-----Original Message-----
From: John Madden [mailto:chiwawa999@yahoo.com]
Sent: Wednesday, January 18, 2006 3:14 PM
To: pen-test@securityfocus.com
Subject: PHP and MySQL
Hi,
I'm pentesting a web site and i get the following
error message while using a single quote: ex.
/confirm.php?conf='test123
Warning: mysql_fetch_row(): supplied argument is not a
valid MySQL result resource in /xx/xx/confirm.php on
line 5
I've looked up the error and attemped numerous
variations like '1==1; etc... but i always get the
same error.
As anyone been succesful in getting information this
way ? If so how?
And how do we fix this vulnerability ? Besides the PHP
code itself (sanitize user input), is it a PHP setting
(php.ini) ?
Thanks for your help
Based on the strings you used I don't think you'd be creating a valid
SQL query. Using '1==1 would result in a query like
SELECT stuff FROM table WHERE conf=''1==1
I don't believe MySQL allows == for comparison (standard SQL doesn't).
You should be using the urlecoded version of
' OR 1=1
Which would then provide you with
SELECT stuff FROM table WHERE conf='' OR 1=1
Additionally, it doesn't appear that the page is checking whether it has
gotten a result, i.e.,
$result = mysql_query( $sql, $conn );
# The result should be checked here but it isn't...
$row = mysql_fetch_row( $result );
...
Try using ' OR 1=1 and see if you still get an error. If so then you've
got a potential SQL injection.
There is no "vulnerability fix" in the php.ini which can be relied upon
to prevent SQL injection. Input validation is the answer. When I'm
working with MySQL and PHP I follow these rules:
1. I create a local (non-global) variable which holds the sanitized
version of the user's input:
# not a real PHP method, BTW, you have to make your own
$var = sanitize_data( $_POST['field'], $datatype )
or I use validation and error handling (if the data doesn't validate,
the code never executes a query):
if ( $_POST['field'] != sanitize_data( $_POST['field'], $datatype )
return FALSE; # or exit, or whatever
2. I use mysql_real_escape_string() on each variable being passed in a
query:
$sql = sprintf( "SELECT stuff FROM table WHERE this = '%s',
mysql_real_escape_string( $var )
);
3. I always attempt to handle every possible result of the query
including failure ( $result == FALSE ) and no rows returned by a SELECT
( mysql_num_rows( $result ) == 0 ). This denies error messages (which
should be turned off on a production system anyway using php.ini) to
attackers.
Derick Anderson
###########################################
This message has been scanned by F-Secure Anti-Virus for Microsoft Exchange.
For more information, connect to http://www.f-secure.com/
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
