Inyección de SQL

La inyección SQL es un método de ataque que utiliza vulnerabilidades presente en una aplicación en el nivel de validación de las entradas.

When successful, the attack allows the attacker to inject data into an existing SQL query. The attacker may then be able to fetch private data, cause a denial of service or cause other unintended responses. In the worst case, the injected code would allow the attacker to gain full control of the system by exploiting multiple vulnerabilities in the database server, system utilities and operating system.

$limit = $wgRequest->getVal( 'limit' );
$res = $db->query( "SELECT * from kitties LIMIT $limit" );

$limit = $wgRequest->getVal( 'limit' );
$limit = intval( $limit ); // OPTIONAL validation
$res = $db->select( 'kitties',
                    '*',
                    false,
                    __METHOD__,
                    array( 'LIMIT' => $limit ) // REQUIRED automatic escaping
);

See Manual:Database access for more recent approaches to building SQL queries using the SelectQueryBuilder class.

?limit=%201%20union%20select%20user_email%20from%20user;

MediaWiki has a custom SQL generation interface which has proven to be effective for eliminating SQL injection vulnerabilities. The SQL generation interface also provides DBMS abstraction and features such as table prefixes.

• avoid using direct SQL queries at all costs
• review Manual:Acceso a base de datos and use the functions provided in Database.php
• read the The Open Web Application Security Project's page on SQL injection (http://www.owasp.org/index.php/SQL_Injection)
• The SQL Injection Wiki: http://www.sqlinjectionwiki.com/