SQL injection

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
abalfazl
Forum Commoner
Posts: 71
Joined: Mon Sep 05, 2005 10:05 pm

SQL injection

Post by abalfazl »

Hello!
It should also be noted that escaping the data is a useless precaution unless you encapsulate ALL submitted fields in quotation marks, including suspected numeric data. MySQL does not force you to wrap your numbers in quotes, but it MUST be done to keep users from injecting code.

Code: Select all

$new_num = $_POST['new_num'];
 
// SECURITY RISK
mysql_query("UPDATE user_info SET icq_num=$new_num WHERE my_num=1");
 
// better
mysql_query("UPDATE user_info SET icq_num='$new_num' WHERE my_num='1'");
 
It is actually better to use option 2 anyway because MySQL takes longer to process unquoted arguments in some cases. A good example is when you do a search against a character field using a non-quoted number, much like the first example above (no idea why though).

This is correct as of MySQL 4.0.13.
Why this is better?icq_num='$new_num'

Please give me example about this:
What happened if I don't use ' around $new_num?
User avatar
JAB Creations
DevNet Resident
Posts: 2341
Joined: Thu Jan 13, 2005 6:44 pm
Location: Sarasota Florida
Contact:

Re: SQL injection

Post by JAB Creations »

All you have to do to prevent a MySQL injection is strip slashes...

Code: Select all

$username = mysql_real_escape_string($_POST['username']);
abalfazl
Forum Commoner
Posts: 71
Joined: Mon Sep 05, 2005 10:05 pm

Re: SQL injection

Post by abalfazl »

hi


http://www.webappsec.org/projects/artic ... 7.shtml#pb

4. Integer values

---------[ Example 3. (viewprofile.php) ]------------
$userid = isset($_GET['id']) ? $_GET['id'] : 0;
$userid = mysql_real_escape_string($userid);
RunQuery("SELECT userid, username FROM sql_injection_test
WHERE userid=$userid");
---------[ Tests: ]------------------------------
1. id=0
2. id=1
3. id=2
4. id=3
5. id='
6. id=0 or 1
7. id=0 UNION ALL SELECT userid, CONCAT(username, ' ', password)
FROM sql_injection_test WHERE 1
8. id=0 UNION ALL SELECT userid, CONCAT(username, CHAR(32), password)
FROM sql_injection_test WHERE 1
--------------------------------------------------

Example 3 accepts a numeric parameter, userid, and displays information about that user. The first four tests as before demonstrate how the script is expected to behave, and the 5th test shows that even the escaped parameter can raise an error. The trouble here is that the query assumes that the parameter will be integer and so is written without quotes. The attacker, though, doesn't need a "breaking quote", as whatever he enters goes directly to the query to be interpreted as SQL syntax. Test 6 manipulates the WHERE clause into returning all user records. As we can see from 7, mysql_real_escape_string() prevents the success of injected queries that include quotes. Any such query can be rewritten in a way as not to use quotes though, so test 8 succeeds where 7 failed.

Another question:
You may use stored procedures and previously defined cursors to abstract data access so that users do not directly access tables or views, but this solution has another impacts.
What are stored procedures and previously defined cursors?
Post Reply