Development:Security:SQL injection

From MoodleDocs
Revision as of 19:41, 28 January 2010 (Thu) by Mitsuhiro Yoshida (talk | contribs) (→What is the danger?)

Under construction - Mitsuhiro Yoshida, 25 January 2010 (Mon) 16:11 (UTC)

This page is part of the Moodle Security guidelines.

What is the danger?

Suppose that, in .../course/view.php?id=123, your code takes the "$id = 123" passed in from the URI and runs an SQL statement like SELECT * FROM mdl_course WHERE id = $id; and suppose your code does not bother to clean that parameter properly.

Evil Hacker edits the URL to:

.../course/view.php?id=123;DELETE+FROM+mdl_user

It should be obvious why this is very, very bad: the semicolon ends the SELECT, and the DELETE FROM mdl_user that follows it removes every account from the user table.

Of course, depending on exactly what the database query is, and on whether the database driver will run two statements in one call, the malicious input needs to be constructed appropriately (where stacked statements are refused, a tampered value such as 123 OR 1=1 is often enough to change what a single statement does), but that is just a matter of trial and error for Evil Hacker.

How does Moodle avoid this problem?

Once again, it is a case of being very suspicious of any input that came from outside Moodle. In the example above, $id should clearly have been cleaned by passing PARAM_INT to required_param, which guarantees that $id is a plain integer before it gets anywhere near the SQL.

It is more tricky with a query like UPDATE mdl_user SET lastname = '$lastname' WHERE id = $id; What happens when $lastname is "O'Brian"? The unescaped quote ends the string literal early and breaks the statement (or, for a crafted value, rewrites it), so you have to escape the ' like this: "O\'Brian".

In Moodle 1.9, addslashes is applied automatically to all input you get via required_param or optional_param.

In Moodle 2.0 we completely avoid the dangerous process of building SQL by concatenating strings. In Moodle 2.0 the SQL would look like UPDATE mdl_user SET lastname = ? WHERE id = ?; and we pass an array of values array($lastname, $id) to the database along with the SQL. The values never become part of the SQL text, so there is no escaping convention to get wrong and no way for a value to change the shape of the statement.


What you need to do in your code

In Moodle 2.0

  • Use higher level dmllib methods, like get_record, whenever possible, so you do not have to create SQL yourself.
  • When you have to insert values into SQL statements, use place-holders to insert the values safely.

In Moodle 1.9

  • Use higher level dmllib methods, like get_record, whenever possible, so you do not have to create SQL yourself.
  • Data from required_param and optional_param has already had addslashes applied, ready to be used in database queries, but make sure you put single quotes round each value.
  • If you have loaded some data from the database, and then want to re-insert it, then apply addslashes or addslashes_object to it first.
  • Test your code by using a tool like sqlmap, or by manually trying tricky inputs like
< > & &lt; &gt; &amp; ' \' 碁 \ \\
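The contrast described in the sections above, as an added example that is not Moodle's own code: the 1.9-style concatenated UPDATE from the text beside a placeholder version of the same statement, a stand-in for the PARAM_INT cleaning that required_param does, and the tricky inputs from the list above run through the placeholder form. It uses PHP's PDO extension with an in-memory SQLite database so that it runs on its own; the mdl_user table, its rows, and the helper names clean_param_int, update_lastname_unsafe, update_lastname_safe, lastnames and expect are constructed for the demo and are not Moodle API.

```php
<?php
// Added example, not Moodle code. Contrasts SQL built by string concatenation
// (the 1.9 style) with SQL that carries placeholders and gets its values bound
// separately (the 2.0 style). Table, rows and helper names are constructed for
// the demo; clean_param_int() is a stand-in for required_param($name, PARAM_INT),
// not Moodle's implementation.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE mdl_user (id INTEGER PRIMARY KEY, lastname TEXT NOT NULL)");
$db->exec("INSERT INTO mdl_user (id, lastname) VALUES (1, 'Smith'), (2, 'Jones'), (3, 'Brown')");

// Read back every lastname keyed by id, so each step below can be checked.
function lastnames(PDO $db): array {
    return $db->query("SELECT id, lastname FROM mdl_user ORDER BY id")
              ->fetchAll(PDO::FETCH_KEY_PAIR);
}

// Stand-in for PARAM_INT cleaning: accept only a well-formed integer, fail otherwise.
function clean_param_int(string $raw): int {
    $v = filter_var($raw, FILTER_VALIDATE_INT);
    if ($v === false) {
        throw new InvalidArgumentException("not an integer: $raw");
    }
    return $v;
}

// Vulnerable: the query from the text, with both values spliced into the SQL string.
function update_lastname_unsafe(PDO $db, string $lastname, string $id): int {
    return $db->exec("UPDATE mdl_user SET lastname = '$lastname' WHERE id = $id");
}

// Safe: the SQL text is fixed; the driver binds the values and never re-parses them.
function update_lastname_safe(PDO $db, string $lastname, int $id): int {
    $stmt = $db->prepare("UPDATE mdl_user SET lastname = ? WHERE id = ?");
    $stmt->execute([$lastname, $id]);
    return $stmt->rowCount();
}

function expect(bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException("FAILED: $what");
    }
    echo "ok: $what\n";
}

// 1. A tampered id turns the WHERE clause into a tautology: every row is updated.
expect(update_lastname_unsafe($db, 'Pwned', '1 OR 1=1') === 3,
       "concatenated SQL lets '1 OR 1=1' rewrite all 3 rows");

// 2. An apostrophe in ordinary data ends the string literal early and breaks the statement.
try {
    update_lastname_unsafe($db, "O'Brian", '1');
    $broke = false;
} catch (PDOException $e) {
    $broke = true;
}
expect($broke, "concatenated SQL fails on O'Brian");

// 3. PARAM_INT-style cleaning rejects the tampered id before any SQL exists.
try {
    clean_param_int('1 OR 1=1');
    $rejected = false;
} catch (InvalidArgumentException $e) {
    $rejected = true;
}
expect($rejected, "PARAM_INT cleaning rejects '1 OR 1=1'");

// 4. With placeholders, hostile and awkward strings are stored verbatim, exactly
//    one row changes, and nothing is deleted. Inputs follow the tricky list above.
$tricky = ["O'Brian", "x'; DELETE FROM mdl_user; --", '< > & &lt; &gt; &amp;',
           "\\'", '碁', '\\', '\\\\'];
foreach ($tricky as $value) {
    $changed = update_lastname_safe($db, $value, clean_param_int('2'));
    $rows = lastnames($db);
    expect($changed === 1 && $rows[2] === $value && count($rows) === 3,
           "placeholder UPDATE stores " . json_encode($value) . " as plain data");
}
```

Run it with `php sqli_demo.php` on a PHP build that has the pdo_sqlite extension. In Moodle 2.0 code the same placeholder form goes through the higher-level $DB methods described in the lists above rather than through PDO directly; the point the example makes is the same: the SQL text is fixed at the time you write it, and the request data only ever travels as a bound value.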


What you need to do as an administrator

  • This is not something that administrators can do anything about (other than keeping your Moodle up-to-date).


See also
