Penetration Testing mailing list archives
Re: PHP and MySQL
From: dork () gmx at
Date: Fri, 20 Jan 2006 00:08:54 +0100 (MET)
On Wednesday 18 January 2006 21:13, John Madden wrote:
Hi, I'm pentesting a web site and i get the following error message while using a single quote: ex. /confirm.php?conf='test123
as stated by others, "' OR 1=1" can be better - if the output only fetches one single line, you might try appending LIMIT too for stepping through the resultset.
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /xx/xx/confirm.php on line 5
display errors is one thing, a missing clause another. if the statement execution returns false, the script should not get there.
I've looked up the error and attemped numerous variations like '1==1; etc... but i always get the same error. As anyone been succesful in getting information this way ? If so how? And how do we fix this vulnerability ? Besides the PHP code itself (sanitize user input), is it a PHP setting (php.ini) ?
the possibly best way would be using prepared statements, depending on the versions of mysql & php. if you only fill in values to prepared variables, no input can break out - at least not because of your script. it does not mean that you don't have to stay careful, but normal queries can be considered being "safe" then. ad php.ini setting: in theory, magic quotes could help. but input validation is more accurate, leads to less overhead and keeping them off makes it easier to keep your application portable. for this and other reasons, there are plans to discontinue this feature in future (see http://www.php.net/~derick/meeting-notes.html#magic-quotes ). to validate your input, there is a new and convenient way within the php core distribution since 5.1.1, older versions can retrieve it via pecl: http://pecl.php.net/package/filter in other special cases, you could use preg definition arrays too: <?php $checks = Array( 'tab' => '%^\t$%', 'str' => '%^[a-d0-6]{4}$%i'); foreach($checks As $field=>$regex) { if(isset($_GET[$field])) { if(!preg_match($regex,$_GET[$field])) { // error handling wrong input, default, output, whatever } // paranoid part __start__ else { $internal[$field] = $_GET[$field]; } // paranoid part __stop__ } else { // error handling obligatory field not set - default, output, whatever } } ?> usage of regex arrays on "simple" input has rather poor performance in comparison to typecasts, ctype, is_numeric, common range checks and (most, not all) string operations. the paranoid part can be left out, if your error handling is restrictive enough and you are sure for having checked any variable you actually use but since both of us are reading and posting in this list - *hmm* maybe.. ok, we are paranoid :)
Thanks for your help __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
-- 10 GB Mailbox, 100 FreeSMS/Monat http://www.gmx.net/de/go/topmail +++ GMX - die erste Adresse für Mail, Message, More +++ ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- PHP and MySQL John Madden (Jan 18)
- Re: PHP and MySQL AdamT (Jan 19)
- Re: PHP and MySQL Josh Zlatin-Amishav (Jan 19)
- <Possible follow-ups>
- RE: PHP and MySQL Derick Anderson (Jan 19)
- Re: PHP and MySQL dork (Jan 20)
- Re: PHP and MySQL Edy (Jan 23)