Take a look at another real-life example from an old Mambo version (Mambo 4.5 Stable 1.0.3, file pathway.php), slightly condensed and adapted here:
    $id = mosGetParam( $_REQUEST, 'id', 0 );
    if ($id) {
        // $id is interpolated into the query text unescaped
        $database->setQuery( "SELECT title FROM #__categories WHERE id=$id" );
    }
Code of this design still appears in innumerable software products, articles, and books today. The user data are passed unchecked straight into the SQL command. The PHP variable $id, obtained with the already familiar auxiliary function mosGetParam(), comes directly from $_REQUEST and therefore, for example, from the URL. This attack is called SQL injection, and depending on the type of database and application it is more or less severe: anything from reading rows the user should not see to altering or destroying tables.
What would work in many databases is to exploit the gap by means of a URL such as the following:
http://servername/mambo/index.php?option=content&task=view&itemid=1&id=0;%20DROP%20TABLE%20#__categories%3B
Two practical caveats: #__ is Mambo's placeholder for the configured table prefix, which setQuery() replaces with the real prefix, and in a real request the # would have to be encoded as %23, since a browser treats everything after a bare # as a fragment and never sends it. Also, PHP's classic mysql_query() executes only one statement per call, so this stacked DROP TABLE does not get through on Mambo's usual MySQL backend; the gap itself remains fully exploitable with payloads that stay inside a single statement, such as id=0 OR 1=1 or a UNION SELECT.
Now the SQL command with the user data looks as follows:
SELECT title FROM #__categories...