
We have been working on a user registration system and it seems to be working rather well. The only thing is in initial testing we were able to get the common SQL injection string '1==1' into the database under one of the data fields. This is concerning from a development standpoint as it's one of the "forbidden strings" that should never get within 16 miles of a DB. The following code is what we are working with...

$query = $handler->query("INSERT INTO users (`username`,`password`,`first_name`,`last_name`,`email`,`IP_check`,`other_ip`,`rescue_email`,`proxy_flag`) 
VALUES ('$UN','$password','$first','$last','$res_email','$IP_check','$other_IP','$res_email','$proxy_flag')");

where each of the strings is escaped with

$first = mysqli_real_escape_string($connect, $_POST['first_name']);

across all form values, where $connect is a mysqli instance defined in an include file, and the handler is a PDO database object initialized to work with the user database.

The data all gets to the table as we expect, but when we tried using the string '1==1' in one of the fields it passed to the database as is. Does this pose a valid SQL injection vector? On the sign in side it is more prominent to use the 1==1 and other vectors, but what we aren't sure of is whether or not getting a malicious string into the database poses an attack vector as well.

Andrew L
  • "when we tried using the string '1==1' in one of the fields it passed to the database as is." — What does that mean? Did you insert that data into the database? Did you perform a comparison and use that comparison to manipulate the data (that statement doesn't look like you could do anything with just that string). – Quentin Jul 04 '15 at 07:22
  • It is only considered a SQL injection if you were [able to modify the intent of the SQL code](https://cwe.mitre.org/data/definitions/89.html), i. e., change its intended behavior by modifying its syntax. – Gumbo Jul 04 '15 at 07:27
  • So, what, you tried to insert the string "1==1" into the database and **it actually got saved to the database, just as you requested, without any weird side effects**?! Then you're doing SQL injection protection properly. SQL injection protection doesn't mean that those strings *can't* get inserted into the database; on the contrary, it makes sure that they *are* inserted correctly. – deceze Jul 04 '15 at 07:29
  • Working as intended. – Francesco de Guytenaere Jul 04 '15 at 08:01
  • Thanks for all the comments everyone! For clarification to anyone looking at this later down the road, when I said 1==1 gets passed as is, it means that the actual string 1==1 gets put into the database "as is". That is to say it literally says 1==1 in the data field on the database end. – Andrew L Jul 04 '15 at 13:03
  • Then that's exactly what's expected of a database and escaping. – deceze Jul 04 '15 at 15:15
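What the comments describe (the payload lands in the table as plain data), as an added example rather than the question's or the answer's code: the question's INSERT rewritten as a PDO prepared statement on the $handler the question already has, run against an in-memory SQLite database so it is self-contained; registerUser, findUser and the sample values are assumptions, and the password is hashed here as a matter of course.

```php
<?php
// Added example (not the question's code): the same INSERT as a PDO prepared
// statement, run against an in-memory SQLite database so it is self-contained.
// Table and column names follow the question; the sample values are constructed.
$handler = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // let the driver bind values natively
]);
$handler->exec('CREATE TABLE users (username TEXT, password TEXT, first_name TEXT,
    last_name TEXT, email TEXT, IP_check TEXT, other_ip TEXT, rescue_email TEXT,
    proxy_flag INTEGER)');

// Values are never spliced into the SQL text; they travel as bound parameters,
// so quotes or operators inside a value are stored as data and cannot change the query.
function registerUser(PDO $handler, array $f): void {
    $stmt = $handler->prepare(
        'INSERT INTO users (username, password, first_name, last_name, email,
             IP_check, other_ip, rescue_email, proxy_flag)
         VALUES (:un, :pw, :first, :last, :email, :ip_check, :other_ip, :res_email, :proxy)');
    $stmt->execute([
        ':un' => $f['username'],
        ':pw' => password_hash($f['password'], PASSWORD_DEFAULT),
        ':first' => $f['first_name'], ':last' => $f['last_name'],
        ':email' => $f['email'], ':ip_check' => $f['ip_check'],
        ':other_ip' => $f['other_ip'], ':res_email' => $f['rescue_email'],
        ':proxy' => (int) $f['proxy_flag'],
    ]);
}

// The sign-in lookup must be parameterised too: a string that was stored safely
// only becomes a problem if it is later read back and concatenated into another query.
function findUser(PDO $handler, string $username): ?array {
    $stmt = $handler->prepare('SELECT username, first_name FROM users WHERE username = :un');
    $stmt->execute([':un' => $username]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Constructed input: the string from the question plus a classic quote-breaking one.
registerUser($handler, [
    'username' => '1==1', 'password' => 'hunter2', 'first_name' => "' OR '1'='1",
    'last_name' => 'Doe', 'email' => 'a@example.com', 'ip_check' => '203.0.113.7',
    'other_ip' => '', 'rescue_email' => 'b@example.com', 'proxy_flag' => 0,
]);
$row = findUser($handler, '1==1');
var_dump($row['first_name'] === "' OR '1'='1");   // the payload came back as the literal string
var_dump((int) $handler->query('SELECT COUNT(*) FROM users')->fetchColumn()); // exactly one row
```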

1 Answer


Using only mysqli_real_escape_string() isn't sufficient to protect your database from malicious user input.

See here for an example of a payload which works through real_escape_string: SQL injection that gets around mysql_real_escape_string()

One thing I tend to do is multiple layers of filtering. If I'm expecting a username, then I will force only alphanumeric characters; you can use regex to make your own custom filters. Another nice example is of people encoding HTML characters (e.g. changing the copyright symbol to `&copy;` or `&` to `&amp;`). Basically, you want to ensure your input is filtered in such a way as to prevent any possibility of code (SQL or otherwise) being executed unless you want it to.

Note: I understand the above article links to mysql_real_escape_string(); however, it is applicable to mysqli_real_escape_string().

Community
  • It *is* enough *if* done properly. There are some pitfalls, but nothing which isn't under your control. – deceze Jul 04 '15 at 07:54
  • Thanks so much for the feedback! I have looked at Regex and used it for password and never considered using for other types of data. Will certainly look into that. – Andrew L Jul 04 '15 at 13:00