This is a discussion on "Have been hacked ????" within the PHP Language forums, part of the PHP Programming Forums category.
My database suddenly disappeared from my ISP. I've logged in and the database doesn't exist anymore. I don't know anything about website hacking, so my code is possibly open for hackers. I've my local code and would like to know if my code is open for hackers. I'd like to see if it's possible to drop a database by simply inserting a MySQL statement in any field (text box or anything). Does anybody know how to check?

Bob
.oO(Bob Bedford)

> I've my local code and would like to know if my code is open for hackers.
> I'd like to see if it's possible to drop a database by simply insert mysql
> statement in any field (text box or anything). Does anybody know how to
> check ?

Google for (Advanced) SQL Injection.

Micha
Thanks for your reply Michael.

>> I've my local code and would like to know if my code is open for hackers.
>> I'd like to see if it's possible to drop a database by simply insert mysql
>> statement in any field (text box or anything). Does anybody know how to
>> check ?
>
> Google for (Advanced) SQL Injection.

I can't check the injection technique: here is my code:

    $colname_Recordset1 = $HTTP_POST_VARS['User'];
    $colname_Recordset2 = $HTTP_POST_VARS['Pass'];
    $query_Recordset1 = "SELECT * FROM person WHERE User = \"$colname_Recordset1\" AND Pass = \"$colname_Recordset2\";";

I insert this (user/pass):

    " OR 1="1
    " OR 1="1

Now, the query result is:

    SELECT * FROM person WHERE User = "\" OR 1=\"1" AND Pass = "\" OR 1=\"1";

How to be sure it can't be hacked?
Bob Bedford wrote:

> Thanks for your reply Michael.
>
>>> I've my local code and would like to know if my code is open for hackers.
>>> I'd like to see if it's possible to drop a database by simply insert
>>> mysql statement in any field (text box or anything). Does anybody know
>>> how to check ?
>>
>> Google for (Advanced) SQL Injection.
>
> I can't check the injection technique: here is my code:
> $colname_Recordset1 = $HTTP_POST_VARS['User'];
> $colname_Recordset2 = $HTTP_POST_VARS['Pass'];
> $query_Recordset1 = "SELECT * FROM person WHERE User =
> \"$colname_Recordset1\" AND Pass = \"$colname_Recordset2\";";
>
> I insert this (user/pass):
> " OR 1="1
> " OR 1="1
> Now, the query result is:
> SELECT * FROM person WHERE User = "\" OR 1=\"1" AND Pass = "\" OR 1=\"1";
>
> How to be sure it can't be hacked ?

You can *never* *ever* trust data that comes from a post, a get or a cookie, and must *always* escape quotes in strings (or use database libraries that do it for you with placeholders in the queries, or via the use of stored procedures if the DBMS supports them).

So in your example above, you should be doing the following:

    $colname_Recordset1 = addslashes($HTTP_POST_VARS['User']);
    $colname_Recordset2 = addslashes($HTTP_POST_VARS['Pass']);

OR

    $colname_Recordset1 = mysql_escape_string($HTTP_POST_VARS['User']);
    $colname_Recordset2 = mysql_escape_string($HTTP_POST_VARS['Pass']);

OR

    $colname_Recordset1 = mysql_real_escape_string($HTTP_POST_VARS['User']);
    $colname_Recordset2 = mysql_real_escape_string($HTTP_POST_VARS['Pass']);

If it's an integer value you are expecting then cast it as one like so:

    $trusted_integer_value = (int)$HTTP_POST_VARS['untrusted_value'];

If you don't do this, someone may be able to figure out how to modify the query by passing a quote character (especially if any errors such as the query itself are output to the web page in the event of an error), end the query so it is valid, and then start another query which deletes all data from the table, or something else similar.

--
Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com/
.oO(Bob Bedford)

> Thanks for your reply Michael.
>
>>> I've my local code and would like to know if my code is open for hackers.
>>> I'd like to see if it's possible to drop a database by simply insert mysql
>>> statement in any field (text box or anything). Does anybody know how to
>>> check ?
>>
>> Google for (Advanced) SQL Injection.
>
> I can't check the injection technique: here is my code:
> $colname_Recordset1 = $HTTP_POST_VARS['User'];

Use $_POST instead, the old $HTTP_*_VARS arrays are deprecated.

> $colname_Recordset2 = $HTTP_POST_VARS['Pass'];
> $query_Recordset1 = "SELECT * FROM person WHERE User =
> \"$colname_Recordset1\" AND Pass = \"$colname_Recordset2\";";

Use single quotes around strings in a query. Double quotes are a MySQL extension to the SQL standard and might not work on all systems.

> I insert this (user/pass):
> " OR 1="1
> " OR 1="1
> Now, the query result is:
> SELECT * FROM person WHERE User = "\" OR 1=\"1" AND Pass = "\" OR 1=\"1";

Looks like PHP's magic quotes take effect, but I wouldn't rely on that. In fact in my code I use a kind of input filter function to remove the magic quotes before my application code gets its hands on the data. This way I can do all the necessary escaping stuff on my own and don't have to rely on a particular configuration setting.

> How to be sure it can't be hacked ?

Most important rule: Never trust any user-submitted data. Never. Everything(!) that comes in via GET or POST can be manipulated. Really everything, even the content of hidden or read-only form fields. Before using user-submitted data in a query, think about what values are allowed and validate/adjust accordingly:

* If the field is numeric it's pretty simple, use intval() for casting to an integer or something like that.
* If one value from a given set of values is allowed, store all allowed values in an array and use in_array() to check if the submitted value is an allowed one.
* Strings are a bit more difficult. With MySQL it should be enough to run the submitted data through mysql_escape_string(), this will escape all special characters like single quotes. First check the setting of the magic quotes with get_magic_quotes_gpc() to avoid double escaping.

It would make sense to write some simple functions for handling the data, so you don't have to write the validation code again and again.

Second important rule: Even if the data made it successfully into the database, that doesn't mean the danger is over. Whenever you fetch some data from your db to re-use it in another query, validate again. Otherwise an attacker might be able to inject code that doesn't work on the first insert, but on the re-using of the data (second-order SQL injection).

HTH
Micha
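The following is an added example, not code posted by anyone in this thread. It puts Chris Hope's "escape or use placeholders" advice and Micha's validation and second-order rules into one runnable PHP script. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database so it runs offline (the thread's code targeted MySQL through the old mysql_* functions, which no longer exist in PHP 7 and later); the table and column names (person, User, Pass) come from Bob's query, every row is constructed for the demo, and the function names are the example's own.

```php
<?php
// Added example, not code from the thread. PDO + in-memory SQLite so it
// runs offline; table/column names come from Bob's query, rows are made up.

function setup_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE person (id INTEGER PRIMARY KEY, User TEXT, Pass TEXT)');
    // Constructed sample account.
    $db->exec("INSERT INTO person (User, Pass) VALUES ('alice', 'correct-horse')");
    return $db;
}

// Bob's pattern: form input concatenated straight into the SQL text
// (single quotes, as Micha recommends, instead of MySQL-only double quotes).
function login_vulnerable(PDO $db, string $user, string $pass): int
{
    $sql = "SELECT * FROM person WHERE User = '$user' AND Pass = '$pass'";
    return count($db->query($sql)->fetchAll());
}

// Placeholders: the value travels separately from the statement, so a quote
// in the input is data, never syntax. This replaces the addslashes() /
// mysql_real_escape_string() step entirely.
function login_prepared(PDO $db, string $user, string $pass): int
{
    $stmt = $db->prepare('SELECT * FROM person WHERE User = ? AND Pass = ?');
    $stmt->execute([$user, $pass]);
    return count($stmt->fetchAll());
}

// Micha's rules for values a placeholder cannot carry: cast numbers and
// check names against a fixed list (an ORDER BY column is an identifier,
// so it can only be whitelisted, not bound).
function page_size($raw): int
{
    $n = intval($raw);
    return ($n >= 1 && $n <= 100) ? $n : 10;   // fall back to a sane default
}

function sort_column(string $raw): string
{
    $allowed = ['id', 'User'];
    return in_array($raw, $allowed, true) ? $raw : 'id';
}

// Second-order injection: the name is stored safely with a placeholder, but
// code that later re-uses the *fetched* value by concatenation is just as
// exposed as Bob's login query was. Bind (or validate) on every query.
function second_order(PDO $db): array
{
    $name = "x' OR '1'='1";   // constructed: a user name containing a quote
    $db->prepare('INSERT INTO person (User, Pass) VALUES (?, ?)')
       ->execute([$name, 'pw']);
    $stored = $db->query("SELECT User FROM person WHERE Pass = 'pw'")->fetchColumn();

    // Unsafe re-use: the stored quote breaks out of the string literal again,
    // so the lookup matches every row instead of one.
    $unsafe = count($db->query("SELECT * FROM person WHERE User = '$stored'")->fetchAll());

    // Safe re-use: the same lookup with a bound parameter matches one row.
    $stmt = $db->prepare('SELECT * FROM person WHERE User = ?');
    $stmt->execute([$stored]);
    return ['unsafe_rows' => $unsafe, 'safe_rows' => count($stmt->fetchAll())];
}

$db = setup_db();
$bypass = "' OR '1'='1";   // Bob's " OR 1="1 input, rewritten for single-quoted SQL
printf("vulnerable login, bypass input:  %d row(s)\n", login_vulnerable($db, $bypass, $bypass)); // 1
printf("prepared login, bypass input:    %d row(s)\n", login_prepared($db, $bypass, $bypass));   // 0
printf("prepared login, real credentials: %d row(s)\n", login_prepared($db, 'alice', 'correct-horse')); // 1
printf("page size from '25abc' -> %d, sort column from 'Pass' -> %s\n",
       page_size('25abc'), sort_column('Pass'));   // 25, id
print_r(second_order($db));   // unsafe_rows => 2, safe_rows => 1
```

Run it with `php example.php`. The design point is that escaping (addslashes, mysql_real_escape_string) patches the symptom at each call site and is easy to forget once, while a bound parameter makes the quote-in-input problem structurally impossible for that query; the whitelist helpers cover the identifiers and numbers that bind parameters cannot express, and second_order() shows why Micha's "validate again on re-use" rule matters even when the first insert was done correctly.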
Don't know if I am missing something here as I'm a bit of a PHP/SQL newb but here goes:

Surely if the correct permissions are given to the web user, tables/databases cannot be dropped?

The account on my machine which is used by webusers is restricted to select, update, delete etc and drop is most certainly not allowed!

Stop me if I'm missing something obvious :)
Lozarythmic wrote:

> Dont know if i am missing something here as i'm a bit of a PhP/SQL
> newb but here goes:
>
> Surely if the correct permissions are given to the web user,
> tables/databases cannot be dropped?
>
> The account on my machine which is used by webusers is restricted to
> select, update, delete etc and drop is most certainly not allowed!
>
> Stop me if i'm missing something obvious :)

Even if you don't have rights to drop a table, you can still do a lot of damage with delete rights. delete * from tablename is pretty damaging...

--
Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com/