  1. #1 greg76 (SitePoint Addict, Poland, joined Aug 2004, 262 posts)

    PHP/MySQL security - question about existing website

    Dear All,

    I coded this site and programmed some stuff in PHP. My company is currently giving this project away (the company decided to maintain it on their own; now they are interviewing some individuals).

    Spencers Crossing

    Today I was informed that the MySQL connection is totally insecure and that the interest list (all the people who register through the register.php link) is wide open to the public.

    Can anybody look at that stuff (if time allows) and tell me whether the SQL connection can be read and changes made to the DB by anybody?!

    The same person (or maybe another one) pointed out that the 'My Backpack' feature was not safe: simply hitting the 'submit' button without filling in the two required fields could log any person in as XX XX. Partially s/he was right, but my script was working as it should, comparing the entries with the DB ones; there happened to be empty inserts, therefore the 'match operation' was true.

    Anyway, can anybody look at the stuff and tell me how insecure the DB connection is?

    Thank you!

    Cheers,
    ~g.
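The 'My Backpack' behaviour described in the post above (blank fields matching rows that were inserted blank) modelled as an added example; this is not code from the site or from the poster. It assumes a table named interest_list whose two identifying fields are first and last name, uses an in-memory SQLite database in place of MySQL so it runs offline (the SQL is the same on MySQL), and uses prepared statements in both versions because the point here is the empty match, not injection.

```php
<?php
// Added example, not the site's code. Table, column names and sample rows are
// assumptions; SQLite in memory stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE interest_list (id INTEGER PRIMARY KEY, first TEXT, last TEXT, email TEXT)');
$db->exec("INSERT INTO interest_list (first, last, email) VALUES ('Jane', 'Doe', 'jane@example.com')");
// Constructed: a row whose "required" fields were inserted empty, as the post describes.
$db->exec("INSERT INTO interest_list (first, last, email) VALUES ('', '', 'blank@example.com')");

// The approach the post describes: compare the submitted fields with the stored
// ones and treat any match as a login. A blank submission ('' = '') matches the
// blank row, so "nobody" gets logged in.
function backpackLoginOriginal(PDO $db, string $first, string $last): ?array {
    $stmt = $db->prepare('SELECT id, email FROM interest_list WHERE first = ? AND last = ?');
    $stmt->execute([$first, $last]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: refuse empty required fields before touching the database, and
// never accept a row whose identifying columns are empty as an identity.
function backpackLoginHardened(PDO $db, string $first, string $last): ?array {
    $first = trim($first);
    $last  = trim($last);
    if ($first === '' || $last === '') {
        return null;   // required field missing: no lookup at all
    }
    $stmt = $db->prepare(
        "SELECT id, email FROM interest_list WHERE first = ? AND last = ? AND first <> '' AND last <> ''"
    );
    $stmt->execute([$first, $last]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

var_dump(backpackLoginOriginal($db, '', ''));        // the blank row: id 2, blank@example.com
var_dump(backpackLoginHardened($db, '', ''));        // NULL
var_dump(backpackLoginHardened($db, 'Jane', 'Doe')); // the real row
```

Run it with php from the command line. The hardened version only closes the hole the post describes; the real fix is server-side required-field validation in the registration script so that blank rows never get inserted (and removing the ones already there), and keeping in mind that a name is identification, not authentication: anyone who knows a registrant's name can look up their entry unless a secret such as a password is also checked.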

  2. #2 Coastal Web (SitePoint Zealot, Oregon, U.S., joined Jan 2006, 131 posts)
    Greetings Greg,

    Sounds like you have a reason to be concerned. I took a look myself and attempted a few SQL injections and didn't get any error reporting (though it did seem to let me register a user named ' (single quote)). Did that one show up in your database? If so you may have a problem.

    Now I don't really have the time to sit around and try all the SQL injection techniques in the book. Here's what would really make this go a little more quickly, rather than sitting around "trying" to successfully inject an SQL command into the underlying database: can you please post the methods that you use to sanitize the user input after it's been submitted, and let us critique them.

  3. #3 mmarif4u (SitePoint Guru, /dev/swat, joined Dec 2006, 619 posts)
    Hi Greg,

    There are many ways to prevent this type of issue, especially for the DB.
    Now you have the form for registration, where a user can enter anything they want; it means that your code is not secure, and any malicious user will destroy your site.
    If that type of user accessed your DB then he can do anything he wants.
    Now come to the injection point.
    One thing: you can filter user input before entering it into the DB.
    Use this:
    PHP Code:
    // Escapes quotes, backslashes and NUL bytes for use inside a quoted SQL string literal.
    // Needs an open mysql_connect() link; the whole mysql_* extension was removed in PHP 7.
    $name = mysql_real_escape_string($_POST['name']);
    mysql_real_escape_string will filter the data entered by the user in the text box before submitting it to the DB.

    Now the other solution is to make a check for every required input so that it is not empty.
    Third, use a regex for some inputs where you want to ask a user for a name; it means that the name consists of (A-Z, a-z, space).
    So if the user inputs digits it will give him/her an error.

    Hope this will help.
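The three points in the post above (filter the input, require non-empty fields, restrict a name with a regex) put together in an added example; this is not the poster's code or the site's. It swaps mysql_real_escape_string() for a prepared statement with bound parameters, which is what a current PHP/MySQL setup should use anyway since the mysql_* extension was removed in PHP 7, and widens the name pattern to allow hyphens and apostrophes so names like O'Brien pass. The table and column names are assumptions, and SQLite in memory stands in for MySQL so it runs offline.

```php
<?php
// Added example, not the site's code. Table and column names are assumptions;
// SQLite in memory stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE interest_list (id INTEGER PRIMARY KEY, first TEXT NOT NULL, last TEXT NOT NULL, email TEXT NOT NULL)');

// Validate first: every required field present and non-empty, names limited to
// letters, spaces, hyphens and apostrophes with at least one letter, email in
// a syntactically valid shape. Returns a list of error strings (empty = OK).
function validateRegistration(array $post): array {
    $errors = [];
    foreach (['first', 'last', 'email'] as $field) {
        if (!isset($post[$field]) || trim((string)$post[$field]) === '') {
            $errors[] = "$field is required";
        }
    }
    foreach (['first', 'last'] as $field) {
        if (isset($post[$field]) && $post[$field] !== ''
            && !preg_match('/^(?=.*[A-Za-z])[A-Za-z\' -]{1,60}\z/', $post[$field])) {
            $errors[] = "$field may only contain letters, spaces, hyphens and apostrophes";
        }
    }
    if (isset($post['email']) && $post['email'] !== ''
        && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    return $errors;
}

// Insert with bound parameters: the driver sends the values separately from
// the SQL text, so an apostrophe in a name is stored as an apostrophe and can
// never terminate the string literal. No escaping function is needed.
function registerUser(PDO $db, array $post): int {
    $errors = validateRegistration($post);
    if ($errors !== []) {
        throw new InvalidArgumentException(implode('; ', $errors));
    }
    $stmt = $db->prepare('INSERT INTO interest_list (first, last, email) VALUES (:first, :last, :email)');
    $stmt->execute([
        ':first' => trim($post['first']),
        ':last'  => trim($post['last']),
        ':email' => trim($post['email']),
    ]);
    return (int)$db->lastInsertId();
}

// Constructed inputs.
$id = registerUser($db, ['first' => 'Sinead', 'last' => "O'Brien", 'email' => 'sinead@example.com']);
echo "stored row $id: ", $db->query('SELECT last FROM interest_list')->fetchColumn(), "\n"; // O'Brien, intact

foreach ([
    ['first' => '', 'last' => '', 'email' => ''],                          // the blank submission
    ['first' => "'", 'last' => 'Test', 'email' => 'a@b.example'],         // the single-quote user from #2
    ['first' => 'Bob1', 'last' => 'Smith', 'email' => 'bob@example.com'], // digits in a name
] as $bad) {
    echo implode('; ', validateRegistration($bad)), "\n";
}
```

Validation and parameterisation do different jobs: the regex decides what the application is willing to store, the bound parameter guarantees that whatever is stored cannot change the meaning of the SQL. Dropping either one leaves a gap.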

  4. #4 greg76 (SitePoint Addict, Poland, joined Aug 2004, 262 posts)
    Coastal Web,

    thank you for your reply.

    I have just checked the DB, and YES, there is someone registered with '.
    The point is that I run every entry through a 'save script', and all instances of an apostrophe (') (among others) are replaced with & # 3 9 ;

    so I have your entry, more or less:
    2 ' ' ' test@test.com ' ' ' MA ' ' sales 2 2 3 2 2 2 1 1 3 2007-06-06 direct 3
    Oh, every appearance of ' is translated to & # 3 9 ; (no spaces, of course).

    (not going to translate what each column means, though)

    What say you?


    Thanks again!
    ~g.

  5. #5 Coastal Web (SitePoint Zealot, Oregon, U.S., joined Jan 2006, 131 posts)
    So far it sounds safe; to be sure, your best bet would be to post the "save script" that you run each of the user inputs through before inserting them into your database and let us take a look.

    Best regards,

  6. #6 greg76 (SitePoint Addict, Poland, joined Aug 2004, 262 posts)
    Quote (originally posted by mmarif4u): "user can enter any thing they want"
    Hey mmarif4u,
    thank you for your input.

    Well, I run a protection script to escape dangerous characters, something like:
    PHP Code:
    // Replace apostrophes with their HTML entity. eregi_replace() was removed in PHP 7;
    // preg_replace("/'/i", "&#39;", $inputVar) is the equivalent.
    $inputVar = eregi_replace("'", "&#39;", $inputVar);
    // Drop <script ... script> blocks, then any remaining HTML tags.
    $inputVar = preg_replace("/(\<script)(.*?)(script>)/si", "", $inputVar);
    $inputVar = strip_tags($inputVar);
    // Remove any quotes, angle brackets and backslashes that are left.
    $inputVar = str_replace(array("'", "\"", ">", "<", "\\"), "", $inputVar);
    so a user cannot really enter whatever s/he wants.

    But SQL injection is not even the point here; I was told that the DB connection is wide open and anybody can put their hands directly on my MySQL database.

    I really don't know whether I missed some very important point or the guy is just trying to be a smart *** and make himself look like a genius by saying 'yeah, the previous guy screwed this up'?!

    Help, help, help!!


    Thank you guys, for your inputs.
    Cheers,
    ~g.

  7. #7 Coastal Web (SitePoint Zealot, Oregon, U.S., joined Jan 2006, 131 posts)
    It looks good to me (the sanitation checks you're running); the only thing left to be seen, to make sure, is the actual INSERT statement, to see how you are delineating the different entries; but I'm sure you're using ' (single quote) like everyone else.

    As far as the fella telling you that the database itself is wide open: that is confusing. Though I'm by no means a pro on this and I'm not trying to pretend that I am, I have dabbled a bit. To compromise the underlying database, the malicious user would need to execute an SQL injection, by way of unsanitized user input. Well, unless you have something like an un-password-protected phpMyAdmin, that is. As it sounds like you already know, but for others reading: normally this is done by terminating the initial SQL statement and dropping a malicious statement behind it:

    For instance, a recent exploit on a popular bulletin board software:
    http://[target]/[path]/userlistpre.php?list='%20UNION%20SELECT%20pass,0,0,0%20FROM%20vbb_user%20WHERE%0name='[admin_name]'/*

    If I'm completely wrong, will a pro please step in and correct me?
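The mechanics of the injection described in the last two posts, as an added example that is not the site's code, not the quoted exploit and not either poster's: it builds a query the vulnerable way, runs the terminate-then-UNION payload against it, runs the same payload through the filter posted in #6, shows a quote-free payload that such a filter leaves untouched when the value lands in a numeric position, and finally runs the payload through a prepared statement. Table and column names are assumptions; SQLite in memory stands in for MySQL, and the payload ends with -- (a comment in both engines when followed by nothing else) where the quoted URL uses /*.

```php
<?php
// Added example, not the site's code. Tables, columns and rows are constructed;
// SQLite in memory stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)');
$db->exec("INSERT INTO users (name, pass) VALUES ('admin', 's3cret-hash')");
$db->exec('CREATE TABLE lists (id INTEGER PRIMARY KEY, list TEXT, note TEXT)');
$db->exec("INSERT INTO lists (list, note) VALUES ('sales', 'public')");

// The filter from post #6, with eregi_replace() (removed in PHP 7) replaced by
// the equivalent preg_replace() call; behaviour otherwise unchanged.
function filterLikePost6(string $v): string {
    $v = preg_replace("/'/i", '&#39;', $v);
    $v = preg_replace('/(\<script)(.*?)(script>)/si', '', $v);
    $v = strip_tags($v);
    return str_replace(["'", '"', '>', '<', '\\'], '', $v);
}

// Vulnerable: user input pasted into the SQL text. Each function returns the
// rows the query actually produced so the effect of a payload is visible.
function listByNameVulnerable(PDO $db, string $list): array {
    $sql = "SELECT note, id FROM lists WHERE list = '$list'";
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}
function listByIdVulnerable(PDO $db, string $id): array {
    $sql = "SELECT note, id FROM lists WHERE id = $id";   // numeric position: no quotes around it
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}
// Safe: the value is bound, never spliced into the SQL text.
function listByNameSafe(PDO $db, string $list): array {
    $stmt = $db->prepare('SELECT note, id FROM lists WHERE list = ?');
    $stmt->execute([$list]);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// (1) The shape of the URL payload: close the string literal, UNION in another
// table's column (same column count as the original SELECT), comment out the rest.
$union = "' UNION SELECT pass, 0 FROM users WHERE name = 'admin' --";
print_r(listByNameVulnerable($db, $union));                   // returns the admin's pass instead of a list

// (2) After the post-#6 filter the quotes are gone, the literal is no longer
// terminated, and the query simply matches nothing.
print_r(listByNameVulnerable($db, filterLikePost6($union)));  // empty

// (3) A quote-free payload in a numeric position passes the same filter
// untouched and still changes what the query means.
$numeric = '0 OR 1=1';
print_r(listByIdVulnerable($db, filterLikePost6($numeric)));  // every row

// (4) Bound parameter: the payload is compared as a plain string value.
print_r(listByNameSafe($db, $union));                         // empty
```

Run it with php from the command line. Whether the MySQL service itself is reachable from outside, or its credentials sit in a file the web server will hand out, is a separate question from what this shows: the filter and the prepared statement only cover what arrives through the form.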

