CodeSOD: A Botched Escape

, Software Pundits
This post was originally published on this site

The Daily WTF

Nancy was recently handed a pile of “modern” PHP that weighs in at tens of thousands of lines of code.

This is how every query is executed:

function getFoo($bar) { $bar = my_escape($bar); $sql = ” select * from foo where bar = ‘” . $bar . “‘ “; return do_query($sql); }

Yes, this is a SQL injection vulnerability. No, there is no part of the application which uses parameterized queries. But wait, they call my_escape. That must be safely escaping the input so it can be used as a query param safely, right?

function my_escape($data) { if ( !isset($data)) { return ”; } if ( is_numeric($data) ) { return $data; } if(empty(trim($data))) { return ”; } $non_displayables = array( ‘/%0[0-8bcef]/’, // url encoded 00-08, 11, 12, 14, 15 ‘/%1[0-9a-f]/’, // url encoded 16-31 ‘/[x00-x08]/’, // 00-08 ‘/x0b/’, // 11 ‘/x0c/’, // 12 ‘/[x0e-x1f]/’ // 14-31 ); foreach (

To read the full article click on the 'post' link at the top.

Date

You May Also Like

A Tapestry of Threads

Error'd: Are You Old Enough to Know Better?

Perfect Uptime

Classic WTF: Working Around, Over and Through the Process

CodeSOD: Constantly Magic

CodeSOD: In House Refactoring

More Posts From: Software Pundits

Error'd: No Time Like the Present

CodeSOD: Don't Date Me

CodeSOD: Expressing a Leak

Representative Line: Broken Up With

COGNOS: Fast, Private & On-Demand Answers for Business Operations

CodeSOD: Where is the Validation At?