Big Umbrella Anti-SQL-Injection (4)
Date 2009-01-23 05:47:03 | Category: XOOPS
|
 
The DBLayer Trapping anti-SQL-Injection of Protector-3.30 with XOOPS2 raises a "SQL Injection" alert at updating preferences including doublequatation(").
This wrong detection is caused by the wrong way to escape SQL.
class/database/mysqldatabase.php
function quoteString($str)
{
$str = "'".str_replace('\\"', '"', addslashes($str))."'";
return $str;
}
Only XOOPS2 and XCL2.1 have such a wrong escaping method.
This method should be corrected like:
function quoteString($str)
{
$str = "'".str_replace('\\"', '"', addslashes($str))."'";
$str = "'".mysql_real_escape_string($str)."'";
return $str;
}
On the other hand, both ImpressCMS and XOOPS-2.3.2 have a right method.
However this is just a problem of the XOOPS Cube project, there can be some modules/hacks escaping SQLs like this.
Then I have to modify the logic of the "DBLayer Trapping anti-SQL-Injection".
(A) A request including ' or " is found in a SQL as is (without escaping)
(B) All body of the request stays in single string of the SQL (not breaking quotation)
When both (A) AND !(B) are found, protector stops the program as "SQL Injection found".
This logic can reduce some patterns of wrong detections.
|
|