PEAK XOOPS - Big Umbrella Anti-SQL-Injection (4)

XOOPS : Big Umbrella Anti-SQL-Injection (4)
Poster : GIJOE on 2009-01-23 05:47:03 (13576 reads)

The DBLayer Trapping anti-SQL-Injection of Protector-3.30 with XOOPS2 raises a "SQL Injection" alert when updating preferences that include a double quotation mark (").

This false detection is caused by a wrong way of escaping SQL strings.


    // XOOPS2 / XCL2.1: the escaping that causes the false alert
    function quoteString($str)
    {
        // addslashes() escapes ' " \ and NUL, then every \" is turned back into a bare "
        $str = "'".str_replace('\\"', '"', addslashes($str))."'";
        return $str;
    }

Only XOOPS2 and XCL2.1 have such a wrong escaping method.
This method should be corrected like this:

    function quoteString($str)
    {
        // the addslashes()/str_replace() line is dropped; MySQL's own escaping rules are used instead
        // (mysql_real_escape_string() needs an open MySQL connection)
        $str = "'".mysql_real_escape_string($str)."'";
        return $str;
    }

On the other hand, both ImpressCMS and XOOPS-2.3.2 have a correct method.

However, although this is a problem of the XOOPS Cube project itself, there may also be modules or hacks that escape SQL in the same way.

So I have to modify the logic of the "DBLayer Trapping anti-SQL-Injection" as follows.

(A) A request value that includes ' or " is found in the SQL as is (without escaping).
(B) The whole body of the request value stays inside a single string literal of the SQL (it does not break the quotation).

When both (A) AND !(B) hold, Protector stops the program with "SQL Injection found".

This logic reduces some patterns of false detections.
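To make the two quoteString() variants and the revised rule concrete, here is an added example of my own (not Protector's or XOOPS's code). It models addslashes() and mysql_real_escape_string() in Python for a single-byte charset, builds a preferences UPDATE with each quoting variant, and runs rules (A) and (B) over the resulting SQL. The table and column names, the sample values, and the reading of the pre-fix rule as (A) alone are assumptions.

```python
# Model of the two XOOPS quoteString() variants and of the revised Protector rule:
#   (A) a request value containing ' or " appears in the SQL verbatim;
#   (B) the whole value lies inside one string literal of the SQL.
# Protector alerts only when (A) holds and (B) does not.


def addslashes(s):
    """Model of PHP addslashes(): backslash-escape ' " \\ and NUL."""
    return "".join("\\0" if ch == "\x00" else ("\\" + ch if ch in "'\"\\" else ch)
                   for ch in s)


def mysql_real_escape_string(s):
    """Model of mysql_real_escape_string() for a single-byte charset."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\x00": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in s)


def quote_string_wrong(s):
    # XOOPS2 / XCL2.1: addslashes(), then the escaped \" is turned back into a bare "
    return "'" + addslashes(s).replace('\\"', '"') + "'"


def quote_string_right(s):
    # corrected quoteString(): leave the escaping to MySQL's own rules
    return "'" + mysql_real_escape_string(s) + "'"


def quote_string_none(s):
    # no escaping at all: models a broken module (constructed case, not XOOPS code)
    return "'" + s + "'"


def string_literal_spans(sql):
    """(opening, closing) indices of each terminated '...' or "..." literal,
    honouring backslash escapes and doubled quotes; unterminated ones are skipped."""
    spans, i, n = [], 0, len(sql)
    while i < n:
        q = sql[i]
        if q not in "'\"":
            i += 1
            continue
        start, i, closed = i, i + 1, False
        while i < n:
            c = sql[i]
            if c == "\\":                               # skip the escaped character
                i += 2
                continue
            if c == q:
                if i + 1 < n and sql[i + 1] == q:       # doubled quote, e.g. ''
                    i += 2
                    continue
                closed = True
                break
            i += 1
        if closed:
            spans.append((start, i))
        i += 1
    return spans


def appears_raw(value, sql):
    """Rule (A)."""
    return ("'" in value or '"' in value) and value in sql


def stays_in_one_literal(value, sql):
    """Rule (B): every verbatim occurrence of value sits inside a single literal."""
    spans = string_literal_spans(sql)
    pos = sql.find(value)
    if pos < 0:
        return False
    while pos >= 0:
        end = pos + len(value) - 1
        if not any(s < pos and end < e for s, e in spans):
            return False
        pos = sql.find(value, pos + 1)
    return True


def old_rule_alerts(value, sql):
    # the pre-fix rule, read here as (A) alone (an assumption)
    return appears_raw(value, sql)


def new_rule_alerts(value, sql):
    # the post-fix rule: (A) and not (B)
    return appears_raw(value, sql) and not stays_in_one_literal(value, sql)


def build_update(value, quote):
    # constructed preferences UPDATE; table and column names are assumptions
    return "UPDATE config SET conf_value=" + quote(value) + " WHERE conf_id=1"


if __name__ == "__main__":
    pref = 'Site name "PEAK"'   # constructed preference containing a double quote
    inj = "x' OR 1=1 -- "       # constructed quote-breaking input
    for label, value, quote in [("pref, wrong quoteString", pref, quote_string_wrong),
                                ("pref, fixed quoteString", pref, quote_string_right),
                                ("inj, no escaping", inj, quote_string_none),
                                ("inj, fixed quoteString", inj, quote_string_right)]:
        sql = build_update(value, quote)
        print(f"{label:24} old={old_rule_alerts(value, sql)!s:5} "
              f"new={new_rule_alerts(value, sql)!s:5} {sql}")
```

Running the block prints one line per case: the preference containing a double quote trips only the old rule when quoted the XOOPS2 way (the value is verbatim in the SQL but still inside one literal), while the quote-breaking input with no escaping trips both rules, and the corrected quoteString() never produces a verbatim match at all.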
