Example 15-7. Listing out articles ... and some passwords (any database server)
<?php
// $size arrives straight from the request and is pasted into the SQL text
$query  = "SELECT id, name, inserted, size FROM products
           WHERE size = '$size'";
$result = odbc_exec($conn, $query);
?>
The static part of the query can be combined with another
SELECT statement which reveals all passwords:
'
union select '1', concat(uname||'-'||passwd) as name, '1971-01-01',
'0' from usertable;
--
If this query (playing with the ' and --) were assigned
to one of the variables used in $query, the query beast
would be awakened.
SQL UPDATEs are also susceptible to attack. These queries
are also threatened by chopping them and appending an entirely
new query, but the attacker might instead fiddle with the
SET clause. In this case some schema information must be
possessed to manipulate the query successfully. This can
be acquired by examining the form variable names, or simply
by brute forcing: there are not so many naming conventions
for fields storing passwords or usernames.

Example 15-8. From resetting a password ... to gaining more privileges (any database server)
<?php
// both $pwd and $uid come from the form unvalidated and unquoted
$query = "UPDATE usertable SET pwd='$pwd' WHERE uid='$uid';";
?>
But a malicious user submits the value ' or uid like'%admin%';
-- to $uid to change the admin's password, or simply sets
$pwd to "hehehe', admin='yes', trusted=100 " (with
a trailing space) to gain more privileges. Then, the query
will be twisted:
<?php
// $uid == ' or uid like'%admin%'; --
$query = "UPDATE usertable SET pwd='...' WHERE uid=''
or uid like '%admin%'; --";
// $pwd == "hehehe', admin='yes', trusted=100 "
$query = "UPDATE usertable SET pwd='hehehe', admin='yes',
trusted=100 WHERE
...;";
?>
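The hardened counterpart of Examples 15-7 and 15-8, as an added example that is not part of the PHP manual's text: both queries are rewritten with PDO prepared statements so that $size, $pwd and $uid travel to the server as bound values rather than as fragments of SQL. The example runs against an in-memory SQLite database (it assumes the pdo_sqlite extension is loaded); the table and column names are taken from the manual's examples, while the rows and the "admin"/"trusted" column types are constructed for the demonstration. The manual's own payloads are fed to the hardened functions to show that they are now treated as ordinary data.

```php
<?php
// Added example, not from the PHP manual: Examples 15-7 and 15-8 with
// prepared statements. Assumes pdo_sqlite; sample rows are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Schema and rows are made up to match the manual's column names.
$pdo->exec("CREATE TABLE products (id INTEGER, name TEXT, inserted TEXT, size TEXT)");
$pdo->exec("CREATE TABLE usertable (uid TEXT, pwd TEXT, admin TEXT, trusted INTEGER)");
$pdo->exec("INSERT INTO products VALUES (1, 'widget', '2020-01-01', 'large')");
$pdo->exec("INSERT INTO usertable VALUES ('admin', 'secret', 'yes', 100)");
$pdo->exec("INSERT INTO usertable VALUES ('bob', 'hunter2', 'no', 1)");

// Example 15-7, hardened: $size is bound as a value, never spliced into SQL.
function listProducts(PDO $pdo, string $size): array
{
    $stmt = $pdo->prepare("SELECT id, name, inserted, size FROM products WHERE size = ?");
    $stmt->execute([$size]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Example 15-8, hardened: $pwd and $uid are both bound. Returns rows changed.
function resetPassword(PDO $pdo, string $uid, string $pwd): int
{
    $stmt = $pdo->prepare("UPDATE usertable SET pwd = ? WHERE uid = ?");
    $stmt->execute([$pwd, $uid]);
    return $stmt->rowCount();
}

// The manual's payloads, now plain strings with no SQL meaning.
$unionPayload = "' union select '1', concat(uname||'-'||passwd) as name, '1971-01-01', '0' from usertable; --";
$uidPayload   = "' or uid like'%admin%'; --";
$pwdPayload   = "hehehe', admin='yes', trusted=100 ";

var_dump(count(listProducts($pdo, 'large')));       // the real row: 1
var_dump(count(listProducts($pdo, $unionPayload))); // no product has that size: 0
var_dump(resetPassword($pdo, $uidPayload, 'x'));    // no uid equals the payload: 0
var_dump(resetPassword($pdo, 'bob', $pwdPayload));  // bob's password is now that odd string: 1

// The admin row is untouched: password, flag and trust level unchanged.
$admin = $pdo->query("SELECT pwd, admin, trusted FROM usertable WHERE uid = 'admin'")
             ->fetch(PDO::FETCH_ASSOC);
print_r($admin);
```

The quote and comment characters in the payloads never reach the SQL parser as syntax, so neither the UNION nor the extra SET assignments take effect; the worst outcome is a harmless lookup of a non-existent size or a user who chose a strange password. With pdo_mysql, also set PDO::ATTR_EMULATE_PREPARES to false so that binding happens server-side rather than by client-side quoting.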
A frightening example of how operating system level commands
can be accessed on some database hosts.


