Solved

Sql Injection issue

Posted on 2014-03-28
Last Modified: 2014-04-09
Question: I was asked to do a security audit on a few of our websites, and one pops up on the scan with a possible SQL injection. When I plug in the code below I get the following error "shown below". I can say that I am kind of new to SQL injections... could somebody explain what I may be missing here?

URL that gives me the error below:
http://www.website.com/ingenii.cgi?cart_id=6L8ZuK.a7221&maxp=20&ppinc=searchresults&search=%5c

Sql error  
Couldn't exec sth!
QUERY: INSERT INTO search_terms (search_term) values ('\')
ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''\')' at line 1
0
Question by:amstoots
14 Comments
 
LVL 53

Expert Comment

by:Scott Fell, EE MVE
ID: 39962634
An SQL injection refers to the ability to insert anything into your database, including code that can be harmful by updating your db with malicious code or even dropping tables.

You should never accept data directly from a URL, post, cookie etc. without first scrubbing the data.
0
 

Author Comment

by:amstoots
ID: 39962644
OK... so based on the error message I got, what am I not seeing in it? Not sure how the SQL injection would work in this example...
0
 
LVL 53

Expert Comment

by:Scott Fell, EE MVE
ID: 39962678
That error looks like it is coming from your cgi script. Your URL includes "search=%5c", and %5c is a URL-encoded slash. Seeing that along with the error, "syntax to use near ''\'", means you are accepting input without scrubbing it first and are thus open to an SQL injection. Unless the cgi script is what caught the slash, or is that your scanning software?
0
 
LVL 5

Expert Comment

by:Pasha Kravtsov
ID: 39962706
That is vulnerable to SQL injection and I recommend you make sure to fix it with proper sanitization. Don't forget to also make sure the permissions of your SQL user are not root; otherwise attackers don't even have to use admin login etc. to put a shell on your website. Easily doable with load_file() with root permissions.
0
 

Author Comment

by:amstoots
ID: 39962714
So if I plug in an SQL statement behind "search=%5c", it's going to execute the SQL injection w/o scrubbing it first? Could you give me an example so I can have a better understanding.
0
 
LVL 5

Expert Comment

by:Pasha Kravtsov
ID: 39962724
So do this: "search=+ORDER+BY+100--" and see if it gives you an error. If it does, do this:
"search=test+ORDER+BY+1--" and tell me if that gives you an error.
If you would like you can contact me by posting your email on my profile and I can contact you directly to help.
0
 
LVL 53

Expert Comment

by:Scott Fell, EE MVE
ID: 39962733
0
 
LVL 5

Expert Comment

by:Pasha Kravtsov
ID: 39962740
OK, whatever you do, don't use the ColdFusion server if you're going to use the markup language. Every version of ColdFusion has public 0day exploits and is extremely easy to hack into.
0
 
LVL 53

Expert Comment

by:Scott Fell, EE MVE
ID: 39962750
My bad.... I thought that was the php article.
0
 

Author Comment

by:amstoots
ID: 39962760
I used the string and it didn't give me an error.
0
 
LVL 5

Expert Comment

by:Pasha Kravtsov
ID: 39962773
It's a little difficult to help you SQLi this over comments; just google how to, or use this guide: https://www.owasp.org/index.php/SQL_Injection
0
 
LVL 53

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell,  EE MVE earned 1000 total points
ID: 39962782
I use MS SQL Server with stored procedures and parameterized statements in addition to scrubbing data. When you use a parameterized statement, you are specifying the data type and length. If you have a character field and you know you only need 10 characters, the parameter specifies that and anything over will error. If you are expecting a date, and something comes in not as a date, it will throw an error (that you need to catch). Same for numbers. This gives you several layers of protection. I am not as familiar with how it works in PHP/MySQL http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php and perhaps Pasha can expand.

This article goes into PDO and mysqli, which is where this comes into play:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_686-PHP-Prevent-SQL-Injection.html

And some good tips from Ray: http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_12293-AntiPHPatterns-and-AntiPHPractices.html
0
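An added illustration of the parameterized statements Scott describes above (example code, not from the thread): the question's CGI script pastes the `search` value into the INSERT text, and the fix is to pass it as a bound parameter. This uses Python's sqlite3 with a constructed in-memory search_terms table in place of the Perl/MySQL script; sqlite3 does not treat backslash as an escape character the way MySQL does, so a lone quote is used here to reproduce the same broken-statement failure the question shows for `\`.

```python
import sqlite3


def open_db():
    # Constructed in-memory stand-in for the MySQL search_terms table
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE search_terms (search_term TEXT)")
    return conn


def log_search_unsafe(conn, term):
    # Vulnerable pattern: the raw query-string value is pasted into the SQL
    # text, so any character with SQL meaning (a quote here, a backslash in
    # MySQL) changes the statement instead of being stored as data.
    sql = "INSERT INTO search_terms (search_term) values ('" + term + "')"
    conn.execute(sql)


def log_search_safe(conn, term):
    # Parameterized statement: the driver sends the value separately from
    # the SQL text, so it is always stored literally and never parsed as SQL.
    conn.execute("INSERT INTO search_terms (search_term) values (?)", (term,))


def stored_terms(conn):
    return [row[0] for row in conn.execute(
        "SELECT search_term FROM search_terms ORDER BY rowid")]


def run(log_fn, term):
    """Log one search term; return ('ok', rows) or ('error', message)."""
    conn = open_db()
    try:
        log_fn(conn, term)
        return ("ok", stored_terms(conn))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    for term in ["shoes", "'", "\\", "' OR 1=1 --"]:
        print(repr(term), "unsafe:", run(log_search_unsafe, term))
        print(repr(term), "safe:  ", run(log_search_safe, term))
```

The unsafe version fails with a syntax error as soon as the input carries a quote, which is the same symptom the scanner triggered; the parameterized version stores every input literally.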
 
LVL 5

Accepted Solution

by:Pasha Kravtsov
Pasha Kravtsov earned 1000 total points
ID: 39962796
I'm not too familiar with CGI at all. I would just see if you can set up some input sanitization and hide your errors etc. http://www.elated.com/articles/form-validation-with-perl-and-cgi/
I'm not sure what you're running and what's going on in your server, so you're going to have to figure that out for yourself unless you are able to give some more information about what you're running.
0
 

Author Closing Comment

by:amstoots
ID: 39989897
Thanks for the help...
0
