[VIM] On SQL injection and PHP mysql_query...

Heinbockel, Bill heinbockel at mitre.org
Mon Jun 26 17:49:35 EDT 2006


>-----Original Message-----
>From: Steven M. Christey [mailto:coley at linus.mitre.org] 
>Sent: Montag, 26. Juni 2006 16:59
>To: Vulnerability Information Managers
>Cc: Heinbockel, Bill
>Subject: Re: [VIM] On SQL injection and PHP mysql_query...
>
>
>On Mon, 26 Jun 2006, Sullo wrote:
>
>> Won't it allow you to use a union, such as:
>>   'union select ...' when injected into $limit?
>
>My understanding is that the union has to happen before the order by...
>
>Although information in this postgresql post suggests that you 
>might have
>a chance by using parentheses...
>
>  http://archives.postgresql.org/pgsql-sql/2003-09/msg00406.php
>
>although you'd probably need to get in an opening parenthesis 
>somehow, and
>maybe that's postgresql-specific.
>
>and here's a mysql comment on order by within parentheses for unions:
>
>  http://bugs.mysql.com/bug.php?id=11877
>
>- Steve
>

These links refer to performing a union on two independent SQL
statements, i.e., ([SQL Statement 1]) UNION ([SQL Statement 2])

What Sullo was talking about was something like:
[SQL Statement] ORDER BY age UNION ([SQL Statement 2])
which will not work, as it will impose an ordering
restriction on unrelated data.

The only chance for SQL injection would be:
[SQL Statement 1]; [SQL Statement 2]
which happens to be forbidden by the MySQL API.
NOTE: This has not been verified across all
databases and APIs, only on MySQL.


William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615 

