#3, 09-15-04, 11:43 PM
mikaelf (Wannabe Coder; Join Date: Jun 2004; Location: php[dot]net; Posts: 198)
Hi eclipse,
What you wrote is not actually SQL injection. It's just a hacking method using the query string.
This is how your code works:
Code:
//Your browser
http://www.blahblah.com/index.php?page=main
//Your /usr/local/apache/logs/access_log
xxx.xxx.xxx.77 - - [15/Sep/2004:20:05:22 +0700] "GET /index.php?page=main HTTP/1.1" 200 12034 "http://www.blahblah.com/index.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

//Your browser
http://www.blahblah.com/index.php?page=../etc/password
//Your /usr/local/apache/logs/access_log
xxx.xxx.xxx.77 - - [15/Sep/2004:20:05:22 +0700] "GET /index.php?page=../etc/password HTTP/1.1" 200 12034 "http://www.blahblah.com/index.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
Nothing should happen with the above code, unless there is something special about the GET parameter.

Anyway, the logs below give you examples of hacking attempts:
Code:
[Thu Jun 24 14:19:11 2004] [error] [client xxx.xxx.xxx.77] File does not exist: /home/www/scripts/..<C1>^\../winnt/system32/cmd.exe
[Thu Jun 24 14:19:11 2004] [error] [client xxx.xxx.xxx.77] File does not exist: /home/www/scripts/..<C0><AF>../winnt/system32/cmd.exe
[Thu Jun 24 14:19:11 2004] [error] [client xxx.xxx.xxx.77] File does not exist: /home/www/scripts/..<C1><9C>../winnt/system32/cmd.exe
[Thu Jun 24 14:19:11 2004] [error] [client xxx.xxx.xxx.77] File does not exist: /home/www/scripts/..%5c../winnt/system32/cmd.exe
[Thu Jun 24 14:19:11 2004] [error] [client xxx.xxx.xxx.77] File does not exist: /home/www/scripts/..%2f../winnt/system32/cmd.exe
Unfortunately, the hacker tries to hack a Windows server while the server itself is UNIX. (Nice try... got it faulty?? Try next time, please.)

For SQL injection, here is a better example:
Code:
//test.html
<form action="process.php" method="post">
<input name="user" />
<input name="password" type="password" />
</form>
and your process.php
PHP Code:
// user input is spliced straight into the query string (the vulnerable part)
$check = "select * from user where user='{$_POST['user']}' and password='" . encode($_POST['password']) . "'";

if (mysql_query($check))
    ... authentication ok
The SQL injection:
Input value for field user:
h4ck3r' or 1 > 0;

Code flow in process.php:
PHP Code:
// what $check contains once the injected username has been spliced in
$check = "select * from user where user='h4ck3r' or 1 >0; and password='ga4ef2ga23'";

if (mysql_query($check))
    ... authentication ok
You can see that the hacker "injects" the SQL. He manipulates the username and truncates the SQL query. MySQL will process the query like this:
Code:
mysql> select * from user where user='h4ck3r' or 1 >0;
And... he nicely passes the authentication process.

Regarding this fact, it's important to check all user input and query strings before processing your query.
__________________
Useful PHP links:
bugs.php.net - for reporting PHP bugs
pear.php.net - PHP extension and application repository
pecl.php.net - get non standard PHP modules, submit yours
www.phpclasses.org - PHP classes repository

Last edited by mikaelf; 09-15-04 at 11:49 PM.
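The login bypass described in the post above, as an added example that is not part of the original post: a Python script that builds the same string-spliced query as process.php against an in-memory SQLite table (constructed sample data, one account), and places a parameterised query beside it so the same payload can be fed to both. The `encode()` helper is a hypothetical stand-in for the post's unspecified encode() function. The payload uses a `--` comment to discard the rest of the query instead of the post's `;`, because Python's sqlite3 module executes one statement per call and rejects trailing text; the trailing space after `--` is the form MySQL also accepts.

```python
import hashlib
import sqlite3


def encode(password: str) -> str:
    """Hypothetical stand-in for the post's encode(): hashes the password.

    A real application would use a slow, salted password hash; a plain
    digest is enough to show that hashing alone does not stop injection.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (user text, password text)")
    conn.execute("insert into user values (?, ?)", ("alice", encode("s3cret")))
    conn.commit()
    return conn


def vulnerable_query(user: str, password: str) -> str:
    """Mirrors process.php: the username is spliced directly into the SQL text."""
    return (
        f"select * from user where user='{user}' "
        f"and password='{encode(password)}'"
    )


def login_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Authenticate by running the spliced query and checking for any row."""
    return conn.execute(vulnerable_query(user, password)).fetchone() is not None


def login_safe(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Hardened form: the driver binds the values, so quotes stay data."""
    check = "select * from user where user=? and password=?"
    return conn.execute(check, (user, encode(password))).fetchone() is not None


# Injected username: closes the quoted literal, adds an always-true clause,
# and comments out the password check that follows.
PAYLOAD = "h4ck3r' or 1 > 0 -- "


def demo() -> dict:
    """Run a legitimate login, a wrong password, and the injection against both versions."""
    conn = make_db()
    return {
        "legit_vuln": login_vulnerable(conn, "alice", "s3cret"),
        "legit_safe": login_safe(conn, "alice", "s3cret"),
        "wrong_vuln": login_vulnerable(conn, "alice", "wrong"),
        "inject_vuln": login_vulnerable(conn, PAYLOAD, "anything"),
        "inject_safe": login_safe(conn, PAYLOAD, "anything"),
    }


if __name__ == "__main__":
    print(vulnerable_query(PAYLOAD, "anything"))
    for name, ok in demo().items():
        print(f"{name}: {'authenticated' if ok else 'rejected'}")
```

Running it prints the spliced query so you can see where the literal ends, then shows the injected username authenticating against the spliced version and being rejected by the parameterised one; the bound-parameter form is the check the post's closing sentence is asking for, applied by the database driver rather than by hand.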