Webmaster Forum


Old 04-18-2006, 10:51 AM   #1 (permalink)
snout
Junior Member
sql injection help

Got a PHP script I would like to use, Softbiz Web Hosting Directory, but there is an SQL injection vulnerability in it that is all over the security websites.

Input passed to the "cid" parameter in "search_result.php" and "browsecats.php", to the "sbres_id" parameter in "review.php", and to the "h_id" parameter in "email.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Example:
http://[host]/search_result.php?cid=[sql]
http://[host]/browsecats.php?cid=[sql]
http://[host]/review.php?sbres_id=[sql]
http://[host]/email.php?&h_id=[sql]

Are there any general protection steps that can be taken to fix this? I am not able to go over the PHP code and fix it all manually. Maybe there is a fix by someone else, since there is no fix from the vendor.
Any help would be appreciated.
Old 04-18-2006, 02:56 PM   #2 (permalink)
kwvarga
Possible Terrorist
What is the name of the script?
__________________
Kyle Varga
"m3lt/theSpear"
student, web designer/coder, future IT consultant
Experience: PHP/MySQL, Java, C++, MS-SQL
Old 04-18-2006, 06:03 PM   #3 (permalink)
ewc21
Inactive
If the script requires user input then it is good to put up a captcha for verification...
Old 04-18-2006, 07:52 PM   #4 (permalink)
themole
Junior Member
here's a good start:

Code:
$cid = mysql_escape_string($_GET['cid']); // quote the key: a bare cid is an undefined constant

If cid is supposed to be numeric and nothing else,

Code:
if (is_numeric($_GET['cid'])) {
    // run your script
} else {
    // redirect or set a legitimate cid
}
-the mole
Old 04-19-2006, 03:14 AM   #5 (permalink)
snout
Junior Member
Quote:
Originally Posted by theSpear
what is the name of the script
I wrote the name of the script in the first line of my message and then I described the vulnerability itself.
No user input required, it's not a login form.

Here is what I came up with:

Code:
// is_nan() only reports whether a float is the NaN value; it does not check that the input is a number
$cid = is_nan($_REQUEST["cid"]) ? die('hacker') : $_REQUEST["cid"];
$child_cat = mysql_query("select * from sb_host_categories where sb_pid=" . $cid);

Will it solve the vulnerability and disallow messing with my db tables?
Old 04-19-2006, 07:14 AM   #6 (permalink)
digiweb
v7n Mentor
Only in php do you get the beauty of syntax like:

die('hacker')

That code is great.
Old 04-19-2006, 10:20 AM   #7 (permalink)
kyleposey
Inactive
Quote:
Originally Posted by themole
here's a good start:

Code:
$cid = mysql_escape_string($_GET['cid']);

If cid is supposed to be numeric and nothing else,

Code:
if (is_numeric($_GET['cid'])) {
    // run your script
} else {
    // redirect or set a legitimate cid
}
Great Advice. That should stop any sql injection code.
Old 04-23-2006, 04:54 PM   #8 (permalink)
exam
Contributing Member
Just force the id to be a number like so:
PHP Code:
$child_cat = mysql_query("select * from `sb_host_categories` where `sb_pid`='" . intval($_GET['cid']) . "'");
If it's any other value that you need to sanitize, just use mysql_real_escape_string and you can store *anything* your heart desires in mysql.
Old 04-25-2006, 09:23 PM   #9 (permalink)
littleFella
Inactive
Quote:
Originally Posted by snout
Is there any general protection steps that can be taken to fix this? I am not able to go over the php code and fix it all manually. Maybe there is a fix by someone else since there is no fix by vendor.
Any help would be appreciated.
Yes. The first step is to use stored procedures, which won't fly if you use the free versions of mySQL.

Postgresql, DB2, Firebird (among others) have stored procedures. If you use mySQL, consider using a real RDBMS.
Old 04-27-2006, 10:11 AM   #10 (permalink)
snout
Junior Member
Thanks for all the replies. I fixed it by declaring the cid in a few places like this:

$cid = is_nan($_REQUEST["cid"]);

That way the value will only be a number and no special characters or commands can be executed inside the URL.
Old 04-27-2006, 09:53 PM   #11 (permalink)
exam
Contributing Member
Quote:
Originally Posted by littleFella
Yes. The first step is to use stored procedures, which won't fly if you use the free versions of mySQL.

Postgresql, DB2, Firebird (among others) have stored procedures. If you use mySQL, consider using a real RDBMS.
You can't be serious. Please explain your perceived advantages of stored procedures. People run around all afraid of SQL injection, when the only thing you have to do is validate all user input and you'll never have a problem with it.

And about that demeaning tone with which you refer to MySQL, you should get off your island or high-horse or wherever you are and come join the real world. Why pay to use a commercial RDBMS when a free, open-source product does a more-than-adequate job? I also find it amusing that you didn't mention the market leading commercial DB in your list (Oracle).

Oh, and snout, I hope you realise that doing this: $cid = is_nan($_REQUEST["cid"]) just puts the value of true or false into $cid, based on if $_REQUEST['cid'] is a number or not. You should do: $cid = intval ($_REQUEST['cid']); as I mentioned earlier.
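The point exam makes about is_nan() versus intval(), worked through as an added example that is not code from the thread or from the Softbiz script: a small validator that accepts cid only as a string of digits, then builds the lookup from post #5 with the resulting integer. The request array passed in, the function names and the sample values are assumptions.

```php
<?php
// Added example, not code from the thread or the Softbiz script.
// is_nan() answers "is this float the NaN value?", so assigning its result
// to $cid stores true/false, never the category id. A digit-only check
// followed by an integer cast is what actually keeps the id numeric.

/**
 * Return the category id from request input, or null if it is not a
 * plain non-negative integer. Callers decide what to do with null
 * (fall back to a default category, log the request, etc.).
 */
function cid_from_request(array $request): ?int
{
    $raw = $request['cid'] ?? null;
    // ctype_digit() is true only for a non-empty string of 0-9, so
    // "12abc", "1.5", " 7" and "" are all rejected before the cast.
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    return (int) $raw;   // string of digits -> PHP integer
}

/**
 * Build the lookup from post #5 with an already validated integer.
 * Concatenating a PHP int cannot alter the statement's structure, which
 * is what intval() in post #8 relies on as well.
 */
function category_query(int $cid): string
{
    return 'select * from sb_host_categories where sb_pid=' . $cid;
}

// Constructed sample values standing in for $_REQUEST['cid'].
$samples = ['12', '007', '12abc', '1.5', ' 7', ''];

foreach ($samples as $s) {
    $cid = cid_from_request(['cid' => $s]);
    if ($cid === null) {
        printf("%-8s rejected\n", var_export($s, true));
    } else {
        printf("%-8s -> %s\n", var_export($s, true), category_query($cid));
    }
}
```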
Old 04-27-2006, 10:27 PM   #12 (permalink)
digiweb
v7n Mentor
I think I'm responsible for creating a vocabulary issue here.

Stored procedures are not really an answer.

Parameterized queries are an answer but are still hackable.

Cleansed input presents many token parsing issues. A black list never works (just assume that to be safe). A white list can be too small.

And what methods will you use to create your checks? Regular expression syntax changes from language to language (thus making my head explode), and hacked input just as likely screws built-in functions as the database you're trying to protect.

You know it hasn't been that long since we stopped seeing the blue screen of death over little things like divide by zero. I mean, c'mon Intel, it's a zero, check for zero and don't divide by it. But that's not what we had. I've got PHP code that I can blow up just by putting nothing in the input form. Did you remember to check isnull() before checking ishacking()?

Some random and good articles:
http://www.codeproject.com/aspnet/SqlInjection.asp
Preventing SQL injection
The various techniques used to prevent SQL injections are:

Parameterized query
Stored procedure
Regular expression to discard input string
Quoteblock function
Don’t show detailed error messages to the user.
Have a less privileged user/role of your application in database.


http://www.sqlservercentral.com/colu...linjection.asp

'CarolineBogart'; -- AND Password = ''
Old 04-27-2006, 11:07 PM   #13 (permalink)
exam
Contributing Member
Technically you're absolutely right in everything you say, but we've got to remember to keep it simple. As an example, if your code escapes all single quotes in the input, then wraps that input in single quotes before it goes to the query, please enlighten me as to how that can be hacked.
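The "parameterized query" item from the article list in post #12, applied to the same sb_host_categories lookup and to the quoted-string case exam describes, as an added example that is not code from the thread or from the Softbiz script. It uses PDO over an in-memory SQLite table (constructed here, requires the pdo_sqlite extension) so it runs stand-alone; the columns other than sb_pid, the function names and the sample rows are assumptions.

```php
<?php
// Added example, not code from the thread or the Softbiz script.
// A prepared statement sends the SQL text and the values separately, so
// the quote escaping exam describes is done by the driver/server rather
// than by hand in every script. SQLite in memory stands in for MySQL so
// the file runs offline; with a "mysql:host=...;dbname=..." DSN the
// functions below are unchanged.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL also disable emulated prepares so binding happens server-side:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed sample table; only sb_pid comes from the thread's query,
// the other column names are assumptions.
$pdo->exec('create table sb_host_categories (sb_cid integer, sb_pid integer, sb_name text)');
$pdo->exec("insert into sb_host_categories values
            (1, 0, 'Shared'), (2, 0, 'Bob''s Hosting'), (3, 1, 'Reseller')");

/** Child categories of $cid: the integer case from search_result.php / browsecats.php. */
function child_categories(PDO $pdo, int $cid): array
{
    $stmt = $pdo->prepare('select sb_cid, sb_name from sb_host_categories where sb_pid = ?');
    $stmt->bindValue(1, $cid, PDO::PARAM_INT);  // typed parameter, not string concatenation
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Lookup by name: the string case, where a quote in the input is plain data. */
function category_ids_by_name(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('select sb_cid from sb_host_categories where sb_name = :name');
    $stmt->execute([':name' => $name]);          // no manual escaping, no wrapping in quotes
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

print_r(child_categories($pdo, 0));
print_r(category_ids_by_name($pdo, "Bob's Hosting"));
```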
Old 04-27-2006, 11:20 PM   #14 (permalink)
digiweb
v7n Mentor
I don't have the slightest idea. I'm not much of a hacker. Remember, it doesn't matter if I can hack code. It matters if my terrorist kitty can.

btw, I don't think it's that simple to do that to input. I've got input forms that go on for days.

Old 04-27-2006, 11:32 PM   #15 (permalink)
exam
Contributing Member
>> I don't think it's that simple to do that to input.
In the context of a web development forum, just use mysql_real_escape_string - It'll do it every time.

Yikes! don't sic your black hat terrorist cat on me {runs for cover}
Old 04-27-2006, 11:35 PM   #16 (permalink)
digiweb
v7n Mentor
So what will that buy if someone types javascript into the form?
Old 04-27-2006, 11:41 PM   #17 (permalink)
exam
Contributing Member
How are they going to compromise the MySQL server with Javascript? If it's properly escaped, it'll just be stored in the DB. It's a whole different question how to remove JS from HTML before displaying it, and that has nothing to do with SQL injection. It's like asking how to keep apples for several months without them going bad, and then having someone ask: well, how can I keep people from mixing the apples with the oranges? The two questions are not related.

BTW, I keep looking around waiting for that cat to come sneaking up on me.
Old 04-28-2006, 12:17 AM   #18 (permalink)
digiweb
v7n Mentor
The cat's asleep on my head. Well, on my shoulder.

I didn't mean to say javascript input = sql input. I meant to say that cleaning input is a pain.
Old 04-28-2006, 08:20 PM   #19 (permalink)
littleFella
Inactive
Quote:
Originally Posted by exam
You can't be serious. Please explain your perceived advantages of stored procedures.
I hope the other poster's links give you a hint or two.

Quote:
Originally Posted by exam
And about that demeaning tone with which you refer to MySQL, you should get off your island or high-horse or whereever you are and come join the real world.
Facts are facts, whether they sound demeaning or not. I did not create the SQL standards or the good RDBMS design that MySQL violates where it really counts once you go beyond a basic select *.

Quote:
Originally Posted by exam
Why pay to use a commercial RDBMS when a free, open-source product does a more-than-adequate job? I also find it amusing that you didn't mention the market leading commercial DB in your list (Oracle)
My list did not contain any RDBMS that cannot be had for free. There is a free version of DB2: the only limit is memory - you cannot let it use more than 4GB of RAM, an insignificant limitation as far as I am concerned. I hope this explains why I did not include Oracle. I only wanted to list databases which can be downloaded and used for free for any purpose, including commercial. Btw, this comfort is not ensured by the MySQL licensing scheme.

Speaking of Oracle; unless you want to run a mirror of Wikipedia or some such huge site, Oracle would be overkill. I was advised a couple of times that Oracle 8 was overkill for the second largest galvanizing plant in North America. The advisor was an Oracle salesman.
Old 04-28-2006, 09:17 PM   #20 (permalink)
digiweb
v7n Mentor