Hi,
http://paperhub.x10hosting.com/links.php
I have been told that it would be quite easy to do an SQL injection on this page.
Does anyone know if this is true, and if it is how would I fix it?
~Callum
I can customise your phpBB board. Send me a PM.
lynxphp - info, tutorials and scripts
"A forum post should be like a skirt; long enough to cover the subject but short enough to keep things interesting."
I tried a couple of possible exploits, but I don't think any of them worked (however, I could be wrong too). What you should pay attention to for SQL injections is every variable that goes into your query. For example with the order by: if $_GET["o"] is not equal to "asc" or "desc", don't use the value in your query. Pay special attention to strings that are actually dependent on user input, such as usernames. If such variables are used in your query, ALWAYS use mysql_escape_string on them, to make sure all special characters in SQL are escaped.
Example:
PHP Code:
$query = "SELECT * FROM `users` WHERE `login`= '".mysql_escape_string($_GET["login"])."'";
Real programmers don't document their code - if it was hard to write, it should be hard to understand.
Nothing is always absolutely so.
(visited only http://paperhub.x10hosting.com/links.php )
My suggestion would be to use POST instead of GET in every form, and to use pre-fabricated queries (if possible).
eg.
(ugly pseudo code)
PHP Code:
if ($_POST['ob'] == 'name' && $_POST['o'] == 'asc') {
    // query, no variables in here
    $sql = "SELECT * FROM `links` ORDER BY `Name` ASC";
} elseif ($_POST['ob'] == 'added' && $_POST['o'] == 'desc') {
    // query, no variables in here
    $sql = "SELECT * FROM `links` ORDER BY `added` DESC";
} else {
    ...
}
escape every user input (it couldn't hurt to escape your output, too..)
easy and cheap solution :P
Last edited by slacker3; 01-09-2010 at 04:51 PM.
Better yet, use a DB driver (such as PDO) that supports prepared statements, which aren't vulnerable to SQL injection. You still have to consider other types of injection attacks, such as XSS.
Be sure to read all pages linked in this post; they have further information that should prove useful. When asking for help, make sure you follow Eric Raymond's and Jon Skeet's guidelines for prompt, accurate responses. Please answer any questions I ask; they're not rhetorical (probably). Any posted code is intended as illustrative example, rather than a solution to your problem to be copied without alteration. Study it to learn how to write your own solution.Misson, not Mission.
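Putting the two replies above together, as an added example (not code from any post in this thread): values such as a login name are bound through PDO prepared statements, while the ORDER BY column and direction, which cannot be bound as parameters, are mapped through a whitelist, and output is HTML-escaped. The `users` and `links` tables and their columns are taken from the code in this thread; the DSN and credentials are placeholders.

```php
<?php
// Added example, not from any post in this thread.
// DSN and credentials are placeholders; table/column names follow this thread.
$pdo = new PDO(
    'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4',
    'PLACEHOLDER_USER',
    'PLACEHOLDER_PASS',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, not client-side quoting
    ]
);

// Case 1: a user-supplied VALUE. This is the login lookup from the first reply,
// with a bound parameter instead of mysql_escape_string(). Input such as
// ' OR 1=1 --  stays a plain string value and never becomes SQL syntax.
function findUser(PDO $pdo, string $login): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM `users` WHERE `login` = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Case 2: a user-supplied IDENTIFIER/keyword (ORDER BY from links.php).
// Placeholders cannot stand in for column names, so only whitelisted
// fragments reach the SQL; anything else falls back to the default ordering.
function fetchLinks(PDO $pdo, string $orderBy, string $direction): array
{
    $columns    = ['name' => '`Name`', 'added' => '`added`', 'date' => '`Date`'];
    $directions = ['asc' => 'ASC', 'desc' => 'DESC'];
    $col = $columns[strtolower($orderBy)]      ?? '`Name`';
    $dir = $directions[strtolower($direction)] ?? 'ASC';
    return $pdo->query("SELECT * FROM `links` ORDER BY $col $dir")
               ->fetchAll(PDO::FETCH_ASSOC);
}

// Output side: escape for HTML so stored data cannot inject markup (the XSS
// point raised above), independently of how the SQL was built.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

foreach (fetchLinks($pdo, $_GET['ob'] ?? '', $_GET['o'] ?? '') as $row) {
    echo '<a href="' . h($row['Link']) . '"><b>' . h($row['Name']) . '</b></a><br />';
    echo '<p>' . h($row['Description']) . '</p>';
}
```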
My suggestion, if we prevent SQL injections as opposed to binary, is to use URL Encoding or Hex Encoding.
I haven't seen a complete example of stopping SQL Injections, most refer to use the mysql_real_escape_string function or param statements.
Regards ~ Vishal
Giving Reputation(at bottom of my post ) is the best way to encourage the person who helped you on forums.
So is this better:
Code:
<?php
if (isset($_GET['ob']) && isset($_GET['o'])
    && (($_GET['o'] == "asc") || ($_GET['o'] == "desc"))
    && (($_GET['ob'] == "name") || ($_GET['ob'] == "added") || ($_GET['ob'] == "date"))) {
    // both values matched the whitelist, so only known column names and
    // directions can reach the query
    $sql = "SELECT * FROM `links` ORDER BY `{$_GET['ob']}` {$_GET['o']}";
} else {
    $sql = "SELECT * FROM `links` ORDER BY `Name` ASC";
}
$result = mysqli_query($cxn, $sql) or die("SQL failed");
$num = 1;
while ($row = mysqli_fetch_array($result)) {
    extract($row);
    // row values are echoed without HTML escaping
    echo "<a href=\"$Link\"><b>$Name</b></a><br /><p>$Description</p><p style=\"font-size:7pt\">Added by $added at $Date</p><br />";
    $num++;
}
?>
Thanks for helping
~Callum
Yes, that code cannot create a query with any values different from legit ones. Very good.
Make sure your search function is as safe as this one and you'll be SQL-injection-free.
My search boxes are written by google and phpbb, so I'm kinda hoping they're secure
Thanks again,
~Callum
They should be fine.
You can test the most common SQL (or XSS) injection attacks against your forms automatically
with the Firefox extension "SQL Inject-Me" (or "XSS-Me"), which is part of the "Exploit-Me" suite.
List of useful Firefox Extensions on my site. (the last one in "Security auditing")
Last edited by slacker3; 01-10-2010 at 09:46 AM.