When Ajax Gets Abused
April 22nd, 2006 | Published in JavaScript/AJAX, PHP
The programmer who wrote this code could have written scary code without Ajax, but this takes the cake:
// Client-side JavaScript: the browser assembles PHP source as a string from the
// form fields and ships it to the server, where execPhp() runs it verbatim.
function saveform()
{
  var firstName = escapeSql(mainForm.elements.txtFirstName.value);
  var lastName = escapeSql(mainForm.elements.txtLastName.value);
  /* … */
  var offerCode = escapeSql(mainForm.elements.txtOfferCode.value);

  // Every line below is PHP text, not code that runs in the browser.
  var code =
    ' $cn = mssql_connect($DB_SERVER, $DB_USERNAME, $DB_PASSWORD) ' +
    ' or die("ERROR: Cannot Connect to $DB_SERVER"); ' +
    ' $db = mssql_select_db($DB_NAME, $cn); ' +
    ' ' +
    ' if (mssql_query("SELECT 1 FROM APPS WHERE SSN=\'' + ssn + '\'", $cn)) ' +
    ' { $ins = false; } ' +
    ' else ' +
    ' { $ins = true; } ' +
    ' ' +
    ' if ($ins) { ' +
    ' $sql = "INSERT INTO APPS (FIRSTNM, LASTNM, …, OFFERCD) VALUES ("; ' +
    ' $sql+= "\'' + firstName + '\',"; ' +
    ' $sql+= "\'' + lastName + '\',"; ' +
    ' $sql+= "\'' + offerCode + '\')"; ' +
    ' ' +
    ' /* … */ ' +
    ' ' +
    ' mssql_query($sql, $cn); ' +
    ' mssql_close($cn); ';

  // Sends the assembled PHP to the server to be executed.
  execPhp(code);
}
This is a reminder to be very strict about what we accept on the server side. Executing whatever PHP the client sends? Probably not a good thing.
Scary!
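For contrast, here is how the same save could be done with the execution moved to a fixed server-side endpoint. This is an added example, not code from the post or the site it describes: the browser posts only the field values, the SQL lives on the server and every value is a bound parameter. A config.php defining the $DB_* variables from the post, the "sqlsrv" PDO driver and the SSN column name are assumptions.

```php
<?php
// Added example (not the original site's code): a fixed endpoint that replaces
// execPhp(). The browser posts only field values; the SQL is written here and
// every value is a bound parameter. config.php, the "sqlsrv" PDO driver and the
// column names are assumptions.
declare(strict_types=1);
require __DIR__ . '/config.php'; // sets $DB_SERVER, $DB_USERNAME, $DB_PASSWORD, $DB_NAME

header('Content-Type: application/json');
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit(json_encode(['error' => 'POST only']));
}

// Only these fields are accepted, each with a shape check; nothing else is read.
$rules = [
    'firstName' => '/^[\p{L}\' .-]{1,50}$/u',
    'lastName'  => '/^[\p{L}\' .-]{1,50}$/u',
    'ssn'       => '/^\d{3}-?\d{2}-?\d{4}$/',
    'offerCode' => '/^[A-Z0-9]{1,16}$/',
];
$in = [];
foreach ($rules as $field => $re) {
    $v = $_POST[$field] ?? '';
    if (!is_string($v) || !preg_match($re, $v)) {
        http_response_code(400);
        exit(json_encode(['error' => "invalid or missing field: $field"]));
    }
    $in[$field] = $v;
}

try {
    $pdo = new PDO("sqlsrv:Server=$DB_SERVER;Database=$DB_NAME", $DB_USERNAME, $DB_PASSWORD,
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

    // Bound parameters replace escapeSql(): the statement text is fixed server-side.
    $check = $pdo->prepare('SELECT 1 FROM APPS WHERE SSN = ?');
    $check->execute([$in['ssn']]);
    if ($check->fetchColumn() !== false) {
        exit(json_encode(['inserted' => false]));
    }
    $ins = $pdo->prepare('INSERT INTO APPS (FIRSTNM, LASTNM, SSN, OFFERCD) VALUES (?, ?, ?, ?)');
    $ins->execute([$in['firstName'], $in['lastName'], $in['ssn'], $in['offerCode']]);
    echo json_encode(['inserted' => true]);
} catch (PDOException $e) {
    error_log($e->getMessage()); // details stay in the server log, not the response
    http_response_code(500);
    echo json_encode(['error' => 'database error']);
}
```

The client-side saveform() then shrinks to an XMLHttpRequest POST of the four field values; if the endpoint only understands those fields, there is nothing left for the browser to inject.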
(Via Ajaxian Blog.)
