Isaac Gonzalez wrote:
at what level can this be exploited?
From the wiki interface?
Or from MySQL?
What if there is a firewall in front of MySQL?
For some general background on SQL injection attacks please see:
http://en.wikipedia.org/wiki/SQL_injection
Always, *always* escape your input strings when manually constructing SQL
statements. This should have been impressed upon you when you first started
learning about SQL, but it's easy to pick up bad habits with the large amount of
sloppy example code out there.
If using PHP and MySQL directly, use the mysql_real_escape_string() function.
For documentation please see:
http://www.php.net/mysql_real_escape_string
The code that was given above takes the data from a particular user record's
user_options field and pastes it directly into an SQL statement. The existence
of "'" or "\" characters in that field could be abused to completely change the
meaning of the resulting SQL statement when someone next runs that script, by
closing the string literal and setting the value of other fields on every user
record.
If the account being read from is secure, and nobody ever makes a mistake, you
might never have a problem. Or you might just get SQL errors when you have a "'"
in there by mistake. But it does increase your chance of problems to have this
insecure system, and if you have that you likely have other insecure code
written similarly.
-- brion vibber (brion @ pobox.com)
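As an added illustration of the pattern Brion describes (not code from the thread or from MediaWiki), the following Python uses an in-memory SQLite table named `user` with a `user_options` column, standing in for the MySQL table, and contrasts a script that pastes one record's `user_options` into an UPDATE statement with one that passes it as a bound parameter. The schema, the row data and the value `sig=O'Brien` are constructed for the example.

```python
import sqlite3

# Constructed stand-in for a wiki user table; not the real schema.
SCHEMA = """
CREATE TABLE user (
    user_id      INTEGER PRIMARY KEY,
    user_name    TEXT NOT NULL,
    user_options TEXT NOT NULL DEFAULT ''
);
"""

def setup():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO user (user_id, user_name, user_options) VALUES (?, ?, ?)",
        [(1, "Alice", "skin=monobook"), (2, "Bob", "skin=classic"), (3, "Carol", "")])
    conn.commit()
    return conn

def copy_options_unsafe(conn, src_id, dst_id):
    """The pattern the thread warns about: the stored value is spliced into SQL text."""
    opts = conn.execute("SELECT user_options FROM user WHERE user_id=%d" % src_id).fetchone()[0]
    sql = "UPDATE user SET user_options='%s' WHERE user_id=%d" % (opts, dst_id)
    conn.execute(sql)   # any ' or \ in opts changes the statement's meaning
    conn.commit()

def copy_options_safe(conn, src_id, dst_id):
    """Same task with bound parameters: the driver quotes the value, so it stays data."""
    opts = conn.execute("SELECT user_options FROM user WHERE user_id=?", (src_id,)).fetchone()[0]
    conn.execute("UPDATE user SET user_options=? WHERE user_id=?", (opts, dst_id))
    conn.commit()

def demo():
    conn = setup()
    # A perfectly legitimate preference value that happens to contain an apostrophe.
    conn.execute("UPDATE user SET user_options=? WHERE user_id=1", ("sig=O'Brien",))
    conn.commit()
    try:
        copy_options_unsafe(conn, 1, 2)
        unsafe = "ran"
    except sqlite3.OperationalError as e:   # the "SQL errors by mistake" case
        unsafe = "error: " + str(e)
    copy_options_safe(conn, 1, 3)
    rows = {r[0]: r[1] for r in conn.execute("SELECT user_id, user_options FROM user")}
    return {"unsafe": unsafe, "bob": rows[2], "carol": rows[3]}
```

Under MySQL the unquoted path would also be the one where a crafted value can rewrite the statement; the bound-parameter version makes that impossible regardless of content.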