
I took over maintenance of a PHP app recently and I'm not super familiar with PHP but some of the things I've been seeing on the site are making me nervous that it could be vulnerable to a SQL injection attack.

For example, see how this code for logging into the administrative section works:

    // The e-mail from the request is interpolated straight into the SQL string;
    // only the password goes through md5() first, so it cannot carry a quote.
    $password = md5(HASH_SALT . $_POST['loginPass']);
    $query = "SELECT * FROM `administrators` WHERE `active`='1' AND `email`='{$_POST['loginEmail']}' AND `password`='{$password}'";
    $userInfo = db_fetch_array(db_query($query));

    if($userInfo['id']) {
        $_SESSION['adminLoggedIn']  = true;
        // user is logged in, other junk happens here, not important
    }
The creators of the site made a special db_query method and db_fetch_array method, shown here:

    // mysql() is an alias of mysql_db_query(); the @ hides any MySQL error,
    // including the syntax error a failed injection attempt would raise.
    function db_query($qstring,$print=0)        { return @mysql(DB_NAME,$qstring); }
    function db_fetch_array($qhandle)       { return @mysql_fetch_array($qhandle); }

Now, this makes me think I should be able to do some sort of SQL injection attack with an email address like:

    ' OR 'x'='x' LIMIT 1;

and some random password. When I use that on the command line, I get an administrative user back, but when I try it in the application, I get an invalid username/password error, like I should.

Could there be some sort of global PHP configuration they have enabled to block these attacks? Where would that be configured?

Here is the PHP --version information:

# php --version
PHP 5.2.12 (cli) (built: Feb 28 2010 15:59:21) 
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
    with the ionCube PHP Loader v3.3.14, Copyright (c) 2002-2010, by ionCube Ltd., and
    with Zend Optimizer v3.3.9, Copyright (c) 1998-2009, by Zend Technologies
  • oh my what a question. never thought I'd hate to answer :) Commented Apr 26, 2010 at 17:19
  • have you tried the injection? Commented Apr 26, 2010 at 17:22
  • If you ever end up turning off magic_quotes_gpc and doing proper escaping instead, look very closely at any user input used in conjunction with the filesystem. Magic quotes wasn't designed to protect you here, but it's a side effect that many amateur scripts unknowingly depend on. Unescaped null bytes are real bad with PHP's filesystem functions... Commented Apr 26, 2010 at 19:38
  • Ben -- yes, I have tried the injection and I'm not able to get it working. Maybe I just suck at injection, but it looks like it should work. chris -- I grepped the entire codebase for magic_quotes and didn't see anything. This is hosted on a managed server (yep... I'm moving it to EC2 soon), so maybe it's an environment-wide config. Is there a way to check? The link the hosting company gave me to view my PHP configurations is broken. Commented Apr 28, 2010 at 12:50
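To see concretely why the payload works against the database directly but not through the app, here is an added example (not code from the question or the site) that rebuilds the query string the login code above produces, once from the raw POST value and once from the value as magic_quotes_gpc would hand it to the script. magic_quotes_gpc applies the same transformation as addslashes() to every GET/POST/COOKIE value. HASH_SALT is an assumed placeholder; the real salt is not on the page and does not affect the injection.

```php
<?php
// Added example, not from the original post. HASH_SALT is assumed.
define('HASH_SALT', 'assumed-salt');

// Same string construction as the question's login code, with the two
// inputs passed explicitly instead of read from $_POST.
function build_login_query($email, $pass)
{
    $password = md5(HASH_SALT . $pass);
    return "SELECT * FROM `administrators` WHERE `active`='1' "
         . "AND `email`='{$email}' AND `password`='{$password}'";
}

// What magic_quotes_gpc does to request data before the script sees it:
// ' " \ and NUL get a backslash in front of them, exactly like addslashes().
function as_magic_quotes_would_deliver($value)
{
    return addslashes($value);
}

// True when escaping left at least one quote neutralised, i.e. the value
// can no longer close the surrounding SQL string literal.
function quotes_are_neutralised($value)
{
    return as_magic_quotes_would_deliver($value) !== $value;
}

// Constructed attacker input: the payload from the question plus any password.
$payload = "' OR 'x'='x' LIMIT 1;";
$pass    = 'random';

echo "magic quotes off (what the CLI test sends):\n";
echo build_login_query($payload, $pass), "\n\n";

echo "magic quotes on (what the web app sends):\n";
echo build_login_query(as_magic_quotes_would_deliver($payload), $pass), "\n\n";

echo 'payload neutralised by magic quotes: ',
     quotes_are_neutralised($payload) ? 'yes' : 'no', "\n";
```

In the first query the leading `'` of the payload closes the `email` literal and `OR 'x'='x'` becomes part of the WHERE clause (note that the text after the `;` is left over as a dangling fragment). In the second the quotes arrive as `\'`, so MySQL reads the whole payload as the e-mail address being searched for, which matches nothing and the app correctly reports invalid credentials. The escaping is done by the PHP runtime before the script runs, which is why grepping the codebase for magic_quotes finds nothing.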

4 Answers


My guess is that your attempts via the application are being thwarted by magic quotes.

Relying on such, however, is extremely bad practice, and that app really should have far more of its own verification and escaping.


3 Comments

  • I grepped the entire codebase for magic_quotes and didn't see anything. This is hosted on a managed server (yep... I'm moving it to EC2 soon), so maybe it's an environment-wide config. Is there a way to check? The link the hosting company gave me to view my PHP configurations is broken.
  • I tried printing <?php get_magic_quotes_gpc(); ?> on a page and it printed nothing, so I think it might be disabled.
  • @ash get_magic_quotes_gpc() doesn't output anything. Add an echo in front of the function call.

All you can do in this situation is have good validation of data, and for every non-secure character such as ' you must add a backslash before it, like this: \', and block /* (this is a MySQL comment used in SQL injection to comment out the SQL statements that follow the injection).



If you echo out $_POST['loginEmail'] on your server and try the attack you will most likely see that magic_quotes is turned on.

If it is turned on it will look something like \' OR \'x\' = \'x

You should use the PDO class (http://www.php.net/manual/en/pdo.prepare.php) on all your SQL queries.

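As an added example of what that answer recommends (this is not the site's code), here is the same admin login rewritten with PDO prepared statements. The DSN, credentials, DB_NAME and HASH_SALT are assumed placeholders; the table and column names and the md5(HASH_SALT . password) scheme are kept from the question so the existing `administrators` rows keep working. Moving to a slow password hash is a separate change (password_hash() needs PHP 5.5 or later, and the question's server runs 5.2).

```php
<?php
// Added example, not the application's code. DB_NAME, HASH_SALT and the
// connection credentials are assumed placeholders.
define('DB_NAME',   'assumed_db');
define('HASH_SALT', 'assumed-salt');

function db_connect()
{
    $pdo = new PDO('mysql:host=localhost;dbname=' . DB_NAME, 'assumed_user', 'assumed_password');
    // Throw on errors instead of hiding them the way the @ in db_query() does.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use real server-side prepared statements: the SQL text and the parameter
    // values travel to MySQL separately, so no value can alter the statement.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Returns the matching administrator row, or null when the credentials are
// wrong. User input is only ever bound as a parameter, never concatenated.
function admin_login(PDO $pdo, $email, $pass)
{
    $sql = 'SELECT * FROM `administrators` '
         . 'WHERE `active` = \'1\' AND `email` = :email AND `password` = :password';
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array(
        ':email'    => $email,
        ':password' => md5(HASH_SALT . $pass),   // same hash as the existing rows
    ));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row : null;
}

// Usage, assuming session_start() has already been called as in the original.
// The payload from the question is now just an e-mail address that matches
// no row, whether or not magic quotes are on.
$pdo      = db_connect();
$userInfo = admin_login($pdo, $_POST['loginEmail'], $_POST['loginPass']);
if ($userInfo !== null) {
    $_SESSION['adminLoggedIn'] = true;
}
```

One caveat when retrofitting this into a magic-quotes environment: the bound `:email` value is whatever the script received, so if magic_quotes_gpc is still on, `$_POST['loginEmail']` will carry the extra backslashes and a legitimate address containing an apostrophe would fail to match. Turn magic quotes off (or stripslashes() the request data) at the same time as you switch to prepared statements.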


You mentioned in a comment that you tried to determine if magic quotes were enabled with:

    <?php get_magic_quotes_gpc(); ?>

You probably meant to do this instead:

    <?php echo get_magic_quotes_gpc(); ?>

The most likely situation does seem to be, as others have said, that magic quotes are turned on.

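Building on that answer, here is an added example (not from the original answers) that reports the magic-quotes settings for the request it runs in and, only when they are on, strips the added backslashes so the rest of the code sees the raw value and has to escape it itself. Run it through the web server, not `php` on the command line: the CLI binary whose `--version` is shown above can read a different php.ini than mod_php or the CGI/FastCGI SAPI, which is why the CLI behaviour and the application behaviour differ. get_magic_quotes_gpc() exists on PHP 5.2; magic quotes were removed in PHP 5.4 and the function itself in PHP 8.0, so the call is guarded.

```php
<?php
// Added example, not the site's code. Shows the relevant ini settings for the
// running SAPI and normalises request data when magic quotes are in effect.

function magic_quotes_status()
{
    return array(
        // What the runtime actually applied to this request's GET/POST/COOKIE.
        'gpc_function' => function_exists('get_magic_quotes_gpc')
                          ? (bool) get_magic_quotes_gpc() : false,
        // The ini values behind it, for comparison with phpinfo() output.
        'gpc_ini'      => (bool) ini_get('magic_quotes_gpc'),
        'runtime_ini'  => (bool) ini_get('magic_quotes_runtime'),
        // Sybase mode doubles quotes ('') instead of backslashing them, so
        // stripslashes() would be the wrong reversal in that case.
        'sybase_ini'   => (bool) ini_get('magic_quotes_sybase'),
    );
}

// Reverse addslashes() on a (possibly nested) request array.
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Returns true if request data was normalised, false if left untouched.
function normalise_request_data(array $status)
{
    if (!$status['gpc_function'] || $status['sybase_ini']) {
        return false;
    }
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
    return true;
}

$status = magic_quotes_status();
foreach ($status as $name => $on) {
    echo $name, ': ', $on ? 'on' : 'off', "\n";
}
echo 'request data normalised: ', normalise_request_data($status) ? 'yes' : 'no', "\n";
```

Once the slashes are gone, nothing protects the query in the question any more, so this only makes sense together with a fix of the SQL itself (prepared statements, or at minimum mysql_real_escape_string() on every interpolated value). As the comment on the question warns, also review any user input that reaches filesystem functions: with magic quotes off, a raw NUL byte in a filename is no longer escaped on the way in.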
