appdb security

Chris Morgan cmorgan at alum.wpi.edu
Thu Jun 8 10:25:08 CDT 2006


I'm not sure we need these input checks.

Currently we should be protected by either calling addSlashes() when we call 
compile_insert_string() or by using syntax like:

$sQuery = "Select versionId from appVersion where 
appId='".$_REQUEST['appId']."';";

Whose '' around $_REQUEST should prevent the string from being interpreted as 
anything but a single value passed as the value of appId.

While it might seem like a good idea to add these input checks, there are a LOT 
of input values to the appdb.  It might be more worthwhile to audit out the 
calls to 'query_appdb()' and make sure at the very least those aren't using 
the input values without wrapping them with ''.

Once we know that our current SQL injection protection is solid we should 
probably consider doing this input protection.  It should be done across all 
input variables at once though, and probably with a single function so there 
isn't a lot of isset() and addslashes() calls added to the code.

Chris


On Wednesday 07 June 2006 9:31 pm, EA Durbin wrote:
> In my example I emailed to you I failed to filter $_REQUEST['catId'] before
> I passed it to isset which was wrong.
>
> I have submitted a patch for appbrowse.php, in which the data is correctly
> filtered before passing it to the rest of the script.
>
> it should first be
>
> $clean = array();
>
> $clean['catId'] = makeSafe( $_REQUEST['catId'] );
>
> then it should test it
>
> if( isset( $clean['catId'] ))
> {
>
> }
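
The difference between wrapping a request value in '' and validating and binding it, as an added example that is not part of the original messages or of the appdb code. It assumes PHP with the pdo_sqlite extension; the in-memory table stands in for the appdb database, cleanInt() and the two versions*() functions are hypothetical, and the request arrays are constructed.

```php
<?php
// Added example. Constructed table and data; PDO/SQLite stands in for appdb's DB.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE appVersion (versionId INTEGER, appId INTEGER)");
$db->exec("INSERT INTO appVersion VALUES (1, 10), (2, 10), (3, 20)");

// The pattern from the message: the value is wrapped in '' but not escaped,
// so a ' inside the value ends the literal and the rest is parsed as SQL.
function versionsQuotedOnly(PDO $db, array $request): array
{
    $sQuery = "SELECT versionId FROM appVersion WHERE appId='"
            . $request['appId'] . "';";
    return $db->query($sQuery)->fetchAll(PDO::FETCH_COLUMN);
}

// Hypothetical single entry point for integer inputs (one place instead of
// scattered isset()/addslashes() calls). Returns null if absent or not an int.
function cleanInt(array $request, string $key): ?int
{
    if (!isset($request[$key])) {
        return null;
    }
    $value = filter_var($request[$key], FILTER_VALIDATE_INT);
    return $value === false ? null : $value;
}

// Validated input plus a bound parameter: the value never becomes SQL text.
function versionsBound(PDO $db, array $request): array
{
    $appId = cleanInt($request, 'appId');
    if ($appId === null) {
        return [];
    }
    $stmt = $db->prepare("SELECT versionId FROM appVersion WHERE appId = :appId");
    $stmt->execute([':appId' => $appId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed request arrays: a plain id, and a value containing a quote.
$requests = [['appId' => '10'], ['appId' => "10' OR '1'='1"]];
foreach ($requests as $request) {
    printf("%-16s quoted-only: [%s]  bound: [%s]\n", $request['appId'],
        implode(',', versionsQuotedOnly($db, $request)),
        implode(',', versionsBound($db, $request)));
}
```

For the second request the quoted-only query is no longer restricted to a single appId, while the bound version rejects the value before any query runs.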


