SQL Injection Vulnerability

Posted on 2011-02-28
968 Views
Last Modified: 2012-05-11
I am using the shopping cart plaincart and it has been hacked multiple times using this:
?c=16&p=-3+UNION+SELECT+user_name,user_password,3,4,5+from+tbl_user--

I have read that the below variable needs to be escaped using mysql_real_escape_string, but I don't know how.

$pdId   = (isset($_GET['p']) && $_GET['p'] != '1') ? $_GET['p'] : 0;

Could someone please show me what to do?
Question by:turtleman2009
5 Comments
 
LVL 14

Expert Comment

by:R-Byter
ID: 35003068
Basically for your line it should be:

$pdId   = (isset($_GET['p']) && $_GET['p'] != '1') ? mysql_real_escape_string($_GET['p']) : 0;


But there needs to be an active database connection to be able to use mysql_real_escape_string.

I suggest you look for further info here:

http://php.net/manual/en/function.mysql-real-escape-string.php

And to use filters for specific values (with examples):

http://www.phpro.org/tutorials/Filtering-Data-with-PHP.html

Regards
 

Author Comment

by:turtleman2009
ID: 35003444
I'm not really familiar with this. I am connected to a database, but when I used your code the above string still revealed my username and password. I could not exactly follow the filter tutorial either. If I change my variable to this, does it fix the problem:

$pdId   = isset($_GET['p']);
 
LVL 14

Expert Comment

by:R-Byter
ID: 35004954
No, isset is not used for that. From the PHP official page:

Returns TRUE if var exists and has value other than NULL, FALSE otherwise.

If you expect to have only integer values in variable p, then proper use of filters would be:

if (isset($_GET['p']) && filter_var($_GET['p'], FILTER_VALIDATE_INT) !== false) {
    // do what you want to do if it's an integer value like 1, 2, 3, -1, -3
    // (filter_var returns the integer itself, so "0" must be checked against false, not treated as falsy)
}


Regards
 
LVL 5

Accepted Solution

by: onemadeye (earned 2000 total points)
ID: 35006293
I can see that you don't want $_GET['p'] = 1.
You can use this function:
function valid_pdId($get)
{
    // Keep the value only if it is set and is not '1'
    $x = isset($_GET[$get]) && $_GET[$get] != '1' ? $_GET[$get] : '';
    // Anything that is not purely digits is discarded
    if ( !ctype_digit($x) ) {
        $x = '';
    }
    return $x;
}

// And here's how to use this function
// $_GET['p'] replaced with valid_pdId('p')
$pdId = valid_pdId('p');

 
LVL 111

Expert Comment

by:Ray Paseur
ID: 35006440
You might want to adopt the mantra Accept Only Known Good Values when using external data.  And the GET string is always external data!  If you expect a positive integer, you can do something like this.  It is a little more elaborate than filter_var(), but it may be exactly what you want.  I think of filter_var() as being kind of minimal.
http://us3.php.net/manual/en/function.filter-var.php
http://us3.php.net/manual/en/function.preg-replace.php

Try running this script:
http://www.laprbass.com/RAY_GET_numeric_id.php?id=3
http://www.laprbass.com/RAY_GET_numeric_id.php?id=3a

In the code snippet you will see how the filter and validation are packaged in a function that can be called with a single line of code.

HTH, ~Ray
<?php // RAY_GET_numeric_id.php
error_reporting(E_ALL);
echo "<pre>";

// READ THE EXTERNAL INPUT WITHOUT AN "UNDEFINED INDEX" NOTICE
$raw = isset($_GET["id"]) ? $_GET["id"] : NULL;

// SHOW HOW TO TEST AND CHECK AN EXTERNAL INPUT
if ($id = clean_integer_string($raw))
{
    echo PHP_EOL . "IT IS OK TO USE $id";
}
else
{
    echo PHP_EOL . "MISSING OR INVALID: $raw";
}

echo PHP_EOL . "PLEASE PROVIDE AN ARGUMENT IN THE URL STRING";
echo PHP_EOL . "MAKE IT 'id=' AN INTEGER BETWEEN 1 AND 1000";


// A FUNCTION TO RETURN A VALID ID OR FALSE
function clean_integer_string($id)
{
    // SET A DEFAULT RETURN VALUE
    $x = FALSE;

    // IF THE ID ARGUMENT IS SET
    if (isset($id))
    {
        // DISCARD ALL BUT THE NUMERIC CHARACTERS
        $x = preg_replace('#[^0-9]#', '', $id);

        // IF THE ID IS NOT STILL THE SAME, IT IS NOT SAFE
        if ($x !== $id) $x = FALSE;

        // IF THE ID IS NOT A POSITIVE INTEGER IN RANGE, IT IS NOT SAFE
        // (OR, NOT AND: NO VALUE IS BOTH BELOW 1 AND ABOVE 1000)
        if ( ($x < 1) || ($x > 1000) ) $x = FALSE;
    }

    // RETURN THE PURIFIED VALUE
    return $x;
}

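An added example, not code from plaincart or from any of the answers above: it shows why escaping leaves the unquoted payload from the question untouched (the reason the first fix "did not work"), and a product lookup hardened the way the accepted answer and Ray's comment recommend, integer validation first, then a prepared statement with the value bound as an integer. The table and column names (tbl_product, pd_id, pd_name, pd_price) and the in-memory SQLite stand-in for the shop's MySQL database are assumptions.

```php
<?php
// Added example (not plaincart's code). Assumes the constructed table
// tbl_product(pd_id, pd_name, pd_price) and an in-memory SQLite database.

// The payload from the question, exactly as it arrives in $_GET['p'].
$payload = "-3 UNION SELECT user_name,user_password,3,4,5 from tbl_user--";

// Vulnerable style: $p is interpolated unquoted, so the SQL is rewritten.
function vulnerable_sql(string $p): string
{
    return "SELECT * FROM tbl_product WHERE pd_id = $p";
}

// Escaping only touches quotes, backslashes and control characters. The
// payload contains none, so mysql_real_escape_string()/addslashes()
// return it unchanged and the UNION still reaches the database.
function escaping_changes_payload(string $p): bool
{
    return addslashes($p) !== $p;
}

// Hardened: accept only a positive integer (returns false otherwise).
function valid_pd_id($raw)
{
    return filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
}

// Validate first, then bind as an integer; no SQL is built from raw input.
function find_product(PDO $pdo, $raw): ?array
{
    $id = valid_pd_id($raw);
    if ($id === false) {
        return null;               // rejected before any query runs
    }
    $stmt = $pdo->prepare('SELECT pd_id, pd_name, pd_price FROM tbl_product WHERE pd_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory SQLite database standing in for the shop's MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl_product (pd_id INTEGER PRIMARY KEY, pd_name TEXT, pd_price REAL)');
$pdo->exec("INSERT INTO tbl_product VALUES (16, 'Widget', 9.99)");

echo "Vulnerable SQL: " . vulnerable_sql($payload) . PHP_EOL;
echo "Escaping changed the payload? " . var_export(escaping_changes_payload($payload), true) . PHP_EOL;
var_dump(find_product($pdo, $payload));   // NULL: rejected by the validator
var_dump(find_product($pdo, '16'));       // the product row
```

Validation and the prepared statement are independent layers: even if a value slipped past the validator, a bound integer parameter can never be spliced into the query text.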
