SQL Injection can occur here with Yii execute()? - yii

I've seen the following code:
$id = $_GET["user"];
$auth = $_GET["id"];
$sql = 'DELETE FROM categories where user_id = '.$id.' and category_id = '.$auth;
Yii::app()->db->createCommand($sql)->execute();
I've been told that this code isn't OK, because it could allow SQL injection.
Is it because the $_GET values are not being properly filtered?
Wouldn't Yii::app()->db->createCommand($sql)->execute(); avoid that?
Or, by the time we arrive there, should we already have checked the data that is placed in the WHERE clause?

The first rule of data security for a Web application is to never "trust" GET/POST parameters.
Your code is not attempting to "sanitize" the two GET parameters with which you are building an SQL statement. This means someone can manipulate the URL to "inject" a second (or more) SQL statement into what you are executing. The best way to avoid SQL injection attacks is to use queries that "bind" their parameters, thus ensuring you can only be running a single query. The Yii documentation on how to use bound parameters is available at the following URL (item #5):
http://www.yiiframework.com/doc/guide/1.1/en/database.dao
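The same DELETE rewritten with Yii 1.1 bound parameters, as an added example (not code from the question, the answer or the Yii docs); it assumes a bootstrapped Yii 1.1 application with the categories table from the question, and the requireIntParam() helper is mine.

```php
<?php
// Added example: the DELETE from the question, with the ids bound instead of
// concatenated. Assumes Yii 1.1 is bootstrapped (Yii::app()->db available).

// Validate shape first: both ids must be plain non-negative integers.
// Binding alone already stops injection; rejecting junk early just turns a
// database error into a clean 400 response. (Helper name is my own.)
function requireIntParam(array $params, $name)
{
    if (!isset($params[$name]) || !ctype_digit((string) $params[$name])) {
        throw new CHttpException(400, "Parameter '$name' must be an integer");
    }
    return (int) $params[$name];
}

$userId     = requireIntParam($_GET, 'user');
$categoryId = requireIntParam($_GET, 'id');

// Named placeholders: the values travel separately from the SQL text, so an
// input such as "1 OR 1=1" can never change the structure of the statement.
$sql = 'DELETE FROM categories WHERE user_id = :user_id AND category_id = :category_id';
$rows = Yii::app()->db->createCommand($sql)
    ->bindValue(':user_id', $userId, PDO::PARAM_INT)
    ->bindValue(':category_id', $categoryId, PDO::PARAM_INT)
    ->execute(); // returns the number of rows deleted

// The same statement through the Yii 1.1 query builder (Yii >= 1.1.6);
// the params array is bound the same way.
$rows = Yii::app()->db->createCommand()->delete(
    'categories',
    'user_id = :user_id AND category_id = :category_id',
    array(':user_id' => $userId, ':category_id' => $categoryId)
);
```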

Related

For Symfony2, when I look at some code, I see things like "something = :something".

What does "= :" mean in SQL or DQL?
Thanks!
That is a reference to parameter binding in DQL.
http://docs.doctrine-project.org/projects/doctrine-orm/en/latest/reference/query-builder.html#binding-parameters-to-your-query
Note that numeric placeholders start with a ? followed by a number while the named placeholders start with a : followed by a string.
You must then set your parameter with the ->setParameter() method:
$qb = $entityManager->createQueryBuilder(); // $entityManager: your Doctrine EntityManager
$qb->select('u')
->from('User', 'u')
->where('u.id = :identifier')
->orderBy('u.name', 'ASC')
->setParameter('identifier', 100); // Sets :identifier to 100, and thus we will fetch a user with u.id = 100
$users = $qb->getQuery()->getResult();
This is good practice when using Doctrine because it is much more secure and prevents SQL injection.

Volusion's generic SQL folder, functionality

I found this response very helpful: How to write join query in Volusion API
What I'm looking for is a way to add my own .SQL and .XSD files to the /vspfiles/schema/Generic folder and be able to pass parameters to it. Does anyone know if that's possible?
A very basic example of the SQL would be something like this...
select * from Orders where order_id = "-ORDERID-"
...and I'd be able to pass in the "-ORDERID-" as a variable.
Or even better the SQL file would just be this "-SQL-" and I could pass in the entire SQL string myself. Thanks!
Thanks user357034 for getting me here (I'd "up" your answer but I'm new and don't have any reputation). I wanted to post the code I used in case others run into this. And also get any feedback if you see anything that looks goofy here.
First, I created an ASP file like so:
Dim orderid
Dim status
Dim sql
orderid = Request.QueryString("orderid")
status = Request.QueryString("status")
' the query-string values are concatenated straight into the SQL text, without validation
sql = " update Orders " & _
" set OrderStatus = '" & status & "' " & _
" where Orderid in (" & orderid & ") "
set fs=Server.CreateObject("Scripting.FileSystemObject")
set f=fs.OpenTextFile(Server.MapPath("./MY_FILE.sql"),2,true)
f.WriteLine(sql)
f.Close
set f=Nothing
set fs=Nothing
I FTPed that up to the "generic" folder on Volusion.
Next, in PHP, I call this file, similar to this...
$asp = file("http://MY_SITE/v/vspfiles/schema/generic/MY_FILE.asp?orderid=11,12&status=Processing");
foreach ( $asp as $line )
{
echo ($line);
}
NOTE: I already FTPed an XSD file to the same folder with the same name, like MY_FILE.xsd.
And finally, I make a web service call to my service, like this...
$url = "http://MY_SITE/net/WebService.aspx?Login=XXXX&EncryptedPassword=YYYYY&API_Name=Generic\MY_FILE";
Works great. I go into the Volusion admin site, look at the Orders 11 and 12, and they were updated. I'm using this method for several areas in Volusion where their API is lacking. Thanks!
While technically one could pass in text comprising a complete SQL query, I would strongly caution against such a practice, as it would open up your site to malicious activity and/or possible security issues. I would limit the scope to a specific query and only allow one or more parameters to be used.
To accomplish this you have to create a custom ASP page in Volusion that would gather the parameters from the user, in your case "order id", and then insert them into the set SQL query, write that SQL query as a text file to the server in the correct location as shown in https://stackoverflow.com/a/29134928/357034, and then execute the query. All this is done in the custom ASP page.
UPDATE: If you just want a simple order id query with all fields returned, you don't even have to use the SQL method, as Volusion already has a built-in method to return this data. You just have to use a custom ASP page to insert the order id parameter and then execute the URL with the parameter attached. In your ASP page you would insert the order id in place of the xxxxx:
http://www.yoursiteurl.com/net/WebService.aspx?Login=name#yoursiteurl.com&EncryptedPassword=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxC&EDI_Name=Generic\Orders&SELECT_Columns=*&WHERE_Column=o.OrderID&WHERE_Value=xxxxx

How to set an SQL parameters in Apps Scripts and BigQuery

I am trying to avoid SQL injection. This topic has been dealt with in Java (How to prevent query injection on Google Big Query) and PHP.
How is this accomplished in App Scripts? I did not find how to add a parameter to a SQL statement. Here is what I had hoped to do:
var sql = 'SELECT [row],etext,ftext FROM [hcd.hdctext] WHERE (REGEXP_MATCH(etext, esearch = ?) AND REGEXP_MATCH(ftext, fsearch = ?));';
var queryResults;
var resource = {
query: sql,
timeoutMs: 1000,
esearch: 'r"[^a-zA-z]comfortable"',
fsearch: 'r"[a-z,A-z]confortable"'
};
queryResults = BigQuery.Jobs.query(resource, projectNumber);
And then have esearch and fsearch filled in with the values (which could be set elsewhere).
That does not work, according to the docs.
Any suggestions on how to get a parameter in an SQL query? (I could not find a setString function...)
Thanks!
Unfortunately, BigQuery doesn't support this type of parameter substitution. It is on our list of features to consider, and I'll bump the priority since it seems like this is a common request.
The only suggestion that I can make in the meantime is that if you are building query strings by hand, you will need to make sure you escape them carefully (which is a non-trivial operation).

post parameter not injectable

I want to understand why it's not possible to inject SQL statements in the form's POST parameters. I tried it with sqlmap and manually, without success.
There is a defined function:
// $sQuery: MySQL query, $hSocket: MySQL connection handle (from mysql_connect)
function mysql_get_result($sQuery, $hSocket)
{
$sResource = mysql_query($sQuery, $hSocket);
list($sValue) = mysql_fetch_row($sResource);
return $sValue;
}
and here is the actual query for the POST parameter:
(mysql_get_result("SELECT place FROM towns WHERE place = '".$sR_place."' AND num = '".$iR_num."'", $hMySQLSocket) == $sR_place and $sR_place != '')
No input sanitization at all. So why isn't it working? Does SQL injection only work when it's the mysql_query function without more steps to do?
Your code should be vulnerable to SQL injection, since you're not sanitizing with mysql_real_escape_string, or parameterizing the query.
You should try revising your POST parameters, because the issue is most likely that your attack isn't properly formatted. Try a variety of attacks.

SQL Injection: is this secure?

I have this site with the following parameters:
http://www.example.com.com/pagination.php?page=4&order=comment_time&sc=desc
I use the values of each of the parameters as a value in a SQL query.
I am trying to test my application and ultimately hack my own application for learning purposes.
I'm trying to inject this statement:
http://www.example.com.com/pagination.php?page=4&order=comment_time&sc=desc' or 1=1 --
But it fails, and MySQL says this:
Warning: mysql_fetch_assoc() expects parameter 1 to be resource,
boolean given in /home/dir/public_html/pagination.php on line 132
Is my application completely free from SQL injection, or is it still possible?
EDIT: Is it possible for me to find a valid sql injection statement to input into one of the parameters of the URL?
An application secured from SQL injection never produces invalid queries.
So obviously you still have some issues.
A well-written application produces valid and expected output for any input.
That's completely vulnerable, and the fact that you can cause a syntax error proves it.
There is no function to escape column names or order by directions. Those functions do not exist because it is bad style to expose the DB logic directly in the URL, because it makes the URLs dependent on changes to your database logic.
I'd suggest something like an array mapping the "order" parameter values to column names:
$order_cols = array(
'time' => 'comment_time',
'popular' => 'comment_score',
// ... and so on ...
);
if (!isset($order_cols[$_GET['order']])) {
$_GET['order'] = 'time';
}
$order = $order_cols[$_GET['order']];
Restrict "sc" manually:
if ($_GET['sc'] == 'asc' || $_GET['sc'] == 'desc') {
$order .= ' ' . $_GET['sc'];
} else {
$order .= ' desc';
}
Then you're guaranteed safe to append that to the query, and the URL is not tied to the DB implementation.
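The allowlist approach above carried through to a complete paginated query, as an added example that is not part of the thread; it uses PDO with an in-memory SQLite table, and the comments(id, comment_time, comment_score) schema, the buildCommentsQuery() name and the page size of 10 are assumptions.

```php
<?php
// Added example, not code from the thread: allowlist the ORDER BY parts and
// bind the numeric ones. Assumes a comments(id, comment_time, comment_score)
// table (constructed below) and a page size of 10.

function buildCommentsQuery(PDO $db, array $get)
{
    // Public parameter values map to real column names; anything else
    // (including "comment_time; select ...") falls back to the default.
    $orderCols = array(
        'comment_time'  => 'comment_time',
        'comment_score' => 'comment_score',
    );
    $orderBy = (isset($get['order']) && is_string($get['order']) && isset($orderCols[$get['order']]))
        ? $orderCols[$get['order']] : 'comment_time';

    // Direction is a two-value choice: compare the input, never interpolate it.
    $dir = (isset($get['sc']) && is_string($get['sc']) && strtolower($get['sc']) === 'asc') ? 'ASC' : 'DESC';

    // page is numeric, so it travels as a bound parameter, not as SQL text.
    $page = (isset($get['page']) && is_string($get['page']) && ctype_digit($get['page']) && (int) $get['page'] > 0)
        ? (int) $get['page'] : 1;
    $perPage = 10;

    // Only allowlisted, server-chosen strings reach the query text.
    $stmt = $db->prepare("SELECT id FROM comments ORDER BY $orderBy $dir LIMIT :limit OFFSET :offset");
    $stmt->bindValue(':limit', $perPage, PDO::PARAM_INT);
    $stmt->bindValue(':offset', ($page - 1) * $perPage, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data so the function runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, comment_time INTEGER, comment_score INTEGER)');
$db->exec('INSERT INTO comments VALUES (1, 100, 5), (2, 300, 1), (3, 200, 9)');

// The payload from the question: the single quote never reaches SQLite,
// because "desc' or 1=1 --" is not "asc", so the direction becomes the default DESC.
$ids = buildCommentsQuery($db, array('page' => '1', 'order' => 'comment_time', 'sc' => "desc' or 1=1 --"));
echo implode(',', $ids), "\n";
```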
I'm not 100% certain, but I'd say it still seems vulnerable to me -- the fact that it's accepting the single-quote (') as a delimiter and then generating an error off the subsequent injected code says to me that it's passing things it shouldn't on to MySQL.
Any data that could possibly be taken from somewhere other than your application itself should go through mysql_real_escape_string() first. This way the whole ' or 1=1 part gets passed as a value to MySQL... unless you're passing "sc" straight through for the sort order, such as
$sql = "SELECT * FROM foo WHERE page='{$_REQUEST['page']}' ORDER BY data {$_REQUEST['sc']}";
... which you also shouldn't be doing. Try something along these lines:
$page = mysql_real_escape_string($_REQUEST['page']);
if ($_REQUEST['sc'] == "desc")
$sortorder = "DESC";
else
$sortorder = "ASC";
$sql = "SELECT * FROM foo WHERE page='{$page}' ORDER BY data {$sortorder}";
I still couldn't say it's TOTALLY injection-proof, but it's definitely more robust.
I am assuming that your generated query does something like:
select <some number of fields>
from <some table>
where sc=desc
order by comment_time
Now, if I were to attack the ORDER BY clause instead of the WHERE, I might be able to get some results... Imagine I added the following:
comment_time; select top 5 * from sysobjects
The query being returned to your front end would be the top 5 rows from sysobjects, rather than the query you tried to generate (depending a lot on the front end)...
It really depends on how PHP validates those arguments. If MySQL is giving you a warning, it means that a hacker has already passed through your first line of defence, which is your PHP script.
Use if(!preg_match('/^regex_pattern$/', $your_input)) to filter all your inputs before passing them to MySQL.