mailing list