OSCommerce Product Manager for Windows
FS#261 - Over filtering of user input.
Attached to Project:
OSCommerce Product Manager
Opened by Mario A. Valdez-Ramirez (mvaldez) - Thursday, 01 September 2005, 09:41 GMT
Last edited by Mario A. Valdez-Ramirez (mvaldez) - Monday, 05 September 2005, 07:09 GMT
Details
User input is being overfiltered.
One user reported that double-quotes were being replaced by single-quotes, causing the HTML of his store to break. Even if the problem is in the HTML coding of his store, the application should not blindly replace all user input. Brute-force filtering to avoid SQL injection is not a good idea. Also, the filtering routines in the application code do not filter the SQL comment sign (double-dash). We should only do what mysql_real_escape_string does. This is a Major severity bug.
Closed by Mario A. Valdez-Ramirez (mvaldez)
Monday, 05 September 2005, 07:09 GMT
Reason for closing:
According to the docs here:
http://dev.mysql.com/doc/mysql/en/mysql-real-escape-string.html
we only need to escape backslash and single quotes.
Maybe the double dash also should be filtered.
Ok, we are filtering:
Double-dash (SQL comment), converted to single-dash.
Backslash (escaping), converted to double-backslash.
Single-quote, converted to escaped single-quote.
Carriage-return, converted to escape-r.
Linefeed, converted to escape-n.
EOF, deleted.
Backspace, deleted.
Tab, converted to single-space.
If we are searching, we also escape:
Percent (SQL wildcard), escaped.
Underline, escaped.
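Added illustration (not code from the OSCommerce Product Manager project): a Python sketch of the rule list above next to the character set mysql_real_escape_string handles, to show which rules are reversible escapes and which ones (double-dash, EOF, backspace, tab) silently change the stored value. The function names and the ASCII-only assumption are mine.

```python
# Characters mysql_real_escape_string escapes (per the MySQL manual): NUL, newline,
# carriage return, backslash, single quote, double quote and Ctrl-Z.
# Assumption: single-byte ASCII input; the real function is charset-aware.
MYSQL_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}
REVERSE = {v: k for k, v in MYSQL_ESCAPES.items()}

def mysql_real_escape(s: str) -> str:
    """Reversible escaping equivalent to mysql_real_escape_string (ASCII input)."""
    return "".join(MYSQL_ESCAPES.get(ch, ch) for ch in s)

def mysql_unescape(s: str) -> str:
    """Undo mysql_real_escape the way the MySQL string-literal parser would."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and s[i:i + 2] in REVERSE:
            out.append(REVERSE[s[i:i + 2]]); i += 2
        else:
            out.append(s[i]); i += 1
    return "".join(out)

def product_manager_filter(s: str, searching: bool = False) -> str:
    """The rule list from the closing comment, applied in order (constructed)."""
    s = s.replace("\\", "\\\\")     # backslash -> double backslash (must run first)
    s = s.replace("--", "-")        # double-dash -> single-dash: lossy, data is changed
    s = s.replace("'", "\\'")       # single quote -> escaped single quote
    s = s.replace("\r", "\\r")      # carriage return -> \r
    s = s.replace("\n", "\\n")      # linefeed -> \n
    s = s.replace("\x1a", "")       # EOF (Ctrl-Z) deleted; MySQL would escape it as \Z
    s = s.replace("\b", "")         # backspace deleted
    s = s.replace("\t", " ")        # tab -> single space: lossy
    if searching:                   # LIKE wildcards, only for search terms
        s = s.replace("%", "\\%").replace("_", "\\_")
    return s

def altered_by_filter(s: str) -> bool:
    """True when the filter changes the value the database would store,
    i.e. the result differs from a plain reversible escape of the input."""
    return product_manager_filter(s) != mysql_real_escape(s)

if __name__ == "__main__":
    for sample in ["O'Reilly", "part 10--20", 'say "hi"', "a\tb"]:
        print(repr(sample), "->", repr(product_manager_filter(sample)),
              "altered" if altered_by_filter(sample) else "ok")
```

Once the quote and backslash are escaped, a double-dash inside a quoted literal is ordinary text, so the dash rewrite buys no extra protection and only corrupts product data such as "10--20".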