
I am testing my website for SQL injection issues and came across a couple that I cannot understand.

Basically, I am building a user blogging system.

I am using the SQL Inject Me Firefox plugin and here are some errors I received:

"Error string found: 'Integrity constraint violation'"

"Server Status Code: 302 Moved Temporarily" - I think that is just because I redirect a user on error for a certain form

Overall I had no fails and passed 42,000 tests. However, some of my database items are being affected.

Let's say I am echoing out the 'posts' from the database:

I have all the data, and then a hidden form which is used to edit the data. If the user is logged in then a button is shown where they can click and this form is shown.

Even if the user is not logged in, the SQL injection test can modify posts.

In my processing page for updating posts I check for POST, and I also run a check against the post's username in the database and the session username of the logged-in user (blank if not logged in). Yet this still allows changes to be made.

How can this be? And is displaying a form with "display:none" good enough?


1 Answer


You should check if the user is logged in (has a valid session) before inserting any data in the database; example code below:

In your login page, if the username/password is correct, execute this:

session_start(); // the session must be started before $_SESSION is used
$_SESSION["logged_in"] = true;

That will make PHP "remember" that the current session cookie is valid and belongs to a valid user.

Whenever you need to change database contents, you can check:

session_start(); // resume the session that the login page created
if (isset($_SESSION["logged_in"]) && $_SESSION["logged_in"]) {
    // all good, user is logged in, you can change database contents
    mysqli_query($mysqli, "UPDATE ..."); // example query; $mysqli is your open database connection
} else {
    // something is wrong, the form is submitted without a valid session
    // so it's probably a malicious user, anyway don't change database contents
    // the Location header must be sent before any output, and exit stops the rest of the script
    header("Location: /login.php"); // redirect them to the login page
    exit("Access denied, please log in."); // display error message
}

And is displaying a form a "display:none" good enough?

No; a malicious user can submit the form even if it's hidden (by making it visible using the developer tools, or by looking at the page source and writing a script that submits the form). Actually, that's exactly what your vulnerability checker extension is doing: it tries to submit forms even if they're hidden.

  • I'll look at improving the user check before inserting the data. Also, how can I get around the form? I could use JS to create the form, I guess. – Lovelock Jan 14 '14 at 21:28
  • Your form is fine as long as you check the user's session before inserting any data into the DB, and using JavaScript as a "protection" is a bad idea; an attacker can easily bypass that. –  Jan 14 '14 at 21:31
  • Sorry, I meant for displaying the form. If I create the form with JS instead of having it echoed and shown as a hidden form. – Lovelock Jan 14 '14 at 21:36
  • But still, it doesn't prevent an attacker from reading the JS and manually creating the form and then submitting it. I still don't know why you insist on obfuscating the form; just do a server-side check before inserting any data and that's it. No matter if your form is visible or not, the server won't change DB contents unless the user is logged in. –  Jan 14 '14 at 21:39
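A fuller version of the server-side check the answer recommends, added here as an example (not the answer's or the asker's code): it validates the session, confirms post ownership from the database rather than from anything the form submits, and uses prepared statements for both queries so the post id and body cannot alter the SQL. Table and column names (posts.id, posts.username, posts.body), the session keys and the connection parameters are assumptions.

```php
<?php
// Added example, not the answer's own code. Table/column names, session keys
// and connection parameters are assumptions; adjust them to your schema.
session_start();

function redirect_and_exit(string $location, int $status): void {
    // Send the redirect before any output and stop the script; otherwise the
    // code below (including the UPDATE) would still run after the header.
    header('Location: ' . $location, true, $status);
    exit;
}

// 1. Valid session: the login page sets these only after the password check passes.
if (empty($_SESSION['logged_in']) || empty($_SESSION['username'])) {
    redirect_and_exit('/login.php', 302);
}

// 2. Validate input: the post id must be an integer, the body a string.
//    filter_input(INPUT_POST, ...) returns null when the request is not a POST.
$postId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
$body   = $_POST['body'] ?? null;
if (!is_int($postId) || !is_string($body)) {
    http_response_code(400);
    exit('Bad request');
}

$db = new mysqli('localhost', 'app_user', 'placeholder-password', 'blog');
$db->set_charset('utf8mb4');

// 3. Ownership: read the owner from the database, never from the submitted form,
//    with a bound parameter so the id cannot change the query.
$stmt = $db->prepare('SELECT username FROM posts WHERE id = ?');
$stmt->bind_param('i', $postId);
$stmt->execute();
$stmt->bind_result($owner);
$found = $stmt->fetch();
$stmt->close();
if (!$found || !hash_equals($owner, $_SESSION['username'])) {
    http_response_code(403);
    exit('Access denied');
}

// 4. Only now change database contents, again with bound parameters.
$stmt = $db->prepare('UPDATE posts SET body = ? WHERE id = ? AND username = ?');
$stmt->bind_param('sis', $body, $postId, $_SESSION['username']);
$stmt->execute();
$stmt->close();
redirect_and_exit('/post.php?id=' . $postId, 303); // back to the post after a successful edit
```

Whether the form is rendered hidden, created with JavaScript, or hand-crafted by the tester, every request reaches this handler and is refused unless the session is valid and the session's user owns the post.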