openSUSE Forums > Soapbox » another newbie who forgot to sanitise user input

#1
15-Jul-2009, 19:38
ken_yap
another newbie who forgot to sanitise user input

http://imgur.com/QHKXu.png

I hope the programmer has realised now why his participation figures are so low.
#2
15-Jul-2009, 22:22
caf4926 (Global Moderator)
Re: another newbie who forgot to sanitise user input

Moved to a seemingly more appropriate part of the forum
#3
16-Jul-2009, 01:52
ken_yap
Re: another newbie who forgot to sanitise user input

I'm not really fussed about it, but it actually is relevant to the Programming and Scripting forum. It's a good demonstration of a SQL injection attack on a web app and not my opinion.
#4
16-Jul-2009, 02:35
caf4926 (Global Moderator)
Re: another newbie who forgot to sanitise user input

Quote:
Originally Posted by ken_yap
I'm not really fussed about it, but it actually is relevant to the Programming and Scripting forum. It's a good demonstration of a SQL injection attack on a web app and not my opinion.
6 of one and half a dozen of the other...
Not really a question, that's all. No offence intended
#5
16-Jul-2009, 05:02
consused
Re: another newbie who forgot to sanitise user input

Err... I'll take 4 from your dozen as I think it belongs in chit-chat since it is somewhat light-hearted and a bit of a joke.
#6
16-Jul-2009, 05:06
ken_yap
Re: another newbie who forgot to sanitise user input

Ok! Put a copy in each forum. Just kidding.

Yes, I thought it was a bit of a joke. Even sounded like an ethnic family name: Robert Drop-Table Names.

But not so funny if there's more important data on the machine at stake. Wannabe PHP programmers pay attention!
#7
01-Aug-2009, 09:22
CanOfWires
Re: another newbie who forgot to sanitise user input

Wait, how's this bad input sanitizing? It seems sanitized to:

"Robert\'); DROP TABLE Names;"

as in

INSERT INTO Names (name, nameid) VALUES ('Robert\'); DROP TABLE Names;', 123);

Otherwise the string would be executed as SQL, not returned to page as data.
#8
01-Aug-2009, 11:47
ken_yap
Re: another newbie who forgot to sanitise user input

Look at the number of visitors: 1

Probably because the DROP TABLE was executed and cleared all the previous entries. The programmer probably wrote something like this:

Code:
$db->query("INSERT INTO Names VALUES($id,'$name')");
Now think, what happens to the argument to $db->query() if $name happens to contain this string, entered at the web interface:

Code:
Robert'); DROP TABLE Names; ('
I put in the (' just to make the single quotes balance, but I think the DROP TABLE would get executed even without them and the last statement isn't syntactically valid.

The moral of the story is, the input value $name should have been sanitised to escape special SQL characters, or statements with placeholders should have been used.
#9
01-Aug-2009, 11:59
CanOfWires
Re: another newbie who forgot to sanitise user input

Drop table does not clear a table, it drops it. Therefore a select from it would result in an error, missing the table.

So I'm guessing either there was no SQL injection, or the site carries the name through session/cache to the next page.

The number of certificates issued (#1) suggests there was a SQL injection, but:

- table would be dropped, not truncated
- would result in an SQL error selecting from non-existent table
- dropping the table would make it impossible to COUNT and get #1, UNLESS the site automagically recreates missing tables which I doubt. In which case, the name would be empty.
#10
01-Aug-2009, 18:14
ken_yap
Re: another newbie who forgot to sanitise user input
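Added example (not code from the thread or from the site in the screenshot): the string-built INSERT that ken_yap sketches in post #8, rebuilt in Python with the standard sqlite3 module next to the placeholder version he recommends, plus the SELECT COUNT(*) behaviour CanOfWires reasons about in post #9. PHP is replaced by Python so the example runs offline; executescript() is used on the unsafe path as a stand-in for a driver that runs stacked statements (an assumption, since the thread never names the database layer). The table name Names, the column pair (nameid, name) and the payload string are the ones quoted in the thread; the seed rows and helper names are constructed for this example.

```python
import sqlite3

# Payload exactly as quoted in post #8 (the trailing (' balances the quotes).
PAYLOAD = "Robert'); DROP TABLE Names; ('"


def fresh_db():
    """In-memory database with the Names table from the thread, seeded with
    two constructed rows so COUNT(*) has something to count."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Names (nameid INTEGER, name TEXT)")
    conn.executemany("INSERT INTO Names VALUES (?, ?)", [(1, "Alice"), (2, "Bob")])
    conn.commit()
    return conn


def insert_unsafe(conn, nameid, name):
    """Query built by string interpolation, the shape of
    $db->query("INSERT INTO Names VALUES($id,'$name')") from post #8.
    executescript() runs each statement in turn (assumed stand-in for a
    stacked-statement driver), so the INSERT and the DROP TABLE both run
    before the dangling ('') fails to parse. Returns the error text, or None."""
    sql = "INSERT INTO Names VALUES(%d,'%s')" % (nameid, name)
    try:
        conn.executescript(sql)
        return None
    except sqlite3.Error as exc:
        return str(exc)  # earlier statements in the script have already executed


def insert_safe(conn, nameid, name):
    """Placeholder version: the driver binds name as a single value, so the
    payload is stored as text and never interpreted as SQL."""
    conn.execute("INSERT INTO Names VALUES(?, ?)", (nameid, name))
    conn.commit()


def table_exists(conn, table):
    """Defender's check: does the table still exist in the schema catalogue?"""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (table,)
    ).fetchone()
    return row is not None


def visitor_count(conn):
    """The SELECT COUNT(*) behind a 'you are visitor N' message. Returns an
    integer, or None when the table is gone (the missing-table error from post #9)."""
    try:
        return conn.execute("SELECT COUNT(*) FROM Names").fetchone()[0]
    except sqlite3.OperationalError:
        return None


def demo():
    """Run both paths against a fresh database each and collect what a
    reviewer would check afterwards."""
    results = {}

    db = fresh_db()
    results["unsafe_error"] = insert_unsafe(db, 123, PAYLOAD)
    results["unsafe_table_exists"] = table_exists(db, "Names")  # False: dropped
    results["unsafe_count"] = visitor_count(db)                 # None: COUNT fails

    db = fresh_db()
    insert_safe(db, 123, PAYLOAD)
    results["safe_table_exists"] = table_exists(db, "Names")    # True
    results["safe_count"] = visitor_count(db)                   # 3: two seeds + Robert
    results["safe_stored_name"] = db.execute(
        "SELECT name FROM Names WHERE nameid = 123"
    ).fetchone()[0]                                              # the payload, as plain text
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Note that on the unsafe path the DROP TABLE has already run by the time the malformed trailing statement raises, which is the point ken_yap makes about the unbalanced version still being dangerous; on the safe path the same input simply becomes a row whose name column contains the literal payload.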

You don't know what else the application does after that particular part of the code, maybe it recreates the table if it doesn't exist. Or maybe the code simply assumes that no rows is 0, even though SELECT COUNT(*) fails and continues to increment that by 1. That welcome message could be code doing something like this:

Code:
echo "Welcome $name, you are visitor $count";
thus making the injection obvious. You may speculate about the exact details, and since neither you nor I have seen the code, anything goes. You may even argue that this is a faked screenshot. However there's no arguing that SQL injection does exist as a hazard to programmers who don't take care.