1

I'm looking at some old PHP code, trying to figure out if it's vulnerable to SQL injection. My boss believes it's safe, but I'm hesitant to accept that. It's using an Oracle DB.

It's old code, and the query is being built via string concatenation (sprintf). However, the user input string has all hyphens and spaces removed (via str_replace), and addslashes() is called on it. Is there still any threat of an attack in this case? Can you give an example?

Since the code was written we have moved to using parametrized queries, so ideally we update it to that, but I'm trying to prove the need to do so.

britter
  • 141
  • 2
  • 11
  • No, that does not sound very safe. Tell your boss that it is not secure. If he refuses to listen then maybe try to get other employees on your side. If that does not work then let him sleep in his own bed. If your servers are breached then laugh in his face, and tell him that you told him so. – Sverri M. Olsen May 11 '15 at 14:19

1 Answers1

2

There are some examples of how to inject attack something using addslashes here:

If that little lot does not convince the boss then maybe set up on a test server and create a POC injection against the code using what is explained in the above links to give a demonstration of an attack. A drop tables is quite dramatic as is tricking the script into spewing out the DB contents onto the page.

Community
  • 1
  • 1
Matthew Brown aka Lord Matt
  • 2,298
  • 1
  • 27
  • 40