URL Injection Protection. Take it Seriously



Emancipator
08-15-2009, 09:14 AM
Get your attention? Hope so. I got hacked severely by the most innocent means and wanted to share the outcome with you all. Little did I realize that, by not validating URL parameters VERY carefully, somebody could do some serious damage, including looking up passwords, etc.

The simple way I am now protecting my queries is with an INTVAL check.

When you do a lookup, let's say website.com/news.php?id=1, I can ADD SQL to the end of that 1 and do all kinds of things. Example:

website.com/news.php?id=1; Drop Table *
website.com/news.php?id=1; INSERT USERS *

Scary, wouldn't you say? I am now using two means to protect pages that use an ID parameter. At the very start of my code I check the id as follows now:

if (!is_numeric($_GET['id'] ?? '')) { header('Location: /'); exit; } // not a number: send them to the homepage

If it's NOT a number, I kick them to my homepage. Why? They clearly messed with my URL and don't really want to read my news. If it's not a number, the news won't load, you get dumped.

As a secondary and redundant measure I also cleaned my query.

$colname_news = intval($_GET['id'] ?? 0); // second check: force the id to an integer before it reaches the query
$query_news = sprintf("SELECT * FROM news WHERE id = %s", $colname_news); // table name "news" assumed

All I am doing here is converting the ID to a number. So if for WHATEVER reason my first check failed (don't see how it could), I convert the ID to an int before it goes into my query. That way if somebody did this:

website.com/news.php?id=1; INSERT USERS *

It would still only be 1. INTVAL drops the '; Insert users *'.

Hopefully this helps somebody. I am by no means done with my code improvements and am no expert. Feedback welcome.
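
The two checks from the post (is_numeric() on the raw parameter, then intval() before the query), side by side with the vulnerable pattern, a stricter integer filter and a prepared statement for parameters that are not integers; this is an added PHP example, not the poster's code, and the `news` table and the PDO handle are assumptions.

```php
<?php
// Added example, not the original poster's code: the post's two checks,
// the vulnerable pattern they replace, a stricter filter, and a prepared
// statement. The "news" table and the PDO connection are assumptions.
declare(strict_types=1);

// Vulnerable pattern the post warns about: the raw parameter lands in SQL.
function unsafe_query(string $rawId): string
{
    return "SELECT * FROM news WHERE id = " . $rawId;
}

// The post's approach: reject non-numeric input (caller redirects home),
// then intval() whatever is left so only an integer reaches the query.
function validated_news_id(array $get): ?int
{
    if (!isset($get['id']) || !is_numeric($get['id'])) {
        return null;
    }
    return intval($get['id']);
}

// Stricter variant: is_numeric() also accepts "1.5" or "007", which intval()
// silently turns into 1 and 7; FILTER_VALIDATE_INT rejects them outright.
function strict_news_id(array $get): ?int
{
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// For string parameters intval() is no help; a prepared statement keeps the
// value out of the SQL text whatever its type.
function load_news(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT * FROM news WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs mirroring the post's examples.
foreach (['1', '1; Drop Table *', 'abc', '1.5', '007'] as $raw) {
    $loose  = validated_news_id(['id' => $raw]);
    $strict = strict_news_id(['id' => $raw]);
    printf("%-20s loose: %-7s strict: %s\n", var_export($raw, true),
        $loose === null ? 'reject' : $loose, $strict ?? 'reject');
}
```

Running it shows '1.5' and '007' passing the loose checks as 1 and 7 while the strict filter rejects both; the prepared statement is the form to use once a parameter is anything other than an integer id.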

Chris
08-17-2009, 06:05 AM
How did you get hacked?

I recently got hacked too, don't know how. They inserted an iframe to some Russian site into my index.php file. Of course, that is a file system thing, not an SQL thing.

Emancipator
08-17-2009, 06:10 AM
How did you get hacked?

I recently got hacked too, don't know how. They inserted an iframe to some Russian site into my index.php file. Of course, that is a file system thing, not an SQL thing.

What happened to you is exactly what happened to me. SQL injection is scary easy to do. If you shoot me the link to the page (via email) I will look at it for you. I am no expert but I certainly have learned a lot after getting jacked.

Mr. Pink
08-17-2009, 11:06 AM
I'm afraid I don't understand exactly what is being talked about. Sorry, I'm just an amateur HTML web designer and some technical stuff I just don't understand.

So, I have out.php scripts on my site and just did a test as best as I could understand what was being talked about.

When I go to this URL...

mysite.com/scripts/out.php?LinkID=57

...I get forwarded to the external site, as expected, as it should.
When I type this in my browser...

mysite.com/scripts/out.php?LinkID=57; INSERT USERS *

...the result is exactly the same, i.e. I just get forwarded to the same external site.

Am I missing something?

Chris
08-18-2009, 05:15 AM
How are they going to edit a file with an SQL query?

Anyways, I'll email you what I've got.