What Is The Point Of This Code? 
 What Is The Point Of This Code?

Hi There,

I'm new to PHP, but mildly experienced with MySQL and Perl.  Playing
with a certain package, I ran across this little snippet in some image
upload code:

    // Keep only the media type when the client-sent type carries
    // ";"-separated parameters (e.g. "image/png; name=foobar")
    if(substr_count($uploadimage_type, ";"))
    {
        $phoo = explode(";", $uploadimage_type);
        $my_image_type = $phoo[0];
    }
    else
        $my_image_type = $uploadimage_type;

It then goes on to make sure $my_image_type is an allowed type.

The first time I looked at this I went "Eh?  What's this?"  Then,
following a recent advisory about a web CMS system, the light came
on: SQL Injection Attack.

But I still don't see it.  As I understand it, the _type is supplied
by the browser, not directly user input.  And, in any event, the code
never actually uses $my_image_type in an SQL query string.  In fact:
after it checks it against an array of allowed types, it's never used
again.

Any ideas on what the purpose of the above code snippet might be?

Personally, I'm kinda suspectin' the block of code might have been
"borrowed" from existing code elsewhere and not well understood, or
perhaps the snippet was left in by sheer oversight.  Or do some
browsers mangle the _type data?

Thanks In Advance,
Jim
--
Jim Seymour                    | PGP Public Key available at:
                               | http://www.*-*-*.com/



Mon, 25 Apr 2005 21:44:05 GMT  
 What Is The Point Of This Code?


[snip]

Quote:

> If it's definitely not used then you might be right.. but if you don't
> know enough to figure out what it did then are you sure you know
> enough that it isn't being used.. does the script you're looking at get
> required by another script maybe that then uses the variable?

I guess I should have mentioned that I understood the code--just not
the reason why it was there.  No, this script is free-standing.

I suppose my main question is probably answered.  Thanks.

I guess my question at this point would be: how is the <blurfl>_type
variable created?  The PHP docs say something to the effect of "it's
generated by the browser."  What does that mean, exactly?  Does the
browser "intelligently" determine the MIME type and put a filename
extension to match in there?  Or something like that?

I realize that, in the end, it really doesn't matter.  If it Came
From Outside, no matter *how* it got there, it's untrusted.  Mainly
curious about the... innards :).

Regards,
Jim
--
Jim Seymour                    | PGP Public Key available at:
WARNING: The "From:" address   | http://www.uk.pgp.net/pgpnet/pks-commands.html
is a spam trap.  DON'T USE IT! |



Tue, 26 Apr 2005 00:36:17 GMT  
 What Is The Point Of This Code?


Quote:
> the _type variable contains the MIME type...

> if you upload a GIF picture it contains 'image/gif', if you upload a JPEG it
> contains 'image/jpeg' or 'image/pjpeg' or a PNG it contains 'image/png' or
> 'image/x-png'..

> so if you want to check if an uploaded picture is gif you can simply write:

> if ($upload_type == 'image/gif') { ....
> } else { print('Picture is not GIF. Not Valid'); }

> something like this..

[snip]

That's the way I understood it.

So, *assuming* that whatever's playing browser is playing it
straight (I know: never *assume*): then there's no way an SQL
injection attack could come from that vector, correct?

Regards,
Jim
--
Jim Seymour                    | PGP Public Key available at:
                               | http://www.uk.pgp.net/pgpnet/pks-commands.html
                               |
                               | http://jimsun.LinxNet.com



Tue, 26 Apr 2005 03:47:09 GMT  
 What Is The Point Of This Code?
I'm not sure what the author of this text meant it to do.. as I understand it
the _type variable contains the type of the file uploaded, 'image/jpeg' and
so on.. So if someone writes: '1; DROP TABLE test;' that wouldn't be the type
of the file and the type variable would therefore not contain any ;. So I
would have changed the $uploadimage_type with $uploadimage_name, as this is
the original name of the file uploaded. If a SQL Injection Attack is
attempted it would be this variable that contained the code.

That's how I understand it..


Quote:

> > the _type variable contains the MIME type...

> > if you upload a GIF picture it contains 'image/gif', if you upload a
> > JPEG it contains 'image/jpeg' or 'image/pjpeg' or a PNG it contains
> > 'image/png' or 'image/x-png'..

> > so if you want to check if an uploaded picture is gif you can simply
> > write:

> > if ($upload_type == 'image/gif') { ....
> > } else { print('Picture is not GIF. Not Valid'); }

> > something like this..
> [snip]

> That's the way I understood it.

> So, *assuming* that whatever's playing browser is playing it
> straight (I know: never *assume*): then there's no way an SQL
> injection attack could come from that vector, correct?

> Regards,
> Jim
> --
> Jim Seymour                    | PGP Public Key available at:
>                                | http://www.uk.pgp.net/pgpnet/pks-commands.html
>                                |
>                                | http://jimsun.LinxNet.com



Tue, 26 Apr 2005 04:22:28 GMT  
 What Is The Point Of This Code?
Hi Jim!


Quote:


>[snip]

[...]
>I guess my question at this point would be: how is the <blurfl>_type
>variable created?  The PHP docs say something to the effect of "it's
>generated by the browser."  What does that mean, exactly?  Does the
>browser "intelligently" determine the MIME type and put a filename
>extension to match in there?  Or something like that?

Normally yes. But you could also post the data with a PHP script and
then inject data in a SQL statement.

Quote:

>I realize that, in the end, it really doesn't matter.  If it Came
>From Outside, no matter *how* it got there, it's untrusted.  Mainly
>curious about the... innards :).

Exactly.

HTH, Jochen



Tue, 26 Apr 2005 04:27:21 GMT  
 What Is The Point Of This Code?

Quote:
>So, *assuming* that whatever's playing browser is playing it
>straight (I know: never *assume*): then there's no way an SQL
>injection attack could come from that vector, correct?

        telnet www.yourhost.com http

I can then type in any HTTP request I want, with no browser getting
in the way of trying to break into your system.

                                        Gordon L. Burditt



Tue, 03 May 2005 04:14:26 GMT  
 What Is The Point Of This Code?

Quote:



>> the _type variable contains the MIME type...

>> if you upload a GIF picture it contains 'image/gif', if you upload a JPEG it
>> contains 'image/jpeg' or 'image/pjpeg' or a PNG it contains 'image/png' or
>> 'image/x-png'..

>> so if you want to check if an uploaded picture is gif you can simply write:

>> if ($upload_type == 'image/gif') { ....
>> } else { print('Picture is not GIF. Not Valid'); }

>> something like this..
> [snip]

> That's the way I understood it.

> So, *assuming* that whatever's playing browser is playing it
> straight (I know: never *assume*): then there's no way an SQL
> injection attack could come from that vector, correct?

I don't think the code snippet is a measure against SQL injection
attacks, but it's meant to handle cases like:

Content-type: image/png; name=foobar

See RFC 1341.

Regards...
                Michael



Thu, 05 May 2005 19:02:19 GMT  
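The parameter stripping Michael describes, together with the point Jochen and Gordon make that the client controls this value, as an added PHP example (not code from the thread or from the package Jim quotes; the function names and the magic-byte allow-list are my own). It assumes that in the register_globals era `$uploadimage_type` corresponds to `$_FILES['uploadimage']['type']`, and that the first bytes of the upload would be read from `$_FILES['uploadimage']['tmp_name']`:

```php
<?php
// Added example, not code from the thread or the package Jim quotes.
// An RFC 1341 Content-Type value may carry parameters ("image/png; name=foobar"),
// so only the media type before the first ";" is compared with the allow-list,
// which is what the snippet's explode(";") approximates. Because the client
// sends that value, the file's own magic bytes are checked as well.

// Split a Content-Type value into its media type and its parameters.
function parse_content_type(string $value): array {
    $parts  = explode(';', $value);
    $type   = strtolower(trim(array_shift($parts)));
    $params = [];
    foreach ($parts as $p) {
        if (strpos($p, '=') === false) {
            continue;
        }
        [$k, $v] = explode('=', $p, 2);
        $params[strtolower(trim($k))] = trim($v, " \t\"");
    }
    return ['type' => $type, 'params' => $params];
}

// Leading bytes of the image types the thread names (constructed allow-list).
const IMAGE_MAGIC = [
    'image/gif'   => ["GIF87a", "GIF89a"],
    'image/jpeg'  => ["\xFF\xD8\xFF"],
    'image/pjpeg' => ["\xFF\xD8\xFF"],
    'image/png'   => ["\x89PNG\r\n\x1A\n"],
    'image/x-png' => ["\x89PNG\r\n\x1A\n"],
];

// Accept an upload only if the declared type is allowed AND the bytes match it.
function upload_is_acceptable(string $declared_type, string $file_head): bool {
    $type = parse_content_type($declared_type)['type'];
    if (!isset(IMAGE_MAGIC[$type])) {
        return false;
    }
    foreach (IMAGE_MAGIC[$type] as $magic) {
        if (strncmp($file_head, $magic, strlen($magic)) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed inputs: a genuine PNG header, then a script declared as a PNG.
$png_head = "\x89PNG\r\n\x1A\n\0\0\0\x0DIHDR";
var_dump(upload_is_acceptable('image/png; name=foobar', $png_head));
var_dump(upload_is_acceptable('image/png', "<?php echo 1;"));
```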