> If a language or platform has a misfeature which makes it hard to write secure code, it is hard for experts in that language to see why it's a problem.
Exactly. How many SQL injection vulnerabilities are the result of PHP's mysql_query() design for example?
Posted Mar 5, 2012 17:27 UTC (Mon) by ajross (subscriber, #4563)
Actually, if you want to pick on PHP, the register_globals() misfeature (now fixed) is a closer fit. Rails (apparently, under the default idiom "everyone uses") allowed an attacker to override fields in the model object via unexpected CGI parameters. PHP using the register_globals() gadget sucks the CGI parameters in as global variables.
Basically the same stupid mistake. It's a collision between convenience (representing query parameters as variables automatically without the need to explicitly parse/validate/declare/etc...) and safety (forgetting that the resulting variables are potentially from untrusted sources). Rails leans heavily on the DRY principle, and would be expected to be particularly susceptible to this kind of goof.
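The convenience-versus-safety collision described above, as an added plain-Ruby illustration (not code from the thread, from Rails, or from PHP): a model that assigns every request key it is handed, next to one that only assigns a declared list and drops the rest. The class names, attribute names and request hash are all constructed for the example.

```ruby
# Added example, not from the LWN thread or from Rails itself: a minimal
# plain-Ruby stand-in for the mass-assignment misfeature described above.
# The model, attribute names and parameter hash are all constructed here.

# Vulnerable idiom: every key in the request parameters becomes an attribute
# write, so a parameter the form never offered still reaches the model.
class UnsafeUser
  attr_reader :name, :email, :admin

  def initialize
    @name, @email, @admin = nil, nil, false
  end

  # Mirrors "assign everything the client sent" with no whitelist.
  def update_attributes(params)
    params.each { |key, value| instance_variable_set("@#{key}", value) }
    self
  end
end

# Hardened idiom: declare which attributes a client may set; anything else in
# the request is dropped and kept aside so it can be logged or alerted on.
class SafeUser < UnsafeUser
  ASSIGNABLE = %w[name email].freeze
  attr_reader :rejected

  def update_attributes(params)
    allowed, rejected = params.partition { |key, _| ASSIGNABLE.include?(key.to_s) }
    @rejected = rejected.to_h
    allowed.each { |key, value| instance_variable_set("@#{key}", value) }
    self
  end
end

# Constructed request parameters: a form that only asks for name and email,
# plus an extra "admin" field the client added on its own.
REQUEST_PARAMS = { "name" => "alice", "email" => "alice@example.com", "admin" => true }.freeze

def unsafe_result
  UnsafeUser.new.update_attributes(REQUEST_PARAMS)
end

def safe_result
  SafeUser.new.update_attributes(REQUEST_PARAMS)
end

if $PROGRAM_NAME == __FILE__
  puts "unsafe: admin=#{unsafe_result.admin.inspect}"
  puts "safe:   admin=#{safe_result.admin.inspect}, rejected=#{safe_result.rejected.inspect}"
end
```

The rejected hash is the detection hook: a non-empty one on a request means the client sent fields the form never exposed.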
Github compromised, or not?!
Posted Mar 6, 2012 8:22 UTC (Tue) by Los__D (guest, #15263)
Wouldn't that be MySQL's mysql_query?
Github compromised, or not?!
Posted Mar 9, 2012 12:57 UTC (Fri) by knobunc (subscriber, #4678)
Nope. mysql_query() is PHP's dangerous-by-default interface to the mysql DB. There are better ways to do it, but that was one of the earliest, and is documented all over the place.