
Please note, this is purely for educational purposes only and I ALWAYS protect my SQL queries no matter what they are used for, it would be a majorly bad idea not to! This question specifically focuses on $_GET requests and NOT $_POST requests.

So I have recently experienced a brute force attack on one of my accounts and thought it was probably for the best to check my scripts in case I had missed anything (Luckily the attack was unsuccessful).

I came across this script from one of my older accounts:

if(isset($_GET['del'])){
    $user_id = $_SESSION['userid'];
    $id_pho = $_GET['del'];   // untrusted request value, used below without escaping or binding
    // vulnerable as posted: both values are interpolated straight into the SQL text
    $sql = "DELETE FROM new_user_favourites WHERE `user_id` = '$user_id' AND `photo_id` = '$id_pho'";
    $conn->query($sql);
}

Before I protected this script, I thought I would give it a bit of a test, and found that even if I attempted to cause a problem to this script using the URL, the URL added encoded spaces (%20) or speech marks (%27), and these would not allow the script to process any further code?

For example, I tested:

mysite.co.uk?del='; UPDATE new_users SET account_type='1' WHERE email_address='test@test.com

Which should have sent:

$sql = "DELETE FROM new_user_favourites WHERE `user_id` = '' AND `photo_id` = ''; UPDATE new_users SET account_type='1' WHERE email_address='test@test.com'";

That would have given that user admin privileges to my site. Although because of the encoding, the result in the URL shows as:

mysite.co.uk?del=%27;%20UPDATE%20new_users%20SET%20account_type=%271%27%20WHERE%20email_address=%27test@test.com

And so the query would process like this, and fail:

$sql = "DELETE FROM new_user_favourites WHERE `user_id` = '' AND `photo_id` = '%27;%20UPDATE%20new_users%20SET%20account_type=%271%27%20WHERE%20email_address=%27test@test.com'";

Could this mean that my query is already protected from this kind of attack? Or is there a way around this for people who would wish to destroy my website? I've taken a look online for information about this but there doesn't seem to be anything?

Snappysites
  • you're protected **ONLY** because the underlying mysql plugin in PHP EXPLICITLY forbids executing more than one statement in a single `query()` call. You got lucky. But that's only **ONE** form of sql injection attack, and your system is gaping wide open to all of the other forms. – Marc B Oct 06 '16 at 18:15
  • Isn't that the main type of SQL injection that a novice would generally use? And from what you have said, the URL encoding isn't actually doing anything in this instance? – Snappysites Oct 06 '16 at 18:16
  • Use prepared, parameterized queries. – Charlotte Dunois Oct 06 '16 at 18:17
  • php auto decodes the url when building the superglobals. and consider all of the query types possible. what if your query was an "is this an administrator" query? `select * from users where username = $_GET['user']`, and you pass in `1 OR 1=1`?, now you're executing `username = 1 OR 1 = 1`, and suddenly everyone's an admin. – Marc B Oct 06 '16 at 18:18
  • Do **NOT** depend on being lucky as your security system. Just because this ONE query is (trivially) more difficult to exploit doesn't mean you're "safe". – Marc B Oct 06 '16 at 18:18
  • The request type makes **absolutely** no difference – Your Common Sense Oct 06 '16 at 18:43
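Added example, not code from the question or from any of the commenters. It feeds the question's own test URL through the same percent-decoding PHP applies when it builds `$_GET`, rebuilds the query the posted script would actually assemble from it, and then shows the same DELETE as a prepared, parameterized statement. The table and column names are the ones in the question; `decodedDel`, `vulnerableSql`, `deleteFavourite` and the hard-coded user id are assumptions made for this example.

```php
<?php
// Added example, not code from the question or the comments.
// (1) what PHP actually places in $_GET for the test URL, and
// (2) the same DELETE written as a prepared, parameterized statement.

// Constructed input: the query string of the test URL exactly as the
// browser sends it on the wire (percent-encoded).
const RAW_QUERY_STRING =
    'del=%27;%20UPDATE%20new_users%20SET%20account_type=%271%27%20WHERE%20email_address=%27test@test.com';

// PHP percent-decodes the query string while populating $_GET, so the script
// never sees "%27" or "%20". parse_str() applies the same decoding, which
// lets this run without a web server.
function decodedDel(string $rawQueryString): string
{
    parse_str($rawQueryString, $get);
    return $get['del'] ?? '';
}

// The vulnerable query from the question, built from the decoded value.
// $userId stands in for $_SESSION['userid'].
function vulnerableSql(string $del, int $userId): string
{
    return "DELETE FROM new_user_favourites WHERE `user_id` = '$userId' AND `photo_id` = '$del'";
}

// Hardened form: the photo id travels as a bound parameter, so whatever it
// contains it is compared as a value and never becomes part of the SQL text.
// Function name and signature are assumptions for this example; the photo id
// is bound as a string because the question does not show the column type.
function deleteFavourite(mysqli $conn, int $userId, string $photoId): int
{
    $stmt = $conn->prepare(
        'DELETE FROM new_user_favourites WHERE `user_id` = ? AND `photo_id` = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('is', $userId, $photoId);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Demonstration of the decoding step (no database needed for this part).
$del = decodedDel(RAW_QUERY_STRING);
echo "decoded del: ", $del, "\n";
echo "assembled SQL: ", vulnerableSql($del, 7), "\n";
```

Run it with `php example.php`. The decoded value contains a real single quote and real spaces, so `vulnerableSql` assembles exactly the two-statement string the question expected to send; the `%27` and `%20` shown in the browser's address bar never reach the script. What stops that particular payload is only that `mysqli::query()` executes a single statement (stacked statements run only through `multi_query()`), which is the "luck" the first comment describes; it does nothing against single-statement injections such as the `OR 1=1` tautology in the later comment. `deleteFavourite` removes the whole class by never letting the request value become SQL text, and it needs a live `mysqli` connection to be called.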
