php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #38733 mysql_error() can lead to Cross Site Scripting attacks
Submitted: 2006-09-06 13:03 UTC Modified: 2006-09-06 14:11 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: gmdarkfig at gmail dot com Assigned:
Status: Not a bug Package: MySQL related
PHP Version: 4.4.4 OS: all
Private report: No CVE-ID: None
View Developer Edit
 [2006-09-06 13:03 UTC] gmdarkfig at gmail dot com 
Description:
------------
The goal of the mysql_error() function is to return the error
text from the last MySQL function. This function can lead to
Cross Site Scripting attacks. To conduct this attack, somes
parameters are required. If an mysql function use a bad parameter provided by the attacker and if the mysql_error() result is returned to the user, this can be exploited to conduct Cross Site Scripting attack. This can be useful if the attacker has a restricted access to an mysql function.

Reproduce code:
---------------
<?php  //?db=<script>alert(123)</script>
$link = mysql_connect("localhost", "root", "");
$restrictedaccess = filter_no_hml_data($_GET['db']);
mysql_select_db($restrictedaccess, $link);
echo mysql_errno($link) . ": " . mysql_error($link). "\n";
// MySQL functions list: http://www.php.net/manual/en/ref.mysql.php
?>

Expected result:
----------------
The html code is executed.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-09-06 13:06 UTC] gmdarkfig at gmail dot com 
Description:
------------
The goal of the mysql_error() function is to return the error
text from the last MySQL function. This function can lead to
Cross Site Scripting attacks. To conduct this attack, somes
parameters are required. If an mysql function use a bad parameter
provided by the attacker and if the mysql_error() result is returned to
the user, this can be exploited to conduct Cross Site Scripting attack.
This can be useful if the attacker has a restricted access to an mysql
function.

Reproduce code:
---------------
<?php  //?db=<script>alert(123)</script>
$link = mysql_connect("localhost", "root", "");
$restrictedaccess = filter_no_hml_data($_GET['db']);
mysql_select_db($restrictedaccess, $link);
echo mysql_errno($link) . ": " . mysql_error($link). "\n";
// MySQL functions list: http://www.php.net/manual/en/ref.mysql.php
?>

Expected result:
----------------
The html code is executed.
 [2006-09-06 13:13 UTC] tony2001@php.net 
mysql_error() and alike are for debugging purposes only, users MUST NOT see their output.
 [2006-09-06 14:11 UTC] gmdarkfig at gmail dot com 
It is not written in the mysql_error manual.
Many people return the result of the mysql_error function, see http://www.koders.com/?s=or+die+mysql_error&_%3Abtn=Search&_%3Ala=PHP&_%3Ali=*.
Users can alert the webmaster if they see an error.
They wouldn't have to display the error for security reasons but they do that.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Mon Nov 03 05:00:01 2025 UTC