not quoting before running this query - insecure?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

not quoting before running this query - insecure?

Post by Luke »

Is there a vulnerability in doing this?

Code:

$db->select("SELECT * FROM table WHERE username = " . $unescaped_user_input);
Is it just when data is saved to a database that it can be harmful?
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Code:

$unescaped_user_input = "''; delete from table where 1";

$db->select("SELECT * FROM table WHERE username = " . $unescaped_user_input);
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

:oops: thanks

So it needs to be filtered, but is escaping it necessary?

EDIT: Wait, escaping those quotes would prevent that, huh?
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

d11wtq wrote:

Code:

$unescaped_user_input = "''; delete from table where 1";

$db->select("SELECT * FROM table WHERE username = " . $unescaped_user_input);
That won't work because mysql_query will not execute multiple queries.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Yeah, I tried it and couldn't get it to work, but I figured I did something wrong (because 99% of the time, that is the case).
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Code:

$data = "'' OR 1 = 1";
= auto login.

Not to mention that on most systems the first ID will be the admin's ID, thus if any privileges are selected... you'll have admin powers.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

I would create a validation class that validates common post variables. You can then use the same class for everything, i.e. the signup form, lost password form, login form, etc. This gives you several layers of protection.

Code:

$validate = new validation($unescaped_user_input);

try {
    if (!$validate->username) throw new Exception("Invalid Username.");
    $db->select("SELECT * FROM `table` WHERE `username`='" . mysql_real_escape_string($unescaped_user_input) . "' LIMIT 1");
} catch (Exception $e)
{
    echo $e->getMessage();
}
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Can't get that to work either (not saying it isn't true... more that I suck at hacking).
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

astions wrote:I would create a validation class that validates common post variables. You can then use the same class for everything, i.e. the signup form, lost password form, login form, etc. This gives you several layers of protection.

Code:

$validate = new validation($unescaped_user_input);

try {
    if (!$validate->username) throw new Exception("Invalid Username.");
    $db->select("SELECT * FROM `table` WHERE `username`='" . mysql_real_escape_string($unescaped_user_input) . "' LIMIT 1");
} catch (Exception $e)
{
    echo $e->getMessage();
}
Well, I already do that... I was merely wondering whether or not mysql_real_escape_string is necessary in this case.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Code:

SELECT * FROM table WHERE username = 'blah' OR 1 = 1;
That should work, the ' probably threw it off.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Strangely enough, it doesn't. And neither does

Code:

select * from Users WHERE username='blah' or user_id = 1;
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Post by jmut »

Hey all,
I think there is some misunderstanding here as to what escaping and validation really are.

ESCAPING is to prepare a given content to work/present itself adequately in a given context (db, html, whatever).

ESCAPING (preparing WHATEVER data to be safely introduced to a given context) has absolutely nothing to do with validation (data we would consider harmful to our application at some point).


So when you want to store/select data in a DB, for example, you just need to escape it (the only reliable way is either using mysql_real_escape_string() or prepared queries)... otherwise you fail to ensure your data will go wholly/unchanged into the database and you may experience a failed/injected SQL query.

Another example (for another context) is using htmlentities to properly introduce whatever data to an HTML context.

Now whether this data is valid for your application... it is up to you to decide... whether or not so... you escape data to fit correctly into its new context.
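To make the distinction jmut draws above concrete (and to show the escaped lookup from Benjamin's post done with the "prepared queries" option jmut mentions), here is an added PHP script that is not from the thread. It uses PDO with an in-memory SQLite table; the table name, columns, sample rows, the `isValidUsername` policy and the helper names are all assumptions made for this example. It prints, for each constructed input, the SQL string that naive concatenation would produce, whether the application's own validation rule accepts the value, and what a parameterised lookup returns.

```php
<?php
// Added example, not code from the thread. Demonstrates that escaping (here
// parameter binding) and validation are independent layers.
// Assumptions: in-memory SQLite via PDO; table, columns and rows are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (username) VALUES ('admin'), ('luke')");

// Validation: an application policy decision about which values are acceptable
// at all (assumed rule: 3-32 letters, digits or underscores). This is not what
// stops injection; it only narrows what the application is willing to accept.
function isValidUsername(string $username): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $username) === 1;
}

// Unsafe construction, built as a string only so the failure is visible and
// never executed here: the input becomes part of the SQL grammar, so a quote
// inside it changes the statement itself.
function buildUnsafeQuery(string $input): string
{
    return "SELECT * FROM users WHERE username = '" . $input . "'";
}

// Safe lookup: the value is bound as a parameter, so it is always treated as
// data and can never alter the statement's structure, whatever it contains.
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT user_id, username FROM users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a normal name, the thread's quote-based input, and a
// legitimate name that happens to contain an apostrophe.
$inputs = ["luke", "blah' OR 1 = 1", "O'Brien"];
foreach ($inputs as $input) {
    echo "input: {$input}\n";
    echo "  concatenated SQL would be: " . buildUnsafeQuery($input) . "\n";
    echo "  accepted by validation:    " . (isValidUsername($input) ? 'yes' : 'no') . "\n";
    $row = findUser($pdo, $input);
    echo "  prepared lookup result:    " . ($row === null ? 'no match' : "user_id={$row['user_id']}") . "\n";
}
```

Run it with `php example.php` (it needs the pdo_sqlite extension, which ships with most PHP builds). The second input shows why the concatenated query in the first post is unsafe: the quote closes the literal and the rest is parsed as SQL. The third input shows why validation and escaping are separate concerns: `O'Brien` may be rejected or accepted depending on the application's rule, but either way the bound parameter reaches the database unchanged and matches nothing, which is exactly jmut's point that escaping is about fitting data into its context, not about deciding whether the data is wanted.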