Have been hacked ????

  • Bob Bedford

    Have been hacked ????

    My database suddenly disappeared from my ISP. I've logged in and the
    database doesn't exist anymore.

    I don't know anything about website hacking, so my code is possibly open for
    hackers.

    I've my local code and would like to know if my code is open for hackers.
    I'd like to see if it's possible to drop a database by simply insert mysql
    statement in any field (text box or anything). Does anybody know how to
    check ?

    Bob


  • Michael Fesser

    #2
    Re: Have been hacked ????

    .oO(Bob Bedford)
    >I've my local code and would like to know if my code is open for hackers.
    >I'd like to see if it's possible to drop a database by simply insert mysql
    >statement in any field (text box or anything). Does anybody know how to
    >check ?

    Google for (Advanced) SQL Injection.

    Micha


    • Bob Bedford

      #3
      Re: Have been hacked ????

      Thanks for your reply Michael.
      >>I've my local code and would like to know if my code is open for hackers.
      >>I'd like to see if it's possible to drop a database by simply insert mysql
      >>statement in any field (text box or anything). Does anybody know how to
      >>check ?
      >
      > Google for (Advanced) SQL Injection.
      I can't check the injection technique: here is my code:
      $colname_Recordset1 = $HTTP_POST_VARS['User'];
      $colname_Recordset2 = $HTTP_POST_VARS['Pass'];
      $query_Recordset1 = "SELECT * FROM person WHERE User =
      \"$colname_Recordset1\" AND Pass = \"$colname_Recordset2\";";

      I insert this (user/pass):
      " OR 1="1
      " OR 1="1
      Now, the query result is:
      SELECT * FROM person WHERE User = "\" OR 1=\"1" AND Pass = "\" OR 1=\"1";

      How to be sure it can't be hacked ?



      • Chris Hope

        #4
        Re: Have been hacked ????

        Bob Bedford wrote:
        > Thanks for your reply Michael.
        >
        >>>I've my local code and would like to know if my code is open for hackers.
        >>>I'd like to see if it's possible to drop a database by simply insert
        >>>mysql statement in any field (text box or anything). Does anybody know
        >>>how to check ?
        >>
        >> Google for (Advanced) SQL Injection.
        > I can't check the injection technique: here is my code:
        > $colname_Recordset1 = $HTTP_POST_VARS['User'];
        > $colname_Recordset2 = $HTTP_POST_VARS['Pass'];
        > $query_Recordset1 = "SELECT * FROM person WHERE User =
        > \"$colname_Recordset1\" AND Pass = \"$colname_Recordset2\";";
        >
        > I insert this (user/pass):
        > " OR 1="1
        > " OR 1="1
        > Now, the query result is:
        > SELECT * FROM person WHERE User = "\" OR 1=\"1" AND Pass = "\" OR 1=\"1";
        >
        > How to be sure it can't be hacked ?

        You can *never* *ever* trust data that comes from a post, a get or a cookie,
        and must *always* escape quotes in strings (or use database libraries that
        do it for you with placeholders in the queries, or via the use of stored
        procedures if the DBMS supports them).

        So in your example above, you should be doing the following:

        $colname_Recordset1 = addslashes($HTTP_POST_VARS['User']);
        $colname_Recordset2 = addslashes($HTTP_POST_VARS['Pass']);

        OR

        $colname_Recordset1 = mysql_escape_string($HTTP_POST_VARS['User']);
        $colname_Recordset2 = mysql_escape_string($HTTP_POST_VARS['Pass']);

        OR

        $colname_Recordset1 = mysql_real_escape_string($HTTP_POST_VARS['User']);
        $colname_Recordset2 = mysql_real_escape_string($HTTP_POST_VARS['Pass']);

        If it's an integer value you are expecting then cast it as one like so:

        $trusted_integer_value = (int)$HTTP_POST_VARS['untrusted_value'];

        If you don't do this, someone may be able to figure out how to modify the
        query by passing a quote character (especially if any errors such as the
        query itself are output to the web page in the event of an error), end the
        query so it is valid, and then start another query which deletes all data
        from the table, or something else similar.

        --
        Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com/

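Bob's test in post #3 and Chris's three remedies above, as an added example that is not code from the thread. It is Python rather than PHP, with an in-memory SQLite database standing in for MySQL (the `person` table and its two rows are constructed for the demo) and single-quoted string literals, so the payload is `' OR '1'='1` rather than Bob's double-quoted variant. The login query is built three ways: interpolated like the posted code, escaped the way Chris describes (doubling the quote is SQLite's equivalent of `mysql_real_escape_string()`, which on MySQL also escapes backslashes and respects the connection charset, unlike `addslashes()`), and with placeholders; a fourth function applies the `(int)` cast to a numeric id. All function names are my own.

```python
import sqlite3

# Constructed demo data: an in-memory SQLite table standing in for the MySQL
# "person" table in the thread; column names match the posted query.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE person (id INTEGER PRIMARY KEY, User TEXT, Pass TEXT)")
    con.executemany("INSERT INTO person (User, Pass) VALUES (?, ?)",
                    [("bob", "secret"), ("alice", "hunter2")])
    return con

# Bob's payload, adapted to single-quoted literals.
PAYLOAD = "' OR '1'='1"

def login_vulnerable(con, user, password):
    """Query built by interpolation, like the posted code. The input becomes
    SQL text: the first quote closes the literal and the rest is parsed."""
    sql = f"SELECT * FROM person WHERE User = '{user}' AND Pass = '{password}'"
    return con.execute(sql).fetchall()

def escape_string(s):
    """SQLite counterpart of mysql_real_escape_string(): a quote inside a
    literal is written twice. (MySQL's function also escapes backslashes and
    respects the connection charset, which addslashes() does not.)"""
    return s.replace("'", "''")

def login_escaped(con, user, password):
    """Same interpolated query, but every input is escaped first, so the
    payload is compared as a literal string and matches nobody."""
    sql = (f"SELECT * FROM person WHERE User = '{escape_string(user)}' "
           f"AND Pass = '{escape_string(password)}'")
    return con.execute(sql).fetchall()

def login_parameterized(con, user, password):
    """Placeholders: the SQL text is fixed and the values are bound
    separately, so no input can alter the statement's structure."""
    sql = "SELECT * FROM person WHERE User = ? AND Pass = ?"
    return con.execute(sql, (user, password)).fetchall()

def person_by_id(con, untrusted_id):
    """Numeric field: cast to int first, as post #4 suggests, so text such
    as '1 OR 1=1' never reaches the query at all."""
    try:
        person_id = int(untrusted_id)
    except (TypeError, ValueError):
        return []
    return con.execute("SELECT * FROM person WHERE id = ?", (person_id,)).fetchall()

if __name__ == "__main__":
    con = make_db()
    for name, fn in (("interpolated", login_vulnerable),
                     ("escaped", login_escaped),
                     ("parameterized", login_parameterized)):
        rows = fn(con, PAYLOAD, PAYLOAD)
        print(f"{name:13s}: payload returned {len(rows)} row(s)")
    print("real login   :", login_parameterized(con, "bob", "secret"))
    print("id '1 OR 1=1':", person_by_id(con, "1 OR 1=1"))
```

Against the interpolated query the payload returns every row, because the WHERE clause parses as `User = '' OR ('1'='1' AND Pass = '') OR '1'='1'`; the escaped and parameterized versions return nothing for it while still matching a real user/password pair.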

        • Michael Fesser

          #5
          Re: Have been hacked ????

          .oO(Bob Bedford)
          >Thanks for your reply Michael.
          >
          >>>I've my local code and would like to know if my code is open for hackers.
          >>>I'd like to see if it's possible to drop a database by simply insert mysql
          >>>statement in any field (text box or anything). Does anybody know how to
          >>>check ?
          >>
          >> Google for (Advanced) SQL Injection.
          >I can't check the injection technique: here is my code:
          >$colname_Recordset1 = $HTTP_POST_VARS['User'];

          Use $_POST instead, the old $HTTP_*_VARS arrays are deprecated.

          >$colname_Recordset2 = $HTTP_POST_VARS['Pass'];
          >$query_Recordset1 = "SELECT * FROM person WHERE User =
          >\"$colname_Recordset1\" AND Pass = \"$colname_Recordset2\";";

          Use single quotes around strings in a query. Double quotes are a MySQL
          extension to the SQL standard and might not work on all systems.
          >I insert this (user/pass):
          >" OR 1="1
          >" OR 1="1
          >Now, the query result is:
          >SELECT * FROM person WHERE User = "\" OR 1=\"1" AND Pass = "\" OR 1=\"1";

          Looks like PHP's magic quotes take effect, but I wouldn't rely on that.

          In fact in my code I use a kind of input filter function to remove the
          magic quotes before my application code gets its hands on the data. This
          way I can do all the necessary escaping stuff on my own and don't have
          to rely on a particular configuration setting.
          >How to be sure it can't be hacked ?

          Most important rule: Never trust any user-submitted data. Never.
          Everything(!) that comes in via GET or POST can be manipulated.
          Really everything, even the content of hidden or read-only form fields.

          Before using a user-submitted data in a query think about what values
          are allowed and validate/adjust accordingly:

          * If the field is numeric it's pretty simple, use intval() for casting
          to an integer or something like that.

          * If one value from a given set of values is allowed, store all allowed
          values in an array and use in_array() to check if the submitted value is
          an allowed one.

          * Strings are a bit more difficult. With MySQL it should be enough to
          run the submitted data through mysql_escape_string(), this will escape
          all special characters like single quotes. First check the setting of
          the magic quotes with get_magic_quotes_gpc() to avoid double escaping.

          It would make sense to write some simple functions for handling the
          data, so you don't have to write the validation code again and again.

          Second important rule: Even if the data made it successfully into the
          database doesn't mean the danger is over. Whenever you fetch some data
          from your db to re-use it in another query validate again. Otherwise an
          attacker might be able to inject code that doesn't work on the first
          insert, but on the re-using of the data (second-order SQL injection).

          HTH
          Micha

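Michael's second rule (second-order injection) and his in_array() whitelist, as an added example that is not from the thread. Python with an in-memory SQLite database again stands in for PHP and MySQL; the `person` rows, the attacker-chosen username `admin' --` and every function name are constructed for the demo. Registration is parameterized correctly, yet a later password-change query that trusts the username it reads back from the database is still injectable. The whitelist guards an ORDER BY column, which placeholders cannot cover because it is an identifier rather than a value.

```python
import sqlite3

ATTACKER_NAME = "admin' --"                  # constructed attacker-chosen username
ALLOWED_SORT_COLUMNS = ("User", "created")   # the in_array() rule from post #5

# Constructed demo data: in-memory SQLite standing in for MySQL.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE person (User TEXT PRIMARY KEY, Pass TEXT, created INTEGER)")
    con.execute("INSERT INTO person VALUES ('admin', 'admin-secret', 1)")
    return con

def register(con, user, password):
    """First use of the data: parameterized, so the quote in ATTACKER_NAME is
    stored as plain data. Nothing goes wrong here."""
    con.execute("INSERT INTO person (User, Pass, created) VALUES (?, ?, ?)",
                (user, password, 2))

def change_password_vulnerable(con, user, new_password):
    """Second use: the username is read back from the database and trusted
    because 'it was validated when it came in'. Only the stored name is
    interpolated; the new password is still bound."""
    stored = con.execute("SELECT User FROM person WHERE User = ?",
                         (user,)).fetchone()[0]
    sql = f"UPDATE person SET Pass = ? WHERE User = '{stored}'"
    # With stored == "admin' --" the WHERE clause becomes   User = 'admin' --'
    # and the SQL comment swallows the closing quote: admin's password changes.
    con.execute(sql, (new_password,))

def change_password_safe(con, user, new_password):
    """Validate (here: bind) on every use, not just on the way in."""
    stored = con.execute("SELECT User FROM person WHERE User = ?",
                         (user,)).fetchone()[0]
    con.execute("UPDATE person SET Pass = ? WHERE User = ?", (new_password, stored))

def admin_password_after_attack(fix_applied):
    """Register the attacker, let them change 'their own' password, and
    report what admin's password is afterwards."""
    con = make_db()
    register(con, ATTACKER_NAME, "attacker-pw")
    change = change_password_safe if fix_applied else change_password_vulnerable
    change(con, ATTACKER_NAME, "owned")
    return con.execute("SELECT Pass FROM person WHERE User = 'admin'").fetchone()[0]

def is_allowed_sort(column):
    return column in ALLOWED_SORT_COLUMNS

def list_people(con, sort_column):
    """ORDER BY takes an identifier, which placeholders cannot bind, so the
    value is checked against a fixed whitelist before it touches the SQL."""
    if not is_allowed_sort(sort_column):
        raise ValueError(f"unexpected sort column: {sort_column!r}")
    return [row[0] for row in con.execute(f"SELECT User FROM person ORDER BY {sort_column}")]

if __name__ == "__main__":
    print("admin password, vulnerable code:", admin_password_after_attack(False))
    print("admin password, fixed code     :", admin_password_after_attack(True))
    print("sorted by User:", list_people(make_db(), "User"))
    print("sort column 'User; DROP TABLE person' allowed?",
          is_allowed_sort("User; DROP TABLE person"))
```

The vulnerable path ends with admin's password set to "owned" even though the attacker never sent a quote to the password-change form: the quote arrived earlier, was stored correctly, and was trusted on its way back out.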

          • Lozarythmic

            #6
            Re: Have been hacked ????

            Don't know if I am missing something here as I'm a bit of a PHP/SQL
            newb but here goes:

            Surely if the correct permissions are given to the web user,
            tables/databases cannot be dropped?

            The account on my machine which is used by webusers is restricted to
            select, update, delete etc. and drop is most certainly not allowed!

            Stop me if I'm missing something obvious :)


            • Chris Hope

              #7
              Re: Have been hacked ????

              Lozarythmic wrote:
              > Don't know if I am missing something here as I'm a bit of a PHP/SQL
              > newb but here goes:
              >
              > Surely if the correct permissions are given to the web user,
              > tables/databases cannot be dropped?
              >
              > The account on my machine which is used by webusers is restricted to
              > select, update, delete etc. and drop is most certainly not allowed!
              >
              > Stop me if I'm missing something obvious :)

              Even if you don't have rights to drop a table, you can still do a lot of
              damage with delete rights. delete * from tablename is pretty damaging...

              --
              Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com/

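Lozarythmic's point and Chris's reply, as an added example that is not from the thread. SQLite's authorizer callback stands in for a MySQL GRANT that withholds DROP from the web account (SQLite has no GRANT of its own); the table, its rows and the function names are constructed for the demo. DROP is refused as intended, but a DELETE whose unquoted numeric id is interpolated into the query still empties the table, which is why the cast to int from post #4 matters even when privileges are restricted.

```python
import sqlite3

# Constructed demo data: an in-memory SQLite table standing in for MySQL.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE person (id INTEGER PRIMARY KEY, User TEXT)")
    con.executemany("INSERT INTO person (User) VALUES (?)",
                    [("bob",), ("alice",), ("carol",)])
    con.commit()
    return con

# Stand-in for "GRANT SELECT, INSERT, UPDATE, DELETE ... TO the web account":
# SQLite consults the authorizer for every operation while a statement is
# compiled, and SQLITE_DENY makes that statement fail with "not authorized".
DENIED_ACTIONS = {sqlite3.SQLITE_DROP_TABLE, sqlite3.SQLITE_DROP_TEMP_TABLE}

def restrict_like_web_account(con):
    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        return sqlite3.SQLITE_DENY if action in DENIED_ACTIONS else sqlite3.SQLITE_OK
    con.set_authorizer(authorizer)

def delete_person_vulnerable(con, untrusted_id):
    """Numeric column, value interpolated unquoted: the attacker does not even
    need a quote character to change the WHERE clause."""
    con.execute(f"DELETE FROM person WHERE id = {untrusted_id}")

def delete_person_safe(con, untrusted_id):
    """Cast first (the (int) cast from post #4), then bind the value."""
    person_id = int(untrusted_id)          # raises ValueError on "1 OR 1=1"
    con.execute("DELETE FROM person WHERE id = ?", (person_id,))

# Three things an attacker might try through the restricted account.
def attack_drop(con):
    con.execute("DROP TABLE person")

def attack_delete_all(con):
    delete_person_vulnerable(con, "1 OR 1=1")

def attack_delete_all_against_safe_code(con):
    delete_person_safe(con, "1 OR 1=1")

def rows_left_after(attack):
    """Run one attack against a fresh, privilege-restricted database and
    report how many rows survive."""
    con = make_db()
    restrict_like_web_account(con)
    try:
        attack(con)
    except (sqlite3.DatabaseError, ValueError) as exc:
        print(f"{attack.__name__}: blocked ({exc})")
    return con.execute("SELECT COUNT(*) FROM person").fetchone()[0]

if __name__ == "__main__":
    for attack in (attack_drop, attack_delete_all, attack_delete_all_against_safe_code):
        print(f"{attack.__name__}: {rows_left_after(attack)} row(s) left")
```

The restricted account keeps all three rows when DROP is attempted and when the safe code rejects the non-numeric id, but loses every row to the interpolated DELETE: least privilege limits the blast radius, it does not replace input validation.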
