php Code - Help needed

Posted: Wed May 28, 2008 1:34 pm
by smruthi
Hi All,

I am in need of urgent help. One of the companies is putting a court case against me, saying the following code I wrote in 2006 was the ONLY reason for a server crash with another 194 sites on the same server. The following was the code I wrote:

---------------------------------------------------------------------------------------------------------------------------------------------------
function update_region($id,$regname,$regcom)
{
$query = "UPDATE region_mast SET region_name = '". $regname."',region_comments = '". $regcom."' WHERE region_id =" .$id;
mysql_query($query);
...
---------------------------------------------------------------------------------------------------------------------------------------------------
and they say the following is how I should have written the code, and that it would have been 100% safe from SQL injection attacks. Is their claim correct?
----------------------------------------------------------------------------------------------------------------------------------------------------
function update_region($id,$locname,$loccom)
{
$id = intval($id);
$locname = mysql_escape_string($locname);
$loccom = mysql_escape_string($loccom );
$query = "UPDATE location_mast SET location_name = '". $locname."',location_comments = '". $loccom."' WHERE location_id =" .$id;
mysql_query($query);
...
---------------------------------------------------------------------------------------------------------------------------------------------------

I deeply appreciate your quick advice.

Best Regards
Smruthi
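As an added example (not code from the thread or from either party), the update_region() above rewritten on PDO prepared statements and run against an in-memory SQLite table so it works offline. Table and column names follow the first snippet; the row data and the input value are constructed, and the pdo_sqlite extension is assumed.

```php
<?php
// Added example, not from the thread. Constructed table and data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE region_mast (region_id INTEGER PRIMARY KEY, region_name TEXT, region_comments TEXT)');
$db->exec("INSERT INTO region_mast VALUES (1, 'North', 'initial')");

// The original approach: values spliced into the SQL text. Any quote in the
// input changes the statement itself. Used here only to build the string.
function build_unsafe_query($id, $regname, $regcom) {
    return "UPDATE region_mast SET region_name = '" . $regname
         . "',region_comments = '" . $regcom . "' WHERE region_id =" . $id;
}

// Hardened version: the SQL text is fixed, every value travels as a bound
// parameter, and the id is forced to an integer. Escaping alone does not
// protect the unquoted numeric column, which is why the "safe" snippet
// in the thread also calls intval().
function update_region(PDO $db, $id, $regname, $regcom) {
    $stmt = $db->prepare('UPDATE region_mast SET region_name = :name, '
                       . 'region_comments = :com WHERE region_id = :id');
    $stmt->bindValue(':name', $regname, PDO::PARAM_STR);
    $stmt->bindValue(':com', $regcom, PDO::PARAM_STR);
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed input with a perfectly legitimate apostrophe.
$name = "Côte d'Ivoire";

// The apostrophe terminates the string literal early, so the concatenated
// statement is no longer the statement the author intended.
$unsafe = build_unsafe_query(1, $name, 'ok');
echo $unsafe, "\n";
try {
    $db->exec($unsafe);
} catch (PDOException $e) {
    echo "unsafe query rejected by the database: ", $e->getMessage(), "\n";
}

// The prepared statement stores the value verbatim, quote included.
update_region($db, 1, $name, 'ok');
$stored = $db->query('SELECT region_name FROM region_mast WHERE region_id = 1')->fetchColumn();
var_dump($stored === $name);
```

The same input that breaks the concatenated query is stored unchanged by the bound-parameter version, because the database never parses the value as SQL.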

Re: php Code - Help needed

Posted: Wed May 28, 2008 1:50 pm
by califdon
Other people here are more expert at security issues than me, but since you have an urgent need and nobody else has responded yet, I'll give you my opinion:

Using mysql_escape_string() function is indeed the proper way to avoid SQL injection (or at least one way).

I am even less qualified to speak about legal issues than security issues, but strictly as a private opinion, I am skeptical that the company has a solid legal case, unless they can prove (through server logs) that it was actually a SQL injection via your script that caused their server crash. I'm assuming that you were an employee of this company, since I can't imagine a web hosting company suing one of its customers. If you were their employee, they might have trouble proving that it was not their own negligence in properly training you, that contributed to the crash. And if they can actually prove that it was your script that caused the crash, then they have to prove that it caused specific damages to them. If they lost valuable data or lost revenue because their server was down, they might have provable damages.

Edit: Re-reading your post, it sounds like perhaps you were not an employee, but a customer of a hosting company. If that's the case, I would think there's even more of a defense, in that they would probably share the responsibility for security issues, in the design of their networks. Unless you purposely created the crash, which you obviously didn't, I would think their case is very weak. If there were risks, they should have warned you in their Terms of Service.

In any case, I would advise you to immediately find a lawyer who has experience with technical litigation.

Good luck.

Re: php Code - Help needed

Posted: Wed May 28, 2008 2:12 pm
by matthijs
There are many ways in which an SQL injection attack can take place. Read "The Unexpected SQL Injection".

In many, but not all, situations (see the article!), using mysql_real_escape_string() will prevent injection.

About the case: it seems strange they sue you for (maybe) making a mistake in your code. If they are successful, let me know so I can ask their lawyers to sue Microsoft for me for all the errors in Windows which have caused me so much trouble.

Re: php Code - Help needed

Posted: Wed May 28, 2008 2:53 pm
by califdon
matthijs wrote: There are many ways in which an SQL injection attack can take place. Read "The Unexpected SQL Injection".

In many, but not all, situations (see the article!), using mysql_real_escape_string() will prevent injection.

Ahh! I knew someone would come along with a better technical answer. Thanks, matthijs.

matthijs wrote: About the case: it seems strange they sue you for (maybe) making a mistake in your code. If they are successful, let me know so I can ask their lawyers to sue Microsoft for me for all the errors in Windows which have caused me so much trouble.

:rofl:

Re: php Code - Help needed

Posted: Wed May 28, 2008 3:12 pm
by matthijs
Don't thank me, thank Mordred for writing that great article. It's a must-read for anyone even thinking about using MySQL. The article even provides some example code which you can run on your test server to see for yourself what happens in the different situations. Very educational.

Re: php Code - Help needed

Posted: Wed May 28, 2008 4:02 pm
by Mordred
califdon made a very solid point regarding your liability (though you are still advised to consult a lawyer).

From a technical point of view, that code may or may not be vulnerable, depending on the life cycle of the function parameters. While the provided "100% safe from SQL injection attacks" code indeed is, the original snippet may still be protected, either intentionally or by circumstances (sometimes doing wrong things still produces protected code; maybe I should write an article on that as well ;) ).

Additionally, even a successful injection into this query should at most insert some arbitrary data into the database. It shouldn't affect other users or the whole hosting server, unless it's some kind of DoS attack, which in most cases is recoverable. Press the hosting company for more technical information on the "server crash". I'm very interested in what will come out of this, so please come back and tell your story (and I hope it will be to your advantage).

(Also, thanks for the compliments, guys, appreciated :))

Re: php Code - Help needed

Posted: Thu May 29, 2008 7:41 am
by Verminox
I may be wrong here, but I don't think you could be held responsible for causing a server crash because of SQL vulnerabilities. If somebody manages to exploit the vulnerabilities then your site will get compromised, but the shared web host should have made proper arrangements so that the rest of their server is not affected by what you do. As califdon said, re-read the terms of service you signed before hosting your site, and consult a lawyer immediately.

PS: What country are you from? The law varies from country to country. Smruthi sounds like an Indian name, and I've never heard of a web hosting company prosecuting a customer for such reasons here in India before. Get a good lawyer who is knowledgeable in this field.

Re: php Code - Help needed

Posted: Thu May 29, 2008 8:46 am
by VladSun
Verminox wrote: If somebody manages to exploit the vulnerabilities then your site will get compromised, but the shared web host should have made proper arrangements so that the rest of their server is not affected by what you do.
++

Re: php Code - Help needed

Posted: Thu Jun 05, 2008 2:56 pm
by Frozenlight777
This is very interesting. I wasn't sure it was possible to be sued for writing vulnerable code. Isn't all code vulnerable to attacks in some way or another? It seems like there should have been some form of scheduled backups.

Re: php Code - Help needed

Posted: Thu Jun 05, 2008 8:06 pm
by califdon
Frozenlight777 wrote: This is very interesting. I wasn't sure it was possible to be sued for writing vulnerable code. Isn't all code vulnerable to attacks in some way or another? It seems like there should have been some form of scheduled backups.
Again with the stipulation that I'm not an attorney, but I've often heard it said that anyone can sue anyone else for anything at any time -- whether they can win the case is an entirely different question. Still, whenever you are sued, especially by a company that has or can hire lawyers, you need to seek professional legal advice immediately, to protect your interests. That said, I think the basis for a suit such as was described by the first poster is very weak. Probably a lot would depend on what written agreements might exist between the programmer and whoever is trying to sue him or her. A common practice in consulting, for example, is to include a clause that says something like, "This software is provided with no warranty against any kind of loss or damage resulting from its use." In this case, it sounds like a web hosting service is threatening to sue one of its customers for running software that allegedly caused a system-wide outage. That sounds technically unlikely to me, but even if it is accurate, I think there would have had to be something in their Terms of Service that defined such a liability. Again, though, nobody should take my legal advice, I'm only engaging in a discussion.

Re: php Code - Help needed

Posted: Thu Jun 05, 2008 8:19 pm
by Benjamin
smruthi wrote: I am in need of urgent help. One of the companies is putting a court case against me, saying the following code I wrote in 2006 was the ONLY reason for a server crash with another 194 sites on the same server. The following was the code I wrote:
In your defense, the code you posted was only vulnerable to MySQL injection because magic_quotes_gpc was not turned on in the php.ini file, which would have been the responsibility of the server administrator.

With magic_quotes_gpc disabled, your code became vulnerable to query injection because the data was not escaped using mysql_real_escape_string().

Re: php Code - Help needed

Posted: Fri Jun 06, 2008 2:42 am
by vspin
smruthi wrote: Hi All,

I am in need of urgent help. One of the companies is putting a court case against me, saying the following code I wrote in 2006 was the ONLY reason for a server crash with another 194 sites on the same server. The following was the code I wrote.. ..and they say the following is how I should have written the code, and that it would have been 100% safe from SQL injection attacks. Is their claim correct?
As stated by califdon, seek legal advice. However..

1. The reason the server crashed was a hacker.
2. This shared hosting company's disregard for security is shocking. It sounds like they gave all customers SA privileges, which would be absolutely ridiculous.
3. Your code was open to SQL injection, but it SHOULD have only affected you.


Good luck and keep us posted.