Re: PHP and MySQL

[dork () gmx at]

On Wednesday 18 January 2006 21:13, John Madden wrote:
> Hi,
>
> I'm pentesting a web site and i get the following
> error message while using a single quote: ex.
> /confirm.php?conf='test123

as stated by others, "' OR 1=1" can be better - if the output only fetches
one single line, you might try appending LIMIT too for stepping through the
resultset.

> Warning: mysql_fetch_row(): supplied argument is not a
> valid MySQL result resource in /xx/xx/confirm.php on
> line 5

display errors is one thing, a missing clause another. if the statement
execution returns false, the script should not get there.

> I've looked up the error and attemped numerous
> variations like '1==1; etc... but i always get the
> same error.
>
> As anyone been succesful in getting information this
> way ? If so how?
>
> And how do we fix this vulnerability ? Besides the PHP
> code itself (sanitize user input), is it a PHP setting
> (php.ini) ?

the possibly best way would be using prepared statements, depending on the
versions of mysql & php.
if you only fill in values to prepared variables, no input can break out -
at least not because of your script. it does not mean that you don't have to
stay careful, but normal queries can be considered being "safe" then.

ad php.ini setting: in theory, magic quotes could help. but input validation
is more accurate, leads to less overhead and keeping them off makes it
easier to keep your application portable. for this and other reasons, there
are plans to discontinue this feature in future (see
http://www.php.net/~derick/meeting-notes.html#magic-quotes ).

to validate your input, there is a new and convenient way within the php
core distribution since 5.1.1, older versions can retrieve it via pecl:
http://pecl.php.net/package/filter

in other special cases, you could use preg definition arrays too:
<?php
$checks = Array(
 'tab' => '%^\t$%',
 'str' => '%^[a-d0-6]{4}$%i');
foreach($checks As $field=>$regex) {
 if(isset($_GET[$field])) {
   if(!preg_match($regex,$_GET[$field])) {
     // error handling wrong input, default, output, whatever
   } 
// paranoid part __start__
     else {
       $internal[$field] = $_GET[$field];
   }
// paranoid part __stop__
 } else {
   // error handling obligatory field not set - default, output, whatever
 }
}
?>
usage of regex arrays on "simple" input has rather poor performance in
comparison to typecasts, ctype, is_numeric, common range checks and (most,
not all) string operations.
the paranoid part can be left out, if your error handling is restrictive
enough and you are sure for having checked any variable you actually use 

but since both of us are reading and posting in this list - *hmm* maybe..
ok, we are paranoid :)

> Thanks for your help
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com

-- 
10 GB Mailbox, 100 FreeSMS/Monat http://www.gmx.net/de/go/topmail
+++ GMX - die erste Adresse für Mail, Message, More +++

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------