Old 11-15-2004
Chris Hope
 
Re: Have been hacked ????

Bob Bedford wrote:

> Thanks for your reply Michael.
>
>>>I have my local code and would like to know if my code is open to hackers.
>>>I'd like to see if it's possible to drop a database by simply inserting a
>>>mysql statement in any field (text box or anything). Does anybody know
>>>how to check?

>>
>> Google for (Advanced) SQL Injection.

> I can't check the injection technique: here is my code:
> $colname_Recordset1 = $HTTP_POST_VARS['User'];
> $colname_Recordset2 = $HTTP_POST_VARS['Pass'];
> $query_Recordset1 = "SELECT * FROM person WHERE User =
> \"$colname_Recordset1\" AND Pass = \"$colname_Recordset2\";";
>
> I insert this (user/pass):
> " OR 1="1
> " OR 1="1
> Now, the query result is:
> SELECT * FROM person WHERE User = "\" OR 1=\"1" AND Pass = "\" OR 1=\"1";
>
> How can I be sure it can't be hacked?


You can *never* *ever* trust data that comes from a post, a get or a cookie,
and must *always* escape quotes in strings (or use database libraries that
do it for you with placeholders in the queries, or via the use of stored
procedures if the DBMS supports them).

So in your example above, you should be doing the following:

$colname_Recordset1 = addslashes($HTTP_POST_VARS['User']);
$colname_Recordset2 = addslashes($HTTP_POST_VARS['Pass']);

OR

$colname_Recordset1 = mysql_escape_string($HTTP_POST_VARS['User']);
$colname_Recordset2 = mysql_escape_string($HTTP_POST_VARS['Pass']);

OR

$colname_Recordset1 = mysql_real_escape_string($HTTP_POST_VARS['User']);
$colname_Recordset2 = mysql_real_escape_string($HTTP_POST_VARS['Pass']);

If it's an integer value you are expecting then cast it as one like so:

$trusted_integer_value = (int)$HTTP_POST_VARS['untrusted_value'];

If you don't do this, someone may be able to figure out how to modify the
query by passing a quote character (especially if any errors such as the
query itself are output to the web page in the event of an error), end the
query so it is valid, and then start another query which deletes all data
from the table, or something else similar.

--
Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com/
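The login query from the thread, written both ways the reply describes, as an added example that is not code from either poster. The concatenated form reproduces the original `$query_Recordset1` defect; the second form uses PDO placeholders, and the third shows the `(int)` cast for an integer field. It runs against an in-memory SQLite database rather than MySQL (so the `pdo_sqlite` extension is assumed), the `person` table and its one row are constructed for the demo, and the test input is the single-quote form of the `" OR 1="1` string because this query quotes its literals with `'`.

```php
<?php
// Added example, not code from the thread. Same login query as the original
// poster's, once as string concatenation (the vulnerable form) and once as a
// PDO prepared statement (placeholders, as the reply recommends). Uses an
// in-memory SQLite database so it runs without a MySQL server; assumes the
// pdo_sqlite extension is loaded. Table contents are constructed for the demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE person (id INTEGER PRIMARY KEY, User TEXT, Pass TEXT)');
$pdo->exec("INSERT INTO person (id, User, Pass) VALUES (1, 'alice', 'correct-horse')");

// Vulnerable form: the request values are pasted into the SQL text, exactly
// as in the original $query_Recordset1. Kept only so the difference is visible.
function loginUnsafe(PDO $pdo, string $user, string $pass): bool
{
    $sql = "SELECT * FROM person WHERE User = '$user' AND Pass = '$pass'";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC) !== false;
}

// Fixed form: the SQL text is fixed at prepare() time and the values travel
// separately, so a quote in the input can never close the string literal.
function loginSafe(PDO $pdo, string $user, string $pass): bool
{
    $stmt = $pdo->prepare('SELECT * FROM person WHERE User = ? AND Pass = ?');
    $stmt->execute([$user, $pass]);
    return $stmt->fetch(PDO::FETCH_ASSOC) !== false;
}

// Integer input: cast as the reply suggests, then still bind it. Anything
// that is not a plain number collapses to its leading digits (or 0) under
// (int), so no SQL text from the request can reach the query.
function personById(PDO $pdo, $untrusted): ?array
{
    $id = (int) $untrusted;
    $stmt = $pdo->prepare('SELECT id, User FROM person WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The check the original poster did by hand, in single-quote form because
// the demo query quotes its strings with ' rather than ".
$payload = "' OR '1'='1";

var_dump(loginUnsafe($pdo, $payload, $payload));      // concatenated query
var_dump(loginSafe($pdo, $payload, $payload));        // same input, placeholders
var_dump(loginSafe($pdo, 'alice', 'correct-horse'));  // real credentials, placeholders
var_dump(personById($pdo, '1 OR 1=1'));               // cast integer, placeholders
```

Run with `php example.php`. The first `var_dump` prints `bool(true)`: with the concatenated query the `WHERE` clause becomes `User = '' OR '1'='1' AND Pass = '' OR '1'='1'`, which matches every row, so the login succeeds without a password. The second prints `bool(false)` because the same text is bound as a value and compared literally against the `User` column; the third prints `bool(true)`, showing that placeholders do not break the normal case. The last call returns only the row with `id` 1, since `(int)'1 OR 1=1'` is `1`. The same `prepare`/`execute` pattern works unchanged against MySQL by swapping the DSN, which is the modern replacement for the `mysql_real_escape_string` calls in the reply.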