
I have two questions about security in PHP.

First:
Is it possible to upload a file with SQL injection? (Access to load_file and INTO FILE is denied.)

Second:
In PDO I need to use the PDO::quote method; is this method safe against injection?

Here is an example:

```php
// Build the query by escaping and quoting the value with PDO::quote
$check = "SELECT * FROM table_name WHERE username = " . $database->quote($this->username);
```
  • If you use prepare with PDO then you won't have any injection problems, as the query is run separately from the bindParams – Dave Jul 05 '13 at 10:19
  • I know, but I need to use quote –  Jul 05 '13 at 10:25
  • I don't understand the 1-st question. Give an example of an uploaded file, containing SQL injection. – user4035 Jul 05 '13 at 10:33
  • @user4035 My question is very simple: is it possible to upload a PHP shell file with SQL injection? –  Jul 05 '13 at 10:35
  • @Ali And it still doesn't make much sense. SQL injection happens under one specific circumstance: when you concatenate values unchecked into SQL statements. Dunno what this has to do with file uploads. See [The Great Escapism (Or: What You Need To Know To Work With Text Within Text)](http://kunststube.net/escapism/) – deceze Jul 05 '13 at 10:55
  • @AliAkbar no, no you don't need to use quote at all. If you're already using PDO you may as well do it properly and prepare the queries – Dave Jul 05 '13 at 11:12
  • @deceze - MySQL supports functions to load and to save files on the server (depending on the configuration). This can be used to place malicious code on the server and if you find a way to execute them, you can gain access to the server. An example you may find [here](http://kaoticcreations.blogspot.de/2011/08/sql-injection-how-to-use-load-file-into.html). – martinstoeckli Jul 05 '13 at 11:38
  • @martin So that sentence means *"is it possible to exploit an SQL injection vulnerability and use it to upload a file to the server"?* That would make more sense. Though I'm not sure why you'd worry about that particular case if you have injection vulnerabilities. :) – deceze Jul 05 '13 at 11:44
  • @deceze - Right, that's how I understand it; the mentioned `load_file` points in this direction. – martinstoeckli Jul 05 '13 at 11:46

3 Answers

0

Is it possible to upload a file with sql injection? (access to load_file and INTO FILE is denied)

If all of the MySQL file I/O functions are disabled, then, generally speaking, no, it is not possible to upload a file through an SQL injection vulnerability alone. It may still be possible if there is some other code elsewhere that, combined with the SQLi, ultimately allows an attacker to "upload a file".

In PDO I need to use the quote method; is this method safe against injection?

As long as the character set is configured correctly, then PDO::quote is considered secure. As others have pointed out though, a Prepared Statement is preferred.

MrCode
0

Is it possible to upload a file with sql injection?

This site is for developers, not fraudsters, I believe. And as a developer, I do not care about injection variants at all. Even if this particular injection is not possible, a wide range of other injections puts you in no less danger.

The only thing a developer should know is how to properly format his query. Everything else is useless rubbish. So, how to format an SQL query, and how to do it properly and unconditionally, is indeed what a developer ought to know.
But whatever injection types there are is none of his business.

The only thing a developer has to know about injections is that an improperly formatted query literal could be exploited.

In PDO I need to use the quote method

Nope, in PDO you need to use prepared statements instead.

Is this method safe against injection?

Although the example you provided is quite safe (for the conventional encodings), the very approach is error-prone and may easily let you slip into injection. As long as the formatting facility is alienable from the query, there is still a high risk of it being moved away from the query building and eventually being lost or improperly used.

The very benefit of a prepared statement is that it does formatting right in place, unconditionally.

Your Common Sense
  • Security comes from understanding; simply following rules without knowing the threats is a bad motivation to write secure code. – martinstoeckli Jul 05 '13 at 11:43
  • ALL a developer should know is how to properly format their queries. Everything else is useless rubbish. So, how to format an SQL query, and how to do it properly and unconditionally, is indeed what a developer ought to know and understand - I am not arguing that. But whatever injection types there are is none of his business. – Your Common Sense Jul 05 '13 at 11:58
-1

First: Is it possible to upload a file with SQL injection? (Access to load_file and INTO FILE is denied.)

Yes, it is always possible to upload such a file, but it is up to you whether you check and escape the files that are stored before putting them into the DB in any format.

Second: In PDO I need to use the quote method; is this method safe against injection?

The best way to avoid SQL injections in PDO is to use prepared statements.

Check this topic, which covers the subject really well.

When you bind a parameter to your query you can specify its type, for example PDO::PARAM_STR or PDO::PARAM_INT. This will do proper escaping and you will be more secure against SQL injection.

Robert
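Both this answer's point about typed binding and MrCode's caveat that PDO::quote is only as safe as the character-set configuration, in one added example that is not part of any answer on this page. It runs against an in-memory SQLite database so it works offline; the MySQL DSN with `charset=utf8mb4` in the comment is what the character-set caveat refers to, and the table, rows and hostile input are constructed for the demonstration.

```php
<?php
// Added example (not from the original post). SQLite in memory keeps it
// self-contained; for MySQL the DSN should carry the charset so that
// PDO::quote and the server agree on the encoding, e.g.
//   new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', $user, $pass)
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, age INTEGER)');
$pdo->exec("INSERT INTO users (username, age) VALUES ('alice', 30), ('bob', 41)");

// Constructed hostile input: the classic tautology attempt from the question's scenario.
$username = "x' OR '1'='1";

// 1) PDO::quote: the value is escaped and wrapped in quotes, so the embedded
//    quote characters are data inside the literal, not SQL syntax.
$sql = 'SELECT username FROM users WHERE username = ' . $pdo->quote($username);
$viaQuote = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);

// 2) Prepared statement with typed binding (what the answers recommend): the
//    value never becomes part of the SQL text at all, and the integer parameter
//    is bound as an integer rather than spliced in as a string.
$stmt = $pdo->prepare('SELECT username FROM users WHERE username = :u AND age > :minAge');
$stmt->bindValue(':u', $username, PDO::PARAM_STR);
$stmt->bindValue(':minAge', 18, PDO::PARAM_INT);
$stmt->execute();
$viaPrepare = $stmt->fetchAll(PDO::FETCH_COLUMN);

// 3) The defect the question worries about, for contrast only: the same input
//    concatenated raw, so the tautology rewrites the WHERE clause.
$unsafe = "SELECT username FROM users WHERE username = '" . $username . "'";
$viaConcat = $pdo->query($unsafe)->fetchAll(PDO::FETCH_COLUMN);

var_dump($viaQuote);    // array(0) {}            - no such username
var_dump($viaPrepare);  // array(0) {}            - no such username
var_dump($viaConcat);   // array(2) { alice, bob } - every row matched
```

Cases 1 and 2 return no rows because the hostile string is compared as a literal; case 3 returns every row, which is the behaviour prepared statements (and, with a correct charset, quote()) prevent.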