.oO(Bob Bedford)
Thanks for your reply Michael.
I've my local code and would like to know if my code is open for hackers.
I'd like to see if it's possible to drop a database by simply insert mysql
statement in any field (text box or anything). Does anybody know how to
check ?
Google for (Advanced) SQL Injection.
I can't check the injection technique: here is my code:
$colname_Recordset1 = $HTTP_POST_VARS['User'];
Use $_POST instead, the old $HTTP_*_VARS arrays are deprecated.
$colname_Recordset2 = $HTTP_POST_VARS['Pass'];
$query_Recordset1 = "SELECT * FROM person WHERE User =
\"$colname_Recordset1\" AND Pass = \"$colname2_Recordset1\";";
Use single quotes around strings in a query. Double quotes are a MySQL
extension to the SQL standard and might not work on all systems.
I insert this (user/pass):
" OR 1="1
" OR 1="1
Now, the query result is:
SELECT * FROM person WHERE User = "\" OR 1=\"1" AND Pass = "\" OR 1=\"1";
Looks like PHP's magic quotes take effect, but I wouldn't rely on that.
In fact in my code I use a kind of input filter function to remove the
magic quotes before my application code gets its hands on the data. This
way I can do all the necessary escaping stuff on my own and don't have
to rely on a particular configuration setting.
How to be sure it can't be hacked ?
Most important rule: Never trust any user-submitted data. Never.
Everything(!) that comes in via GET or POST can be manipulated.
Really everything, even the content of hidden or read-only form fields.
Before using a user-submitted data in a query think about what values
are allowed and validate/adjust accordingly:
* If the field is numeric it's pretty simple, use intval() for casting
to an integer or something like that.
* If one value from a given set of values is allowed, store all allowed
values in an array and use in_array() to check if the submitted value is
an allowed one.
* Strings are a bit more difficult. With MySQL it should be enough to
run the submitted data through mysql_escape_string(), this will escape
all special characters like single quotes. First check the setting of
the magic quotes with get_magic_quotes_gpc() to avoid double escaping.
It would make sense to write some simple functions for handling the
data, so you don't have to write the validation code again and again.
Second important rule: Even if the data made it successfully into the
database doesn't mean the danger is over. Whenever you fetch some data
from your db to re-use it in another query validate again. Otherwise an
attacker might be able to inject code that doesn't work on the first
insert, but on the re-using of the data (second-order SQL injection).
HTH
Micha
