Forum Moderators: coopster & jatar k

testing for sql injection

how?

     
8:40 am on Nov 23, 2009 (gmt 0)

Full Member

10+ Year Member

joined:Dec 12, 2007
posts:233
votes: 0


Hello,

Which script should I type in a text field/textarea or even login textbox in order to make sure that the MySQL database is protected against SQL attacks? Is it possible to attack a MySQL database online when you don't know the connection parameters, names of databases and tables, and form password?

Thanks

11:36 pm on Nov 23, 2009 (gmt 0)

Full Member

10+ Year Member

joined:June 1, 2007
posts:201
votes: 0


It is not just one thing you should be checking for and some good info is available on the web. You could start by searching owasp in Google and see what that brings up as a start.

3:40 am on Nov 24, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 28, 2004
posts:7999
votes: 0


Is it possible to attack mysql database online when you don't know the connection parameters, names of databases and tables' and form password?

Yes.

You do the connection and table selection for them. What is done is your queries are appended by an unfiltered string. So if you have "select * from table where q='1234'" they don't need to know anything, except how to change it to "select * from table where q=1234 and 1=1". This oversimplified example will display all results in the table because 1 will always equal 1.

I'm by no means an "expert" in this area but have managed to pass PCI compliance scans. It really is a bit more complicated than a one-off answer. A good place to start, though, is if any input data is echoed back to the page unfiltered, you have a potential security hole.

So if you have a search form with the name "q" and you do stuff like this,

echo "{$_POST['q']}";

It's vulnerable.

Consider also that these kinds of attacks never even visit the form. Don't need to, it's generally done via direct command line post/get.

Here is one simple XSS method. Request this on your site, changing "q" for some named element in any of your forms:

...yoursite.com/yourscript.php?q=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E

All it will do is give a simple JavaScript alert, "123." But if it does, your programming is vulnerable to XSS.

A simple mysql injection, using or 1=1:

..yoursite.com/yourscript.php?q=3273%20OR%201=1

where "3273" is a valid record resource in your database.

May not work, as this site may render some of the encoded characters.

These are easily thwarted on their own, but it's a little more complex than just the samples here.

7:50 am on Nov 24, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member dreamcatcher is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 30, 2003
posts:3719
votes: 0


Chris Shiflett has some excellent articles on his website in regards to XSS and SQL injections, so you might want to read that. There is also an excellent O'Reilly book called 'Essential PHP Security', which is well worth picking up.

dc

9:27 am on Nov 24, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member topr8 is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 19, 2002
posts:3514
votes: 87


i'd concur on the 'Essential PHP Security' book, it's very short and relatively cheap, the principles would also apply if you were using a different scripting language too.

the basic principles are that you should consider all input to your application as potentially dangerous and you must check it.
check it means - check that it is the type of data that you were expecting, eg an alphanumeric string of up to 50 characters for instance; whitelist what is allowed rather than blacklist what isn't (because you might forget something with the blacklist method); do not clean incorrect data, reject it.
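
The test requests from rocknbil's post, run against a concatenated query and against the "check the type, reject, don't clean" approach topr8 describes, as an added example that is not part of the thread. It assumes PHP with PDO and uses an in-memory SQLite database in place of MySQL; the table `records` and all function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Table, column and function names are
// hypothetical; in-memory SQLite stands in for the MySQL database discussed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO records VALUES (3273, 'first'), (3274, 'second'), (3275, 'third')");

// Vulnerable: the request value is concatenated into the SQL text.
function lookupConcatenated(PDO $db, string $q): array
{
    return $db->query("SELECT id, title FROM records WHERE id = $q")->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: reject anything that is not the expected type (whitelist, no cleaning),
// then bind the value so it can never become part of the SQL text.
function lookupValidated(PDO $db, string $q): array
{
    if (!preg_match('/\A[0-9]{1,10}\z/', $q)) {
        throw new InvalidArgumentException('q must be 1 to 10 digits');
    }
    $stmt = $db->prepare('SELECT id, title FROM records WHERE id = :id');
    $stmt->bindValue(':id', (int) $q, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output side: encode before echoing so markup in q is displayed, not executed.
function echoSafe(string $q): string
{
    return htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed test inputs: the decoded q values from the requests in the thread.
$probes = ['3273', '3273 OR 1=1', '"><script>alert(123)</script>'];
foreach ($probes as $q) {
    try {
        $vuln = count(lookupConcatenated($db, $q)) . ' row(s)';
    } catch (PDOException $e) {
        $vuln = 'SQL error';   // a syntax error caused by user input is itself a finding
    }
    try {
        $safe = count(lookupValidated($db, $q)) . ' row(s)';
    } catch (InvalidArgumentException $e) {
        $safe = 'rejected';
    }
    printf("%-30s concatenated=%-9s validated=%-8s echoed=%s\n", $q, $vuln, $safe, echoSafe($q));
}
```

A query that returns more rows than the single id requested, or a database error triggered by the input, is the signal to look for when running the same requests against your own scripts.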