[TYPO3-dev] Improvement against SQL injections (extension created)

ries van Twisk typo3 at rvt.dds.nl
Sun Jun 17 16:14:49 CEST 2007


On Jun 17, 2007, at 8:40 AM, Ingo Renner wrote:

> ries van Twisk wrote:
>
> Hi Ries,
>
>> So right after the DB connection is created the SQL injection
>> detection system is executed.
>> Currently it will try to find typical SQL injections
>> (inserts/updates/deletes)
>
> how about SELECTs? Rupi once showed how to get BE access without
> needing an insert or update IIRC...
>
> So basically there shouldn't be any SQL in GET/POST
>
>
> Ingo

hey Ingo,

if this was done using a union then I can catch that,
otherwise I can add a select to the match rules as well,
it's not a complete list and any suggestions are more than welcome.

Of course I need as many suggestions from the list as possible.

These are the current match rules:

		$this -> matchArray = array (
			array('match' => '/;(\ *)insert(\ +)into(\ +)/'),                // INSERT attack
			array('match' => '/;(\ *)update(\ +).+(\ +)set(\ +)/'),          // UPDATE attack
			array('match' => '/;(\ *)delete(\ +)from(\ +).+/'),              // DELETE attack
			array('match' => '/\ +union\ +(all\ +|)select/'),               // union attack
			array('match' => '/(drop|create)(\ +)(database|table|user|aggregate|cast|constraint\ +trigger|conversion|domain|function|group|index|language|operator|operator\ +class|rule|schema|sequence|table|table\ +as|tablespace|trigger|type|view)\ /'),    // drop/create attacks
			array('match' => "/'(\ +)OR(\ +)''='|'(\ +)\|\|(\ +)''='/"),    // OR attack
		);

I just implemented an exception list option. So you can specify which
fields from GET/POST/COOKIE can be removed from evaluation. This is useful
for forums where textareas can contain SQL, which is then going to be
correctly handled by the extension.

Ries
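As an added illustration (my own stand-alone code, not the extension's), here is a PHP function that applies the match rules from the message to the request fields, skips the fields on the exception list, and reports which rule fired on which field. The function name, the 'name' keys, the /i flag and the sample request are assumptions; the drop/create keyword list is shortened.

```php
<?php
// Added example, not the extension's code. Rules are taken from the message;
// the /i flag is my addition so that upper-case keywords are matched too.
$matchArray = array(
    array('match' => '/;(\ *)insert(\ +)into(\ +)/i',       'name' => 'INSERT attack'),
    array('match' => '/;(\ *)update(\ +).+(\ +)set(\ +)/i', 'name' => 'UPDATE attack'),
    array('match' => '/;(\ *)delete(\ +)from(\ +).+/i',     'name' => 'DELETE attack'),
    array('match' => '/\ +union\ +(all\ +|)select/i',      'name' => 'union attack'),
    // keyword list shortened here; the message carries the full set
    array('match' => '/(drop|create)(\ +)(database|table|user|view|index|trigger)\ /i',
          'name' => 'drop/create attack'),
    array('match' => "/'(\ +)OR(\ +)''='|'(\ +)\|\|(\ +)''='/i", 'name' => 'OR attack'),
);

/**
 * Scan request fields (e.g. array_merge($_GET, $_POST, $_COOKIE)) against
 * the rules. Field names in $exceptions (forum textareas etc.) are skipped.
 * Returns one array('field' => ..., 'rule' => ...) entry per hit.
 */
function scanRequestFields(array $fields, array $rules, array $exceptions = array())
{
    $hits = array();
    foreach ($fields as $field => $value) {
        if (in_array($field, $exceptions, true)) {
            continue; // excepted field: its content is handled by the extension itself
        }
        // foo[bar]=... arrives as a nested array; check every leaf value
        $values = is_array($value) ? $value : array($value);
        foreach ($values as $leaf) {
            foreach ($rules as $rule) {
                if (preg_match($rule['match'], (string)$leaf)) {
                    $hits[] = array('field' => $field, 'rule' => $rule['name']);
                    break; // one report per value is enough
                }
            }
        }
    }
    return $hits;
}

// Constructed sample request: a normal search, a forum post that is allowed
// to contain SQL, and a parameter carrying a union probe.
$request = array(
    'search'     => 'typo3 extension',
    'forum_body' => 'never run "; delete from tt_content" on a live site',
    'uid'        => '1 union all select 1',
);
foreach (scanRequestFields($request, $matchArray, array('forum_body')) as $hit) {
    echo "Suspicious value in field '{$hit['field']}': {$hit['rule']}\n";
}
```

With the exception list in place only the `uid` field is reported; drop `forum_body` from the list and the DELETE rule fires on the post text as well.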