Obviously the easiest way in which MySQL injection is used is through GET variables.

However in some of my more complex pages I use PHP Include as such:

$template = "template-id";
include($_SERVER['DOCUMENT_ROOT']."/mandrill/sender.php");

That is, $template is used in the sender.php file to query a database. Is it a valid concern that a hacker could create a malicious PHP file and include the sender.php file and use the $template variable to inject code?

Should I be protecting against this or is this over engineering for the majority of use cases?


Solution

This is an issue of security settings on your server. If it's setup properly, it shouldn't be possible for a hacker to do anything like that.

The two main vulnerabilities would be:

  1. If register globals is enabled and you haven't filled $template with a value.
  2. If you somehow allow unauthorised users to upload their own PHP scripts to your server (which is the only way someone can include your PHP script).

The first one should never be an issue as register globals should always be disabled. You should also initialise variables rather than leaving them unset.

The second one is more complex, but shouldn't be an issue unless you've deliberately opened up your security settings. You should normally have suitable file permissions set to prevent Apache (or other webserver user/group) from adding/modifying the main site files, and so on.

With that said, if someone can upload their own PHP scripts to your server, then all bets are off. SQL injection becomes irrelevant at that point because they can probably just as easily access the database directly.

Other tips

All dynamically interpolated values must be subject to rigid escaping or binding as parameters. Treat any and all variables as if they contain the plague. Maybe they won't, but it's not going to hurt to make sure your SQL syntax is correct. That's all "SQL injection prevention" does anyway.

It's not possible.

As long as you don't let the user fill $template with any kind of input, nothing can happen.

Even so, make sure you don't expose sender.php directly, either via .htaccess or by checking a constant in each file that you set somewhere in your config.
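Putting together the parameter binding from the tip above, the "initialise your variables" advice in the accepted answer, and the constant check from this answer, as an added example (this is not code from the question or any answer; the IN_APP constant name, the templates table and its columns, and the database credentials are all assumed):

```php
<?php
// Added example, not from the question or the answers. Shows the including
// page and a sender.php that applies the three defences the answers describe.
//
// --- index.php (the including page) ---
// define('IN_APP', true);                  // the "constant set somewhere in your config"
// $template = 'welcome-email';             // always initialised before the include
// include($_SERVER['DOCUMENT_ROOT'] . '/mandrill/sender.php');

// --- mandrill/sender.php ---
// 1. Refuse to run unless included by a page that defined the constant, so a
//    direct request to /mandrill/sender.php does nothing useful.
if (!defined('IN_APP')) {
    http_response_code(403);
    exit('Direct access not permitted.');
}

// 2. Never rely on register_globals or an unset variable: $template must be a
//    string set by the including script, otherwise stop.
if (!isset($template) || !is_string($template)) {
    throw new UnexpectedValueException('$template must be set by the including script.');
}

// 3. Bind the value as a parameter instead of interpolating it into the SQL.
//    DSN, user and password are placeholders (assumed, not from the page).
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// Assumed schema: templates(template_id, subject, body)
$stmt = $pdo->prepare('SELECT subject, body FROM templates WHERE template_id = :id');
$stmt->execute([':id' => $template]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false) {
    throw new RuntimeException('Unknown template: ' . $template);
}
// ... hand $row['subject'] and $row['body'] to the mailer from here ...
```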

Licensed under: CC-BY-SA with attribution