From 33667d61b7b49cab39c6cae0f19167f446dc5d71 Mon Sep 17 00:00:00 2001 From: Gyozo Papp Date: Mon, 4 Feb 2002 11:51:22 +0000 Subject: [PATCH] some spelling errors and typos corrected git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@69463 c90b9560-bf6c-de11-be94-00142212c4b1 --- chapters/security.xml | 44 +++++++++++++++++++++---------------------- security/index.xml | 44 +++++++++++++++++++++---------------------- 2 files changed, 44 insertions(+), 44 deletions(-) diff --git a/chapters/security.xml b/chapters/security.xml index 62b292e930..f36ecf4646 100644 --- a/chapters/security.xml +++ b/chapters/security.xml @@ -1,5 +1,5 @@ - + Security @@ -570,13 +570,13 @@ if (!ereg('^[^./][^/]*$', $username)) Encrypted Storage Model - SSL/SSH protects data traveling from the client to the server, SSL/SSH + SSL/SSH protects data travelling from the client to the server, SSL/SSH does not protect the persistent data stored in a database. SSL is an on-the-wire protocol. Once an attacker gains access to your database directly (bypassing the - webserver), the stored sensitive data may be exposed or misused unless, + webserver), the stored sensitive data may be exposed or misused, unless the information is protected by the database itself. Encrypting the data is a good way to mitigate this threat, but very few databases offer this type of data encryption. @@ -613,7 +613,7 @@ $query = sprintf("SELECT 1 FROM users WHERE name='%s' AND pwd='%s';", $result = pg_exec($connection, $query); if (pg_numrows($result) > 0) { - echo "Wellcome, $username!"; + echo "Welcome, $username!"; } else { echo "Authentication failed for $username."; @@ -653,8 +653,9 @@ else { @@ -663,22 +664,18 @@ $result = mysql_query($query); is encoded into the URL. The script expects that the incoming $offset is decimal number. However, someone tries to break in with appending urlencode'd form of the - following to the URL (PostgreSQL): + following to the URL - - - or in case of using MySQL: - - - A feasible way to gain passwords is to circumvent your search result pages. - What the attacker has to do is only trying if there is a submitted filter - setting handled not properly. These filters are commonly set in a previous - form to customize WHERE, ORDER BY, LIMIT and OFFSET - clauses in SELECT statements. If your database supports - the UNION construct, the attacker may try to append an - entire query to the original one to list passwords from an arbitrary table. - Using encrypted password fields is strongly encouraged. + What the attacker needs only is to try if there is any submitted variable + used in SQL statement which is not handled properly. These filters can be set + commonly in a preceding form to customize WHERE, ORDER BY, + LIMIT and OFFSET clauses in SELECT + statements. If your database supports the UNION construct, + the attacker may try to append an entire query to the original one to list + passwords from an arbitrary table. Using encrypted password fields is + strongly encouraged. Listing out articles ... and some passwords (any database server) @@ -714,6 +712,7 @@ FLUSH PRIVILEGES; $query = "SELECT id, name, inserted, size FROM products WHERE size = '$size' ORDER BY $order LIMIT $limit, $offset;"; +$result = odbc_exec($conn, $query); ]]> </programlisting> </example> @@ -760,6 +759,7 @@ $query = "UPDATE usertable SET pwd='$pwd' WHERE uid='$uid';"; <![CDATA[ // $uid == ' or uid like'%admin%'; -- $query = "UPDATE usertable SET pwd='...' WHERE uid='' or uid like '%admin%'; --"; + // $pwd == "hehehe', admin='yes', trusted=100 " $query = "UPDATE usertable SET pwd='hehehe', admin='yes', trusted=100 WHERE ...;" ]]> @@ -844,7 +844,7 @@ $result = mssql_query($query); </listitem> <listitem> <para> - If the application waits for numeric input, consider to verify data + If the application waits for numerical input, consider to verify data with <function>is_numeric</function>, or silently change its type using <function>settype</function>, or use its numeric representation by <function>sprintf</function>. @@ -874,7 +874,7 @@ $query = sprintf("SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET % <listitem> <simpara> Do not print out any database specific information, especially - about the schema, no matter what happens. See also <link + about the schema, by fair means or foul. See also <link linkend="security.errors">Error Reporting</link> and <link linkend="ref.errorfunc">Error Handling and Logging Functions</link>. </simpara> diff --git a/security/index.xml b/security/index.xml index 62b292e930..f36ecf4646 100644 --- a/security/index.xml +++ b/security/index.xml @@ -1,5 +1,5 @@ <?xml version="1.0" encoding="iso-8859-1"?> -<!-- $Revision: 1.42 $ --> +<!-- $Revision: 1.43 $ --> <chapter id="security"> <title>Security @@ -570,13 +570,13 @@ if (!ereg('^[^./][^/]*$', $username)) Encrypted Storage Model - SSL/SSH protects data traveling from the client to the server, SSL/SSH + SSL/SSH protects data travelling from the client to the server, SSL/SSH does not protect the persistent data stored in a database. SSL is an on-the-wire protocol. Once an attacker gains access to your database directly (bypassing the - webserver), the stored sensitive data may be exposed or misused unless, + webserver), the stored sensitive data may be exposed or misused, unless the information is protected by the database itself. Encrypting the data is a good way to mitigate this threat, but very few databases offer this type of data encryption. @@ -613,7 +613,7 @@ $query = sprintf("SELECT 1 FROM users WHERE name='%s' AND pwd='%s';", $result = pg_exec($connection, $query); if (pg_numrows($result) > 0) { - echo "Wellcome, $username!"; + echo "Welcome, $username!"; } else { echo "Authentication failed for $username."; @@ -653,8 +653,9 @@ else { @@ -663,22 +664,18 @@ $result = mysql_query($query); is encoded into the URL. The script expects that the incoming $offset is decimal number. However, someone tries to break in with appending urlencode'd form of the - following to the URL (PostgreSQL): + following to the URL - - - or in case of using MySQL: - - - A feasible way to gain passwords is to circumvent your search result pages. - What the attacker has to do is only trying if there is a submitted filter - setting handled not properly. These filters are commonly set in a previous - form to customize WHERE, ORDER BY, LIMIT and OFFSET - clauses in SELECT statements. If your database supports - the UNION construct, the attacker may try to append an - entire query to the original one to list passwords from an arbitrary table. - Using encrypted password fields is strongly encouraged. + What the attacker needs only is to try if there is any submitted variable + used in SQL statement which is not handled properly. These filters can be set + commonly in a preceding form to customize WHERE, ORDER BY, + LIMIT and OFFSET clauses in SELECT + statements. If your database supports the UNION construct, + the attacker may try to append an entire query to the original one to list + passwords from an arbitrary table. Using encrypted password fields is + strongly encouraged. Listing out articles ... and some passwords (any database server) @@ -714,6 +712,7 @@ FLUSH PRIVILEGES; $query = "SELECT id, name, inserted, size FROM products WHERE size = '$size' ORDER BY $order LIMIT $limit, $offset;"; +$result = odbc_exec($conn, $query); ]]> </programlisting> </example> @@ -760,6 +759,7 @@ $query = "UPDATE usertable SET pwd='$pwd' WHERE uid='$uid';"; <![CDATA[ // $uid == ' or uid like'%admin%'; -- $query = "UPDATE usertable SET pwd='...' WHERE uid='' or uid like '%admin%'; --"; + // $pwd == "hehehe', admin='yes', trusted=100 " $query = "UPDATE usertable SET pwd='hehehe', admin='yes', trusted=100 WHERE ...;" ]]> @@ -844,7 +844,7 @@ $result = mssql_query($query); </listitem> <listitem> <para> - If the application waits for numeric input, consider to verify data + If the application waits for numerical input, consider to verify data with <function>is_numeric</function>, or silently change its type using <function>settype</function>, or use its numeric representation by <function>sprintf</function>. @@ -874,7 +874,7 @@ $query = sprintf("SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET % <listitem> <simpara> Do not print out any database specific information, especially - about the schema, no matter what happens. See also <link + about the schema, by fair means or foul. See also <link linkend="security.errors">Error Reporting</link> and <link linkend="ref.errorfunc">Error Handling and Logging Functions</link>. </simpara>