Bug #41389 unknow
Submitted: 2007-05-14 19:57 UTC
Modified: 2007-05-14 20:52 UTC
From: bskandmon at hotmail dot com
Assigned:
Status: Not a bug
Package: MySQL related
PHP Version: 5.2.2
OS: unknow
Private report: No
CVE-ID: None
 [2007-05-14 19:57 UTC] bskandmon at hotmail dot com
Description:
------------
I'm French and I'm 15, so excuse me for my very very bad English. I've found an XSS fail in mysql_error(). You just have to make a syntax error (with " in my example) and write your script after the ".

Reproduce code:
---------------
$var = '"<script>alert(\'Hi ! Xss discovered !\')</script>';
$rep = mysql_query('SELECT pseudo FROM membres where pseudo = "'.$var.'"');
if (!$rep)
{
	echo '<br><b>Transmettre aux administrateurs : (via la page contact ou par mp) '.mysql_error().'</b>';
}
else
{
	return $rep;
}


 [2007-05-14 20:52 UTC] johannes@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

mysql_error() just passes the original error message from the database. The function doesn't know what you are doing with the returned value. (logging ...) So no escaping can be done.

As a general notice: If the user can generate a MySQL error you have most likely a bigger problem than XSS: SQL injection.
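
Added example (not part of the report, the reply, or PHP itself): the two points in the reply shown as code, with the query bound as a parameter and the error text escaped or logged by the caller. It assumes PHP 7+ with the pdo_sqlite extension so it runs without a MySQL server; the function names and the sample error string are constructed for illustration.

```php
<?php
// Added example; assumes PHP 7+ with pdo_sqlite so it runs offline.
// Table and column names come from the report; function names are hypothetical.

function find_member(PDO $db, string $pseudo): array
{
    // Bound parameter: the value never becomes part of the SQL text,
    // so a stray quote cannot cause a syntax error or an injection.
    $stmt = $db->prepare('SELECT pseudo FROM membres WHERE pseudo = :pseudo');
    $stmt->execute([':pseudo' => $pseudo]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function escape_for_html(string $text): string
{
    // Escaping is chosen by the code that knows the output context (HTML here).
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function public_error(string $rawMessage): string
{
    // Full detail goes to the server log; the visitor gets a fixed message.
    error_log('Database error: ' . $rawMessage);
    return '<b>Database error. Please contact the administrators.</b>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE membres (pseudo TEXT)');
$db->exec("INSERT INTO membres (pseudo) VALUES ('alice')");

// Value from the report, now compared as plain data instead of parsed as SQL.
$var = '"<script>alert(\'Hi ! Xss discovered !\')</script>';
var_dump(find_member($db, $var));
var_dump(find_member($db, 'alice'));

// Constructed sample in the shape of a MySQL syntax error message.
$sampleError = "You have an error in your SQL syntax; check the manual that "
    . "corresponds to your MySQL server version for the right syntax to use "
    . "near '<script>alert(1)</script>\"' at line 1";

// If the raw text must be shown, escape it for the HTML context first.
echo escape_for_html($sampleError), "\n";
// Preferred: log the detail and show a generic message.
echo public_error($sampleError), "\n";
```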
 