Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Apparently there is an SQL injection bug in my PHP code

Tags:

php

sql-injection

include "../admin/site.php"; // Setup db connection.

$appid = -1;
if (is_string($_GET["id"]))
{
    $id = mysql_real_escape_string($_GET["id"]);
    $sql = "select * from version where id=$id";
    $ver = mysql_query($sql);
    if ($id > 0 && $ver && mysql_num_rows($ver))
    {
        $appid = mysql_result($ver, 0, "AppID");
        $app = DLookUp("apps", "name", "id=$appid");
        $name = mysql_result($ver, 0, "Name");
        $notes = mysql_result($ver, 0, "Notes");
    }
    else $app = "No version by that ID";
}
else $app = "No ID";

/* some html snipped */

if (isset($app) && isset($name))
    echo $app . " v" . $name;
else
    echo "v###";

/* some html snipped */

if (isset($appid))
{
    $url = "/" . DLookUp("apps", "Page", "id=$appid");
    echo "<a href=\"$url\">Up</a> to $app...";
}
if (isset($notes))
    echo $notes;

Somehow this code is allowing someone to see the entire contents of my database. I would've thought that mysql_real_escape_string would prevent that sort of attack? I could cast $id to an integer which should fix the issue, but I want to understand what I did wrong here, so I don't keep repeating my mistake.

like image 501
fret Avatar asked Dec 22 '22 05:12

fret

2 Answers

I think part of the problem is that you aren't using quotes around $id, so an attacker may send a value for id that is 1 OR 1=1 and the SQL executed would be:

select * from version where id=1 OR 1=1

mysql_real_escape_string() escapes just NULLs, newlines, and quotes (\x00, \n, \r, \, ', " and \x1a), so it is of little help if you don't quote the variable.

like image 127
Elias Dorneles Avatar answered Dec 24 '22 01:12

Elias Dorneles

You (at least) need to quote the $id even the column is an integer

select * from version where id="{$id}"

But, if the supply $_GET["id"] using

$id = "xxx\" OR 1=1";
select * from version where id="{$id}" <-- this become a vulnerable 
as it eval to
select * from version where id="xxx" OR 1=1

You should consider bind the parameter :

select * from version where id :=id

Or at least doing the casting to integer $id = (int)$_GET["id"],
you are suppose to compare to integer column, aren't you?
(force it to zero when the $_GET["id"] is not an integer)

Take a look on this :-

  • Someone has hacked my database - how?
  • Does mysql_real_escape_string() FULLY protect against SQL injection?

And always enclose the database link identifier when dealing with mysql_* function
(you might have multiple database connections in a single page)

like image 28
ajreal Avatar answered Dec 24 '22 02:12

ajreal
Sign in to Comment

Related questions

PHP Real path always returning false
Bad idea to create a folder for every user?
Alternative to PHP's associative arrays in JAVA
How could I detect if a character close to another character on a QWERTY keyboard?
using phing to deploy different environments
PHP arrays be outputed to JSON format
str_replace with strpos?
critical section in php between all requests
doctrine2 and group_concat
Does MYSQL Support Object Oriented Database?
Why does PHP replaces . with an underscore if it's a key in $_GET? [duplicate]
Saving files to sub directory with imagejpeg
firefox downloads mp3 files without an extension
Multiple array echo with foreach statement in php [duplicate]
How to change the google custom search watermark
Compile C++ file Using PHP
How to get the default currency from the PHP Intl ( ICU library )
Mysql varchar unique column varchar(255) vs. varchar(50)
How to validate CDATA section for an XML in PHP
Should I declare and check if variables exist in PHP?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!