SQL injection

         

stevelibby

11:36 am on Sep 7, 2006 (gmt 0)

10+ Year Member



Instead of using id=1, if I were to create pages where the query would be based on page1.asp and use the 1 as the id, does that leave me prone to SQL injection? I don't understand SQL injection that well.

tomda

11:58 am on Sep 7, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I can see that ;)

Anyway, you are currently passing a variable called id.
There are two ways to pass a variable: one using the GET method (the id value is shown in the URL), the other using the POST method (using a form, for example).

EVERY VARIABLE MUST BE CHECKED BEFORE EVERYTHING ELSE.

You know that your id will only ever be numbers, don't you?
Then you need to write the small piece of code below.

    function check1($var) {
        // TRUE only when $var is a non-empty run of ASCII digits.
        // \z (not $) so a trailing newline cannot sneak through.
        return preg_match('/^[0-9]+\z/', $var) === 1;
    }

    if (isset($_GET["id"])) {
        $id = $_GET["id"];
        if (!check1($id)) { $id = "1"; }   // was check1($c); $c was never defined
    } else {
        $id = "1";                          // default when no id was passed at all
    }

    // $table is assumed to be set elsewhere; mysql_query is the legacy ext/mysql call of the day
    $sql = "select title, subtitle from $table where id='$id' limit 1";
    $res = mysql_query($sql) or die("Fail to get text");

1/ The function check1 will check that your variable only contains numbers.

2/ if(isset()) will check whether the variable is set; if not, a default value of 1 is given.

3/ If the variable is set, then you read $_GET["id"] and check that it is only numbers using the function. If not, again the default value is given.

4/ Run the query safely.

Tomda

topr8

12:03 pm on Sep 7, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I'm guessing he's not using PHP.

So for ASP:

    id = Request("id")   ' Request("id") searches QueryString, Form, Cookies, ClientCertificate, ServerVariables in turn
    ' A single-line If needs "Then"; note IsNumeric also accepts "1e3", "&H1F", "-1.5" and the like
    If Not IsNumeric(id) Then Server.Transfer "go-away-you-hacker.asp"

This will redirect any non-numeric id value to a page called "go-away..." (of course, that page has to exist).

tomda

12:23 pm on Sep 7, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks Topr8

Oops! Indeed, it is ASP.
Sorry for that...

stevelibby

8:39 am on Sep 9, 2006 (gmt 0)

10+ Year Member



If you break the URL string down so that you just use the 2 digits from "page11.asp", how can you then inject it?

topr8

6:01 pm on Sep 9, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



However you cut it, slice it, dice it, etc.,

... if you validate the data against the data type (and length) you are expecting, then it should be problem free...

E.g. with your example page11.asp: if the page actually exists, as I think you are suggesting, and you have hard-coded into the page the query to the db with the 11, then no problem. I do something similar on a site of mine where rewriting URLs wasn't an option; I created all the pages and hard-coded the query (effectively, anyway).

If you are using some kind of rewriting and are grabbing whatever is after the string "page" to query the database with, it is theoretically possible for someone to employ a SQL injection technique unless you check that the "11" from the "page11" string is indeed a 2-digit number, or whatever you expect it to be.
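The two points made in this thread (tomda's "check every variable, then run the query" and topr8's "whatever you grab after 'page' must be the 2-digit number you expect") can be shown end to end in one runnable piece. The block below is an added example, not code from any poster, written in Python with the standard-library sqlite3 module standing in for ASP/ADO or PHP/mysql because the reasoning is identical; the table name `pages`, its rows, the URL shape `/pageNN.asp` and every function name are assumptions made for the demonstration. It splices a classic tautology payload into the SQL text to show what leaks, runs the same payload through the strict whitelist to show it never reaches the database, slices the id out of a rewritten URL the way topr8 describes, and demonstrates why `[0-9]` is a stricter check than `isdigit()` or IsNumeric-style tests.

```python
"""Validate-then-query for a numeric page id (added example, not from the thread).

Stands in for the ASP/PHP in the posts above using Python's sqlite3 module; the
table 'pages' and its rows are constructed here purely for the demonstration.
"""
import re
import sqlite3

# Strict whitelist: exactly one or two ASCII digits. fullmatch() is used because
# re.match() with '$' would still accept a trailing newline ("11\n").
PAGE_ID_RE = re.compile(r"[0-9]{1,2}")
# What sits between "page" and ".asp" in a rewritten URL such as /page11.asp (assumed shape).
PAGE_URL_RE = re.compile(r"/page([^/.]*)\.asp")


def build_db():
    """Constructed sample data: an in-memory table with three pages."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)",
                     [(1, "home"), (11, "about"), (99, "admin-only")])
    return conn


def is_valid_page_id(value):
    """The check tomda/topr8 describe: right type AND right length, nothing else."""
    return isinstance(value, str) and PAGE_ID_RE.fullmatch(value) is not None


def page_id_from_url(path):
    """Return the raw text after 'page' in '/page<something>.asp', or None."""
    m = PAGE_URL_RE.fullmatch(path)
    return m.group(1) if m else None


def unsafe_query(conn, raw_id):
    """The pattern the thread warns about: the raw id spliced into the SQL text."""
    sql = "SELECT title FROM pages WHERE id='%s'" % raw_id
    return [row[0] for row in conn.execute(sql)]


def safe_query(conn, raw_id):
    """Whitelist first; then bind the value rather than splicing it (second layer)."""
    if not is_valid_page_id(raw_id):
        return None  # the 'default id' / 'go-away page' branch from the posts
    rows = conn.execute("SELECT title FROM pages WHERE id=?", (int(raw_id),))
    return [row[0] for row in rows]


def loose_vs_strict(value):
    """Why '[0-9]' beats isdigit() (or \\d in a regex): Unicode digits such as
    fullwidth '11' pass the loose test but are not what the query expects, and
    int('\u00b2') (superscript two) even raises."""
    return value.isdigit(), is_valid_page_id(value)


def demo():
    """Run the attack string through both paths and the URL-slicing variant."""
    conn = build_db()
    payload = "1' OR '1'='1"   # classic tautology; comment-style payloads behave alike
    return {
        "unsafe_with_payload": unsafe_query(conn, payload),   # every title leaks
        "safe_with_payload": safe_query(conn, payload),       # rejected -> None
        "safe_with_good_id": safe_query(conn, "11"),
        "from_url_good": safe_query(conn, page_id_from_url("/page11.asp")),
        "from_url_bad": safe_query(conn, page_id_from_url("/page" + payload + ".asp")),
        "three_digits": safe_query(conn, "111"),              # wrong length -> None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
    print("fullwidth 11 (isdigit, strict):", loose_vs_strict("\uff11\uff11"))
```

The answer to "can you SQL inject with 2 digits?" falls out of `safe_query`: once the input has been reduced to a string that is provably two ASCII digits, there is no quote, comment marker or keyword left to break out of the statement, and binding the value with `?` means that even a future change to the check cannot turn it back into SQL text.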

stevelibby

6:19 pm on Sep 9, 2006 (gmt 0)

10+ Year Member



I have set it up sliced and diced, as you say, to only accept 2 digits, and only 2 digits. Can you SQL inject with 2 digits? I'm a little confused after "page".

mrMister

3:22 am on Sep 17, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member




id=request("id")
IF NOT isNumeric(id) server.transfer "go-away-you-hacker.asp"

I know it's just pseudo-code, but I thought it'd be useful to point out that in ASP it's important to close the database connection before performing a Server.Transfer.

I agree with the IsNumeric way of doing things. Validation is best performed by making sure that the data type is correct and that the data is correctly formatted.

stevelibby

11:34 am on Sep 18, 2006 (gmt 0)

10+ Year Member



I have just tried to put in the line of code that was posted and it has not worked. Any ideas?