So what protects PHP from "PHP injection attacks"?

Posted: Fri Oct 16, 2009 4:11 pm
by Glowing Face Man
Hi everyone, new to the boards.

I was just wondering, why isn't php injection a danger like SQL injection is?

We all know, if you put in a line like

Code:

$query=mysql_query("SELECT * FROM list WHERE name='".$_GET["name"]."'");
then people can screw you up by sending, say,
'; DELETE FROM list
as the "name" :|

But what I'm wondering is, why are SQL query strings the only place where this security issue comes up?
In the above example, what if someone sent the following name variable:
'"); unlink("index.php

Why wouldn't that also screw you up?

Re: So what protects PHP from "PHP injection attacks"?

Posted: Fri Oct 16, 2009 4:26 pm
by John Cartwright
mysql_query() can only run one query at a time; this is a design feature. However, you always want to pass your input through mysql_real_escape_string() or cast it to an integer.
Glowing Face Man wrote:But what I'm wondering is, why are SQL query strings the only place where this security issue comes up?
In the above example, what if someone sent the following name variable:
'"); unlink("index.php
It will not evaluate PHP, it is only sending an SQL string to mysql.

Re: So what protects PHP from "PHP injection attacks"?

Posted: Fri Oct 16, 2009 4:26 pm
by Eric!
It is vulnerable like SQL. But it's called cross site scripting (XSS).

Here's a quick example

Say you have an echo like this on your page
echo $_SERVER['PHP_SELF']; // no filtering of the user data

And someone goes to your page with
http://example.com/testpage.php?%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E

They get to run their stuff on your server. (In this example a harmless <script>alert('xss')</script> ) But they can steal session data or do other nasty things.
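As an added example (my code, not Eric!'s), here is the unfiltered echo from the post beside the same output with HTML encoding applied. It assumes the payload arrives in the path-info part of the URL, which is the part PHP_SELF reflects, and uses a constructed value in place of a live request so it runs from the command line; the helper name h() is mine.

```php
<?php
// Added example; not code from the thread. Demonstrates reflected XSS through
// $_SERVER['PHP_SELF'] and the output encoding that neutralises it.

// Encode a value for insertion into HTML text or a quoted attribute.
function h(string $value): string
{
    // ENT_QUOTES encodes both ' and " (needed inside attributes);
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample value: what PHP_SELF holds for a request to
//   /testpage.php/<script>alert('xss')</script>
// The path-info suffix is reflected verbatim; a query string is not part of PHP_SELF.
$_SERVER['PHP_SELF'] = "/testpage.php/<script>alert('xss')</script>";

// Vulnerable: the pattern from the post. The value lands in an HTML text node,
// so the browser parses the injected tag as markup and runs the script.
$unsafe = '<p>You are at ' . $_SERVER['PHP_SELF'] . '</p>';

// Hardened: encode at the HTML sink. The characters < > " ' & become entities,
// so the browser renders the payload as visible text and executes nothing.
$safe = '<p>You are at ' . h($_SERVER['PHP_SELF']) . '</p>';

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;
```

The encoding is applied where the value is written into HTML, not where it is read: the same string may later go into SQL or a shell argument, and each of those sinks needs its own encoding.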

Re: So what protects PHP from "PHP injection attacks"?

Posted: Fri Oct 16, 2009 6:46 pm
by Christopher
First, you should at minimum do:

Code:

$query=mysql_query("SELECT * FROM list WHERE name='".mysql_real_escape_string($_GET["name"])."'");
No variable should go into SQL without being escaped. That gets rid of people trying to close a quote and inject SQL.
Glowing Face Man wrote:But what I'm wondering is, why are SQL query strings the only place where this security issue comes up?
In the above example, what if someone sent the following name variable:
'"); unlink("index.php

Why wouldn't that also screw you up?
That would not be a valid variable name. HTTP and PHP would change it. The other big injection problem is user-submitted values that contain HTML -- especially JavaScript.
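As an added example (my code, not Christopher's or John's), the escaped query from the post written against the mysqli API that replaced the mysql_* functions (those were removed in PHP 7), beside a prepared statement, which is the form to prefer. It assumes a MySQL table `list` with `name` and `id` columns, placeholder connection details, and the mysqlnd driver for get_result(); the function names are mine.

```php
<?php
// Added example; not code from the thread. Assumes a MySQL table `list` with
// `name` and `id` columns. Connection details are placeholders.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
// real_escape_string() is only correct for the connection's character set,
// so set it explicitly instead of relying on the server default.
$db->set_charset('utf8mb4');

// Minimum fix, as Christopher describes it, in mysqli terms: escape the value
// before concatenating it, so a quote in the input cannot close the string literal.
function findByNameEscaped(mysqli $db, string $name): array
{
    $sql = "SELECT * FROM list WHERE name = '" . $db->real_escape_string($name) . "'";
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// Preferred: a prepared statement. SQL text and values travel separately, so the
// value is never parsed as SQL; there is nothing to escape and nothing to forget.
function findByName(mysqli $db, string $name): array
{
    $stmt = $db->prepare('SELECT * FROM list WHERE name = ?');
    $stmt->bind_param('s', $name);   // 's' = bind as string
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // requires mysqlnd
    $stmt->close();
    return $rows;
}

// Numeric input: casting, as John suggests, leaves nothing for an attacker to inject.
function findById(mysqli $db, $id): array
{
    $id = (int) $id;
    return $db->query("SELECT * FROM list WHERE id = $id")->fetch_all(MYSQLI_ASSOC);
}

// The thread's payload as a constructed default: the prepared statement looks for a
// name literally equal to this string, finds none, and deletes nothing.
$name = $_GET['name'] ?? "'; DELETE FROM list";
foreach (findByName($db, $name) as $row) {
    // A second sink: the value now goes into HTML, so encode it for HTML here.
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```

The escaped variant still depends on every call site remembering the escape and on the character set being set correctly; the prepared statement removes both failure modes, which is why it is the better default even though the thread's minimum fix also closes the hole shown in the first post.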

Re: So what protects PHP from "PHP injection attacks"?

Posted: Sat Oct 17, 2009 9:02 am
by kaisellgren
By "PHP Injection Attacks", you are probably referring to RCE (i.e., Remote Code Execution). That can't happen in the code you have shown us. Try it yourself if you don't believe me. However, something like this would be obviously vulnerable to RCE attacks:

Code:

<?php
 
exec($_GET['e']);
Usually situations are not this simple when RCE vulnerabilities are found. Search Google for "php remote code execution vulnerability" if you would like to see where these problems often occur.

Re: So what protects PHP from "PHP injection attacks"?

Posted: Mon Oct 19, 2009 2:52 am
by Mordred
A small "visualization" aid in the matter:
(Unescaped) user input in a function that executes SQL queries --> SQL injection
(Unescaped) user input in a function that outputs html --> XSS
(Unescaped) user input in a function that executes PHP code --> Code execution
(etc)

Re: So what protects PHP from "PHP injection attacks"?

Posted: Fri Oct 23, 2009 9:22 am
by TheOnly92
Well, basically you don't take the user's input and execute it as PHP code, so you won't have to worry about "PHP injections". Unless you do something like eval($_POST['blabla']), and that could be dangerous.
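As an added example (my code, not kaisellgren's or TheOnly92's), here is what replaces exec($_GET['e']) and eval($_POST['blabla']) in practice: the request may pick an operation by name and supply one argument, but it never supplies code or a command string. The operation names, the handler bodies, the ping command and the host-name pattern are all this example's own choices; it assumes a system with a `ping` binary on the path.

```php
<?php
// Added example; not code from the thread. Shows the allow-list pattern that
// replaces eval() and exec() on request data.

// Replacement for eval($_POST['...']): the client names an operation and code
// that already exists in the source runs. Nothing from the request is compiled.
function operations(): array
{
    return [
        'square' => fn(float $x): float => $x * $x,
        'half'   => fn(float $x): float => $x / 2,
    ];
}

function compute(string $op, string $arg): ?float
{
    $ops = operations();
    if (!isset($ops[$op]) || !is_numeric($arg)) {
        return null;   // unknown operation or non-numeric argument: refuse
    }
    return $ops[$op]((float) $arg);
}

// Replacement for exec($_GET['e']): the command is fixed in the source. The only
// request-controlled part is one argument, validated against a strict pattern and
// then quoted with escapeshellarg() so the shell sees a single literal word.
function pingHost(string $host): ?string
{
    // Allow only host-name characters; spaces, ';', '|', '$', '(' are rejected outright.
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        return null;
    }
    $cmd = 'ping -c 1 ' . escapeshellarg($host) . ' 2>&1';
    exec($cmd, $output);
    return implode(PHP_EOL, $output);
}

// Constructed inputs of the kind the thread discusses. A function name or a
// shell metacharacter in the request is just an unknown key or a pattern
// mismatch; it is never interpreted.
var_dump(compute('square', '7'));
var_dump(compute('unlink("index.php")', '7'));
var_dump(pingHost('example.com; echo injected'));
```

Two layers are deliberate in pingHost(): the pattern check rejects anything that is not a host name before the shell is involved, and escapeshellarg() guarantees a single argument even if the pattern were later loosened. For the eval() case there is no escaping function at all; the only safe version is the one where user input selects among behaviours the code already defines.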