The Daily WTF
Nancy was recently handed a pile of “modern” PHP that weighs in at tens of thousands of lines of code.
This is how every query is executed:
function getFoo($bar) {
    $bar = my_escape($bar);
    $sql = " select * from foo where bar = '" . $bar . "' ";
    return do_query($sql);
}
Yes, this is a SQL injection vulnerability. No, there is no part of the application which uses parameterized queries. But wait, they call my_escape. That must be safely escaping the input so it can be used safely as a query parameter, right?
function my_escape($data) {
    if ( !isset($data)) {
        return '';
    }
    if ( is_numeric($data) ) {
        return $data;
    }
    if(empty(trim($data))) {
        return '';
    }
    $non_displayables = array(
        '/%0[0-8bcef]/',   // url encoded 00-08, 11, 12, 14, 15
        '/%1[0-9a-f]/',    // url encoded 16-31
        '/[\x00-\x08]/',   // 00-08
        '/\x0b/',          // 11
        '/\x0c/',          // 12
        '/[\x0e-\x1f]/'    // 14-31
    );
    foreach (
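Note what the patterns above target: control bytes and their URL-encoded forms. Nothing in that list touches a single quote, so the concatenated query in getFoo is unprotected. Below is an added example (not code from the article or the codebase it describes) of the same lookup written with a PDO prepared statement, run against an in-memory SQLite table so it is self-contained; it assumes the pdo_sqlite extension is loaded and the table name foo(bar) from the article.

```php
<?php
// Added example: the getFoo lookup with a prepared statement instead of
// string concatenation. Assumes a PDO connection and a table foo(bar TEXT).

function getFooSafe(PDO $pdo, string $bar): array
{
    // The SQL text is fixed before any data is attached. $bar is sent to
    // the driver as a bound value, so quotes, comment markers or anything
    // else inside it are compared as data, never parsed as SQL.
    $stmt = $pdo->prepare('SELECT * FROM foo WHERE bar = :bar');
    $stmt->bindValue(':bar', $bar, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed fixture: an in-memory SQLite database with three sample rows,
// one of which contains the single quote that my_escape would pass through.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE foo (id INTEGER PRIMARY KEY, bar TEXT)');
$ins = $pdo->prepare('INSERT INTO foo (bar) VALUES (:bar)');
foreach (["alpha", "O'Brien", "beta"] as $sample) {
    $ins->execute([':bar' => $sample]);
}

// The quoted value is matched literally: exactly one row, no syntax error,
// which is what the concatenated version in the article cannot guarantee.
$rows = getFooSafe($pdo, "O'Brien");
if (count($rows) === 1 && $rows[0]['bar'] === "O'Brien") {
    echo "bound value with an embedded quote matched one row as plain data\n";
} else {
    echo "unexpected result: " . count($rows) . " rows\n";
}

// A value that matches nothing simply returns an empty set.
$rows = getFooSafe($pdo, "gamma");
echo "rows for a non-existent value: " . count($rows) . "\n";
```

The is_numeric shortcut in my_escape is also worth noting: it returns the input untouched, so the function's only effect on strings is to strip control characters, which is why binding, not escaping, is the fix.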