SQL injection vulnerabilities in PHP code

Here you can find plenty of help with your general coding needs and projects
If it is about a specific program, use the corresponding forum
DO NOT ask basic questions such as "How do I print a variable", use Google for that

SQL injection vulnerabilities in PHP code

Postby ScratchMonkey » Fri Jan 19, 2007 8:25 pm

PHP versions prior to 6 have a basic guard against injection attacks that attempts to escape "dangerous characters". This guard is called "magic quotes". It's an optional setting, so your hosting provider may have it turned off. Starting with version 6, this protection is removed, as it's caused a lot of problems for coders. So you should be rethinking your input validation to ensure compatibility and security when you upgrade your PHP platform.

http://www.tizag.com/phpT/php-magic-quotes.php

Here's how SQL injection attacks work:

http://www.unixwiz.net/techtips/sql-injection.html
User avatar
ScratchMonkey
WR.net Expert
WR.net Expert
 
Posts: 212
Joined: Wed Jul 05, 2006 4:32 pm
Location: San Pablo, CA

SQL injection vulnerabilities in PHP code

Postby zeryl » Fri Jan 19, 2007 11:11 pm

Most if not all queries are escaped in the wowdb layer. This helps TONS against sql injection.
User avatar
zeryl
WoWRoster.net Dev Team
WoWRoster.net Dev Team
 
Posts: 194
Joined: Tue Jul 04, 2006 12:59 pm
Location: Saint Louis

SQL injection vulnerabilities in PHP code

Postby zanix » Fri Jan 19, 2007 11:12 pm

Plus Roster code (since 1.7.1) detects magic quotes and escapes all global strings if it is off
Read the Forum Rules, the WiKi, and Search before posting!
WoWRoster v2.1 - SigGen v0.3.3.523 - WoWRosterDF
User avatar
zanix
Admin
Admin
WoWRoster.net Dev Team
WoWRoster.net Dev Team
UA/UU Developer
UA/UU Developer
 
Posts: 5543
Joined: Mon Jul 03, 2006 8:29 am
Location: Idaho Falls, Idaho
Realm: Doomhammer (PvE) - US

SQL injection vulnerabilities in PHP code

Postby MattM » Fri Jan 19, 2007 11:20 pm

am i right that as long as you escape all single and/or double quotes, then injection is impossible?
MattM
UA/UU Developer
UA/UU Developer
Gimpy Developer
Gimpy Developer
 
Posts: 886
Joined: Tue Jul 04, 2006 9:53 pm
Location: USA

SQL injection vulnerabilities in PHP code

Postby zanix » Fri Jan 19, 2007 11:22 pm

Not impossible, but it reduces it by a s#it tonne, lol
Read the Forum Rules, the WiKi, and Search before posting!
WoWRoster v2.1 - SigGen v0.3.3.523 - WoWRosterDF
User avatar
zanix
Admin
Admin
WoWRoster.net Dev Team
WoWRoster.net Dev Team
UA/UU Developer
UA/UU Developer
 
Posts: 5543
Joined: Mon Jul 03, 2006 8:29 am
Location: Idaho Falls, Idaho
Realm: Doomhammer (PvE) - US

SQL injection vulnerabilities in PHP code

Postby ScratchMonkey » Fri Jan 19, 2007 11:23 pm

Queries in search.php didn't seem to be escaped, but I didn't follow them down into the wowdb layer. That's what prompted me to post this.

In 1.7.2, I don't see where wowdb::query() invokes escape(). Bug in search.php or wowdb.php, or am I just missing the right piece of code?
User avatar
ScratchMonkey
WR.net Expert
WR.net Expert
 
Posts: 212
Joined: Wed Jul 05, 2006 4:32 pm
Location: San Pablo, CA

SQL injection vulnerabilities in PHP code

Postby ScratchMonkey » Fri Jan 19, 2007 11:26 pm

Matt, best practices in untrusted input are to specify what you accept, not what you exclude. Escaping is really the latter. When you do that, it's much harder to prove that you're safe. But it at least cuts your exposure.
User avatar
ScratchMonkey
WR.net Expert
WR.net Expert
 
Posts: 212
Joined: Wed Jul 05, 2006 4:32 pm
Location: San Pablo, CA

SQL injection vulnerabilities in PHP code

Postby PleegWat » Sat Jan 20, 2007 6:19 am

All GET, POST, COOKIE data gets escaped in settings.php (Since 1.7.1, I think). The rest of roster has been modified to assume those variables are already escaped.

The current philosophy for R2 uses queries with parameter binding everywhere. This doesn't mean the base queries are completely given as string literals, but only the table names would be added in. The query parameters (mainly WHERE conditions) that are currently the ones we've got to watch out to escape properly, are passed to MySQLi separately, so there is no risk of SQL insertion there.
I <3 /bin/bash
User avatar
PleegWat
WoWRoster.net Dev Team
WoWRoster.net Dev Team
 
Posts: 1636
Joined: Tue Jul 04, 2006 1:43 pm


Return to General Code Help

Who is online

Users browsing this forum: No registered users and 0 guests

cron