Big Umbrella Anti-SQL-Injection(1)

Date 2009-01-07 04:37:49 | Category: PHP

in englishin japanese
There are a lot of XOOPS modules or PHP applications with SQL Injection still.

Protector can protect some patterns of SQL Injections.
It is just "some" instead of "all".

That's because Protector cannot distinguish attacks and fair requests just by REQUEST layer.

A word of "UNION" will be posted as "UNI-ON".

Such modification in REQUEST layer must be non-sense.

Then, Protector should judge them by both REQUEST layer and DB layer.

(a) doubtful requests are found
(b) ob_start()
(c) compare requests and outputs

SQL Injection:
(1) doubtful requests are found
(2) override DB layer
(3) compare requests and SQLs

It is not easy to implement (3) because Protector have to parse SQLs.
However, (2) will be the most problem for XOOPS.

Because there are no way to override DB layer.
I will suggest DB layer modification can be overridden for all core teams in the next entry.

This idea is based on JM2. (four years ago!)
He is the real hero for XOOPS

You can read more news at PEAK XOOPS.

The URL for this story is: