
I'm working on identifying and fixing SQL injection holes. I've made the conversion to pdo/prepared statements in a number of places.

However, we have one page that looks like this:

www.site.com/domain/products/12345/description-of-the-product

In htaccess, this is rewritten to:

www.site.com/domain/product.php?id=12345

The htaccess looks like this:

RewriteRule ^(.*)/products/([0-9]+)/([^/\.]+)/?$ /$1/product.php?id=$2 [L]

So, here's my question: Since the URL is being rewritten with mod_rewrite, which is only matching against integers, is this some protection against SQL injections? If you try anything else in the URL besides an integer, the user just gets a 404 error since the page doesn't exist and the mod_rewrite didn't get activated?

Thanks in advance.

Kevin
  • Are you sure you're talking about SQL injection and not XSS injections? Unless you have register globals active (which is from another millennium, I'm afraid) there's no direct relationship between the URI and the SQL engine. Are you parsing the id directly in the PHP? – Sebas May 29 '13 at 20:28
  • If I type in the address bar www.site.com/domain/product.php?id=12345'; DROP TABLE members; -- ? – claustrofob May 29 '13 at 20:31
  • @claustrofob it won't fire a rewrite rule? – Your Common Sense May 29 '13 at 20:56
  • @Your Common Sense I don't see a rule for this – claustrofob May 29 '13 at 20:58
  • People can still use the old url (product.php). Just use `$id = intval($_GET['id']);` or something. – Gerben May 31 '13 at 13:30

4 Answers


No. Well actually, maybe, but the only functionality you should rely on to prevent injection should be properly escaped code, and if we're talking about SQL Injection that would be done through prepared statements. Even that may not be enough as the injection of the % character can cause problems.

You can use anything you want for validation, and the rewriting of the URL may be very nice, but this does not by any means allow you to leave out the step of escaping query parameters (hopefully through properly parameterized prepared statements).

Explosion Pills

No it does not because a malicious user could simply go to the URL

www.site.com/domain/product.php?id=123'; DROP TABLE products;

and bypass your mod_rewrite entirely. Although only integers will be rewritten, the URL that they are being rewritten to use is still live and accessible. Any time you are making an SQL query you should sanitize every input going into your query at that point using PDO etc.

Bad Wolf
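As an added example (not code from the question or from any of the answers), here is what the product.php the rewrite points to should do, given that it is reachable directly as well as through the pretty URL. The PDO connection details and the products table with columns id, name and description are assumptions.

```php
<?php
declare(strict_types=1);

// --- Unsafe: the RewriteRule only constrains the pretty URL, not this script.
// A direct request to /domain/product.php?id=<anything> never passes through
// the rule, so here $_GET['id'] is untrusted text, not an integer.
function loadProductUnsafe(PDO $pdo, array $get): ?array
{
    $sql = "SELECT id, name, description FROM products WHERE id = " . $get['id'];
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Hardened: validate the id as an integer, then bind it as a parameter.
// Validation gives the same 404 outcome the rewrite gives for non-integers;
// the prepared statement guarantees query text and data are never confused,
// whichever URL form the request arrived through.
function loadProduct(PDO $pdo, array $get): ?array
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(404);
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, name, description FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed connection for illustration; DSN and credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,  // real server-side prepared statements
]);

$product = loadProduct($pdo, $_GET);
if ($product !== null) {
    echo htmlspecialchars($product['name'], ENT_QUOTES, 'UTF-8');
}
```

The unsafe function is kept only to show the shape of the hole the answers describe; the hardened one is what product.php should contain regardless of what the rewrite rule accepts.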

No. It makes your URL cleaner, but it still sends text information that at some point in your PHP code can be sent to the database. So it needs to be secured.

You can do it by using `mysqli_real_escape_string($_GET['id'])` or by using other methods mentioned in How can I prevent SQL injection in PHP?.

zurfyx

Do not confuse input data validation and SQL formatting!

These two matters should never be intermixed.

Proper SQL formatting is required not by whatever protection but by mere SQL syntax rules. And a prepared statement is a tool that can guarantee a syntactically correct query. Yet it can do any good only if used consistently and unconditionally.

Your Common Sense