PEAK XOOPS - Big Umbrella Anti-SQL-Injection (4) in englishin japanese

Archive | RSS |
XOOPS
XOOPS : Big Umbrella Anti-SQL-Injection (4)
Poster : GIJOE on 2009-01-23 05:47:03 (13439 reads)

in englishin japanese
The DBLayer Trapping anti-SQL-Injection of Protector-3.30 with XOOPS2 raises a "SQL Injection" alert at updating preferences including doublequatation(").

This wrong detection is caused by the wrong way to escape SQL.

class/database/mysqldatabase.php


    function quoteString($str)
    {
         $str = "'".str_replace('\\"', '"', addslashes($str))."'";
         return $str;
    }

Only XOOPS2 and XCL2.1 have such a wrong escaping method.
This method should be corrected like:

    function quoteString($str)
    {
         $str = "'".str_replace('\\"', '"', addslashes($str))."'";
         $str = "'".mysql_real_escape_string($str)."'";
         return $str;
    }

On the other hand, both ImpressCMS and XOOPS-2.3.2 have a right method.

However this is just a problem of the XOOPS Cube project, there can be some modules/hacks escaping SQLs like this.

Then I have to modify the logic of the "DBLayer Trapping anti-SQL-Injection".

(A) A request including ' or " is found in a SQL as is (without escaping)
(B) All body of the request stays in single string of the SQL (not breaking quotation)

When both (A) AND !(B) are found, protector stops the program as "SQL Injection found".

This logic can reduce some patterns of wrong detections.

0 comments

Related articles
Printer friendly page Send this story to a friend

Comments list

Login
Username or e-mail:

Password:

Remember Me

Lost Password?

Register now!