[VIM] On SQL injection and PHP mysql_query...

Sullo sullo at cirt.net
Mon Jun 26 16:42:07 EDT 2006

Quoting "Heinbockel, Bill" <heinbockel at mitre.org>:

>> From line 175 in torrents.php:
>> $query = "SELECT summary.info_hash as hash, ... FROM summary
>> LEFT JOIN namemap ON summary.info_hash = namemap.info_hash
>> LEFT JOIN categories ON categories.id = namemap.category
>> $where ORDER BY $order $by $limit";
> Therefore, the only opportunity for SQL command execution
> is via multiple SQL statements - multiple statements
> separated via semicolons ";".

Won't it allow you to use a union, such as:
  'union select ...' when injected into $limit?

mysql should be happy with the syntax as long as ' isn't filtered out  
somewhere along the line. Now, I'm not sure if you can make it do  
something useful via the union select...


http://www.cirt.net/      |     http://www.osvdb.org/

More information about the VIM mailing list