[Care2x-general] Fw: Re: AW: [Care2002-developers] about patients and personnel in the same table

Walter Nunez admin at ciberneticamedica.com
Mon Nov 15 15:12:19 CET 2004


Yes, you are right, that was just an example
so that people may realize the danger.

Look in 'google' about sql inject and you will
realize that the things can get more complex,
and not only in queries about 'users' and
'passwords', but about patient names or
clinical history, for example, by people who
should not have access to that.. the 'injection'
may occur in a 'multi table' query for example,
with the password 'well' protected as you stated
here.. but with another unprotected field which
takes another user input and appends to the main
'protected' query.. People may even save
locally the html pages, modify them to avoid the
javascript checking code and use them to query
your database.. if the server script doesn't check
thoroughly the user input.. that's why I said about
php native functions (like addslashes, as Elpidio said)
or regexp functions (more restrictive so, more secure)

-
Daniel Ignat
PHP Programmer and SysAdmin


Robert Meggle wrote:
> Hi Daniel,
> 
> mysql 'sql inject' attack try :
> SQL query: SELECT * FROM uers WHERE user='".$user."' AND
> password='".$passwd."'"
> instead of
> SQL query: SELECT * FROM uers WHERE user="$user" AND password="$passwd"
> 
> The password: aa" or 1=1" will produce following (php) SQL-query:
> "SELECT * FROM uers WHERE user='test" AND password='aa\" or 1=1\"'
> instead of
> "SELECT * FROM uers WHERE user=test AND password=aa or 1=1"
> 
> Effective no positive result for the bad guy.
> 
> When I saw the idea of patients and personnel data in the same table it was
> also strange and new for me. But I think it's okay. Why not?
> 


-- 
Walter Alfonso Núnez Rivera
Physician - Programmer
Pascual de Andagoya 140 Lima 32 Perú
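The following is an added example, not code from this thread or from the Care2x project, that puts the two sides of the discussion above next to each other: the quoted login query built by string concatenation (which the `aa' or 1=1` style input defeats), the same query with placeholders, a server-side allow-list check of the kind the "regexp functions" remark refers to, and a patient-name search showing that a field other than the password needs the same treatment. It is written in Python with the standard-library `sqlite3` driver rather than PHP/MySQL so it runs stand-alone; the table names, columns and rows are constructed for the demo and are not Care2x's schema. In PHP the placeholder form corresponds to prepared statements (`mysqli` or PDO `prepare`/`execute`).

```python
import re
import sqlite3

# Constructed in-memory schema for the demo (not Care2x's real tables):
# a login table and a patient table, as discussed in the thread.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, password TEXT);
CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, history TEXT);
INSERT INTO users VALUES (1, 'test', 'correct-password');
INSERT INTO patients VALUES (1, 'Sample Patient', 'constructed sample history');
"""


def build_db():
    """Return a fresh in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_concatenated(conn, user, passwd):
    """The pattern quoted in the thread: user input pasted straight into the SQL text.
    A password such as  x' or '1'='1  turns the WHERE clause into a tautology, so
    the query returns a row even though no password matched.
    (Plaintext password comparison is kept only to mirror the quoted query.)"""
    sql = ("SELECT id FROM users WHERE user='" + user
           + "' AND password='" + passwd + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, user, passwd):
    """Hardened form: placeholders. The driver passes the values separately from
    the SQL text, so quote characters in the input never become SQL syntax."""
    sql = "SELECT id FROM users WHERE user=? AND password=?"
    return [row[0] for row in conn.execute(sql, (user, passwd))]


# Allow-list for usernames: letters, digits, dot, underscore, dash; 1 to 32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def validate_username(user):
    """Server-side allow-list check (the 'regexp functions' approach from the thread).
    Client-side JavaScript checks can be stripped from a saved copy of the page,
    so this check runs on the server regardless of what the browser did."""
    return bool(USERNAME_RE.match(user))


def search_patients_parameterized(conn, name_fragment):
    """A second user-supplied field, as in the thread's 'multi table' scenario:
    the search text also goes through a placeholder, and LIKE wildcards are
    escaped so the caller controls only the literal text being searched for."""
    escaped = (name_fragment.replace("\\", "\\\\")
               .replace("%", "\\%")
               .replace("_", "\\_"))
    sql = "SELECT name FROM patients WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]


if __name__ == "__main__":
    db = build_db()
    bad_password = "x' or '1'='1"
    print("concatenated:", login_concatenated(db, "test", bad_password))   # a row
    print("parameterized:", login_parameterized(db, "test", bad_password)) # no row
    print("username ok:", validate_username(bad_password))                # False
    print("search:", search_patients_parameterized(db, "Sample"))
```

Note that `sqlite3` does not treat a backslash as a string escape the way MySQL does, which is one reason an `addslashes`-style approach is fragile across databases and character sets; placeholders avoid the question entirely because no escaping of the SQL text is involved.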