

Is this a sign that my website can be SQL injected?





likeabreeze
Just tested my website in terms of SQL injection, here is the result:
1. The URL http://example.com/a.php?a=1&b=2 selects 8 items from the database.
2. The URL http://example.com/a.php?a=1&b=2' (notice the single quote) selects tens of thousands of items from the database with a timeout error.
I really don't know if that means my website can be SQL injected.
If it can be SQL injected, is that dangerous? What are you gonna do to hack me?
Gregoric
It depends whether you have protection against SQL injection attacks in your PHP script that operates on MySQL. You may want to read some articles on the topic and insert several lines of code to prevent such attacks. The code mainly ensures that the calls that are made to your database do not contain commands that would, for example, wipe your whole database or do something else.

Also, I would recommend you to use the $_POST method instead of $_GET or $_REQUEST, but that is another topic :)
jmraker
SQL injections can be bad: they can create/delete databases, or tables, or table data. They can also output a query to a file that they can download.

Before you fix it you should output the SQL query that it's actually running to find out why it's doing that.

Then you should sanity check the data going into the query. For numbers you could do
$SQL = 'SELECT * FROM table WHERE id BETWEEN ' . (int)$_GET['a'] . ' AND ' . (int)$_GET['b'];

where the "(int)" will convert the string into a number, removing any non-numeric letters.
For the strings you'd use the mysql_real_escape_string function.
http://php.net/manual/en/function.mysql-real-escape-string.php
likeabreeze
Gregoric wrote:
It depends whether you have protection against SQL injection attacks in your PHP script that operates on MySQL. You may want to read some articles on the topic and insert several lines of code to prevent such attacks. The code mainly ensures that the calls that are made to your database do not contain commands that would, for example, wipe your whole database or do something else.

Also, I would recommend you to use the $_POST method instead of $_GET or $_REQUEST, but that is another topic :)

jmraker wrote:
SQL injections can be bad: they can create/delete databases, or tables, or table data. They can also output a query to a file that they can download.

Before you fix it you should output the SQL query that it's actually running to find out why it's doing that.

Then you should sanity check the data going into the query. For numbers you could do
$SQL = 'SELECT * FROM table WHERE id BETWEEN ' . (int)$_GET['a'] . ' AND ' . (int)$_GET['b'];

where the "(int)" will convert the string into a number, removing any non-numeric letters.
For the strings you'd use the mysql_real_escape_string function.
http://php.net/manual/en/function.mysql-real-escape-string.php



Well, thanks for your info.
But do you think my website can be SQL injected based on that result?
sonam
Yes it can. Like Gregoric pointed out, just use some SQL protection and you can use $_GET. Here is a good example for MySQL.

http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

Sonam
Marcuzzo
Dude, seriously, never use $_GET values directly in your query.
In fact, leave out $_GET and $_REQUEST altogether; IMO you'd best use $_POST.

Always validate data before executing a query.

In terms of SQL injection it all depends on what your code does.
If you allow deleting users or resetting passwords in this way then you are in trouble.
If you only use it to display data then you should be OK, until a hacker finds the name of any table.

With SQL injection you can do anything, and it is the coder's responsibility to write secure code.

So the following situation is a big no-no:

Let's say you've got a form with username and password and you send these values to a script using the $_GET method.

Code:

$q = "SELECT * FROM table WHERE table.username='" . $_GET['username'] . "' AND table.password='" . $_GET['password'] . "';";


Say I have a username of "TEST_USER" and a password of "TEST_PWD". When submitting the form this would turn $q into:
Code:
SELECT * FROM table where table.username='TEST_USER' AND  table.password='TEST_PWD';


Now let's try this:
Enter username: TEST_USER
Enter password: BLA' OR 1=1

This will translate to:
Code:
SELECT * FROM table where table.username='TEST_USER' AND  table.password='BLA' OR 1=1';

and this is where you're F#sked!

I haven't tested this, but imagine I would enter the password:
Code:
BLA'; DROP TABLE table

bye bye table 'table'
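The two patterns discussed above (jmraker's numeric cast and Marcuzzo's quoted-string login query) side by side with their parameterized counterparts, as an added example that is not from the thread. It is Python over an in-memory SQLite table standing in for the PHP/MySQL code; the table, rows and function names are constructed for this example, and it uses only the inputs already shown in the thread.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the MySQL table in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "TEST_USER", "TEST_PWD"), (2, "alice", "s3cret")])
    return conn


def run(conn, sql, params=()):
    """Execute and return (rows, error) so the caller can see what the SQL parser did."""
    try:
        return conn.execute(sql, params).fetchall(), None
    except sqlite3.Error as e:
        return [], str(e)


def items_concat(conn, a, b):
    """likeabreeze's a.php?a=..&b=.. query built by raw string concatenation."""
    return run(conn, "SELECT id FROM users WHERE id BETWEEN " + a + " AND " + b)


def items_int(conn, a, b):
    """jmraker's numeric fix; unlike PHP's (int) it rejects junk instead of truncating it."""
    try:
        lo, hi = int(a), int(b)
    except ValueError:
        return [], "rejected: a and b must be integers"
    return run(conn, "SELECT id FROM users WHERE id BETWEEN ? AND ?", (lo, hi))


def login_concat(conn, username, password):
    """Marcuzzo's login query with the values pasted into the SQL string."""
    return run(conn, "SELECT * FROM users WHERE username='" + username +
               "' AND password='" + password + "'")


def login_param(conn, username, password):
    """Same query with placeholders: the driver sends values separately, so a quote is data."""
    return run(conn, "SELECT * FROM users WHERE username=? AND password=?",
               (username, password))


if __name__ == "__main__":
    db = make_db()
    print(items_concat(db, "1", "2'"))                  # error: the quote reached the SQL parser
    print(items_int(db, "1", "2'"))                     # rejected before any SQL is built
    print(login_concat(db, "TEST_USER", "BLA' OR 1=1"))  # SQL syntax error, not a login
    print(login_param(db, "TEST_USER", "BLA' OR 1=1"))   # no rows, no error
```

A database error that appears only when a quote is added to a parameter is the sign the original poster asked about: the quote reached the SQL parser, so the value is part of the statement, not data. In PHP the placeholder form corresponds to PDO or mysqli prepared statements.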
Peterssidan
Don't really understand how some of you can recommend POST instead of GET without knowing what the page is used for. Each has its own purpose. GET is good if you want the parameters to be visible in the URL. It makes it easy to change the parameters manually and it allows you to link directly to the page. POST is usually better if you have a submit form, especially if it changes something in the database.

This page vt-156494.html is just a rewrite of viewtopic.php?t=156494 so it uses GET. If the forum had used POST the whole forum navigation would have to be done through submit buttons (or using AJAX) and it would be impossible to link to a specific thread the normal way.

Googlebot sometimes submits forms to find new pages, but only if GET is used. GET is supposed to get information from the server but not change anything.
Marcuzzo
Peterssidan wrote:
Don't really understand how some of you can recommend POST instead of GET without knowing what the page is used for. Each has its own purpose. GET is good if you want the parameters to be visible in the URL. It makes it easy to change the parameters manually and it allows you to link directly to the page. POST is usually better if you have a submit form, especially if it changes something in the database.

This page vt-156494.html is just a rewrite of viewtopic.php?t=156494 so it uses GET. If the forum had used POST the whole forum navigation would have to be done through submit buttons (or using AJAX) and it would be impossible to link to a specific thread the normal way.

Googlebot sometimes submits forms to find new pages, but only if GET is used. GET is supposed to get information from the server but not change anything.


I'm not saying GET is bad. GET should definitely be used where needed, but I would definitely advise against using it directly in SQL statements.
Peterssidan
Marcuzzo wrote:
Peterssidan wrote:
Don't really understand how some of you can recommend POST instead of GET without knowing what the page is used for. Each has its own purpose. GET is good if you want the parameters to be visible in the URL. It makes it easy to change the parameters manually and it allows you to link directly to the page. POST is usually better if you have a submit form, especially if it changes something in the database.

This page vt-156494.html is just a rewrite of viewtopic.php?t=156494 so it uses GET. If the forum had used POST the whole forum navigation would have to be done through submit buttons (or using AJAX) and it would be impossible to link to a specific thread the normal way.

Googlebot sometimes submits forms to find new pages, but only if GET is used. GET is supposed to get information from the server but not change anything.

I'm not saying GET is bad. GET should definitely be used where needed, but I would definitely advise against using it directly in SQL statements.

POST shouldn't be used directly in SQL statements either.
Marcuzzo
Peterssidan wrote:
Marcuzzo wrote:
Peterssidan wrote:
Don't really understand how some of you can recommend POST instead of GET without knowing what the page is used for. Each has its own purpose. GET is good if you want the parameters to be visible in the URL. It makes it easy to change the parameters manually and it allows you to link directly to the page. POST is usually better if you have a submit form, especially if it changes something in the database.

This page vt-156494.html is just a rewrite of viewtopic.php?t=156494 so it uses GET. If the forum had used POST the whole forum navigation would have to be done through submit buttons (or using AJAX) and it would be impossible to link to a specific thread the normal way.

Googlebot sometimes submits forms to find new pages, but only if GET is used. GET is supposed to get information from the server but not change anything.

I'm not saying GET is bad. GET should definitely be used where needed, but I would definitely advise against using it directly in SQL statements.

POST shouldn't be used directly in SQL statements either.


Let's not forget about $_REQUEST :D
Peterssidan
Marcuzzo wrote:
Peterssidan wrote:
Marcuzzo wrote:
Peterssidan wrote:
Don't really understand how some of you can recommend POST instead of GET without knowing what the page is used for. Each has its own purpose. GET is good if you want the parameters to be visible in the URL. It makes it easy to change the parameters manually and it allows you to link directly to the page. POST is usually better if you have a submit form, especially if it changes something in the database.

This page vt-156494.html is just a rewrite of viewtopic.php?t=156494 so it uses GET. If the forum had used POST the whole forum navigation would have to be done through submit buttons (or using AJAX) and it would be impossible to link to a specific thread the normal way.

Googlebot sometimes submits forms to find new pages, but only if GET is used. GET is supposed to get information from the server but not change anything.

I'm not saying GET is bad. GET should definitely be used where needed, but I would definitely advise against using it directly in SQL statements.

POST shouldn't be used directly in SQL statements either.

Let's not forget about $_REQUEST :D

Yes, and $_COOKIE too. Simply don't trust any information sent by the user's browser.
zimmer
That really depends on what platform you are using.
© 2005-2011 Frihost, forums powered by phpBB.