A stupid question about SQL injection attacks in PHP....

  • RedBMedia
  • Proficient
  • Posts: 315

Post 3+ Months Ago

So up until this point I have been using mysql_real_escape_string() to clean incoming data before it hits the DB. But, when looking back at my code, I have noticed that for some reason I only used it when the SQL statement was inserting data. Now I have looked at this example and they use mysql_real_escape_string() even when selecting data. So, do I need to go back and change all my code and include mysql_real_escape_string() when selecting from the DB as well?
  • joebert
  • Fart Bubbles
  • Genius
  • Posts: 13504
  • Loc: Florida

Post 3+ Months Ago

Every query you have that has a section which was built using data submitted by the user needs to be screened. Every query: SELECT, INSERT, DELETE, etc. Every one.

Data submitted by the user includes (but isn't limited to) $_GET, $_POST, and $_COOKIE variables, as well as variables that you might not realize are coming from the user at first glance, such as $_SERVER["HTTP_REFERER"] or $_SERVER["HTTP_ACCEPT_LANGUAGE"].
  • RedBMedia
  • Proficient
  • Posts: 315

Post 3+ Months Ago

joebert wrote:
Every query you have that has a section which was built using data submitted by the user needs to be screened. Every query: SELECT, INSERT, DELETE, etc. Every one.

Data submitted by the user includes (but isn't limited to) $_GET, $_POST, and $_COOKIE variables, as well as variables that you might not realize are coming from the user at first glance, such as $_SERVER["HTTP_REFERER"] or $_SERVER["HTTP_ACCEPT_LANGUAGE"].

Thanks for the tip... so, how would an attacker push malicious code through the $_SERVER array?
  • joebert
  • Fart Bubbles
  • Genius
  • Posts: 13504
  • Loc: Florida

Post 3+ Months Ago

The $_SERVER array generally includes things from HTTP request headers, things like the referrer, the accepted character sets/encodings, preferred language, etc.

For example, if you have something that logs $_SERVER['HTTP_REFERRER'] to the database, you'll want to screen that yourself as it can contain bad data just as easily as GET or POST can.
  • RedBMedia
  • Proficient
  • Posts: 315

Post 3+ Months Ago

Oh, I see, so the attacker might spoof the header... never thought of that.
  • joebert
  • Fart Bubbles
  • Genius
  • Posts: 13504
  • Loc: Florida

Post 3+ Months Ago

What I do when deciding whether I should screen something is ask myself the question, "Is this something the server could generate even without a request from a user?" If the answer is no, then the data is immediately subject to screening. If the answer is yes, it is something the server could generate without a request from a user, I look and see whether it's something the server generates on its own, or if it's something the server will override with data submitted from a user, before deciding whether to screen it.

An edge case would be $_SERVER['QUERY_STRING'], I know that the server generates this variable, but I also know it's generated from user submitted data.

There's $_SERVER["REMOTE_PORT"], which is technically sent by the user, but if that was spoofed then the TCP communication would never have let the request get to the script in the first place. I feel I can trust this particular variable, though if I'm feeling paranoid I might type-cast it.

PHP Code:
$rport = (int)$_SERVER['REMOTE_PORT'];
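As an added example (not joebert's code and not from this thread), the same rule applied with mysqli prepared statements, which is what PHP 7 and later require anyway since the mysql_* functions were removed: request headers are bound as parameters for both an INSERT and a SELECT, and the REMOTE_PORT cast is kept. The request_log table and the $db connection are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+, a mysqli
// connection in $db, and a table (assumed, not from the thread):
//   request_log(id INT AUTO_INCREMENT PRIMARY KEY, referer VARCHAR(2048),
//               accept_language VARCHAR(255), remote_port INT)

function logRequest(mysqli $db, array $server): bool
{
    // Headers are attacker-controlled: treat them exactly like $_GET/$_POST.
    // The real key is HTTP_REFERER (one R) and it may be absent entirely.
    $referer  = (string)($server['HTTP_REFERER'] ?? '');
    $language = (string)($server['HTTP_ACCEPT_LANGUAGE'] ?? '');
    // REMOTE_PORT comes from the TCP layer; the cast from the thread still
    // guarantees that only an integer reaches the query.
    $port = (int)($server['REMOTE_PORT'] ?? 0);

    $stmt = $db->prepare(
        'INSERT INTO request_log (referer, accept_language, remote_port) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    // "ssi": two strings, one integer. The values travel separately from the
    // statement text, so quotes or SQL keywords in a header are stored
    // literally instead of changing the query.
    $stmt->bind_param('ssi', $referer, $language, $port);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// SELECT queries need the same treatment as writes: the lookup value is
// bound, never concatenated, even though this query only reads data.
function findByReferer(mysqli $db, string $referer): array
{
    $stmt = $db->prepare('SELECT id, remote_port FROM request_log WHERE referer = ?');
    if ($stmt === false) {
        return [];
    }
    $stmt->bind_param('s', $referer);
    $stmt->execute();
    $stmt->bind_result($id, $port);   // works without mysqlnd, unlike get_result()
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['id' => $id, 'remote_port' => $port];
    }
    $stmt->close();
    return $rows;
}

// Usage: logRequest($db, $_SERVER); $hits = findByReferer($db, 'https://example.com/');
```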

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.