Saturday, July 31, 2010

Re: SQL injection (multiqueries sanitization?)

On Jul 30, 8:19 pm, Hugo M <ham1...@gmail.com> wrote:
> Hi! I have a question about Model->query and sql injection. I was
> trying to sql inject my own site to see vulnerabilities, and I got:
>
> Warning (512): SQL Error: 1064: You have an error in your SQL syntax;
> check the manual that corresponds to your MySQL server version for the
> right syntax to use near 'drop table users; select * from users WHERE
> id = 2' at line 1 [CORE/cake/libs/model/datasources/dbo_source.php,
> line 681]
>
> Query: UPDATE users SET score = score + 10; drop table users; select *
> from users WHERE id = 2

It's a fallacy that php+mysql is susceptible to multiple-query sql
injection http://php.net/manual/en/function.mysql-query.php

>
> That query works well when I do it from the console!

Because the mysql cli, obviously, lets you run more than one query in
sequence.
>
> The real query is:
>
> Update users SET score = score + $param WHERE id = 2.

then try this

$param = '-100 WHERE id != 2 -- haha, everyone else loses 100 points and everything after this gets ignored.';

>
> And $param is "10; drop table users; select * from users WHERE id = 2 ".
>
> I think cake is smart enough to cut somehow the params when they have
> a ';' inside, or something like that.

Nope, you're just doing it 'lucky'/doing it rong :).

>
> I thought this sql injection should work. I'm not happy, my system
> seems to be protected but I don't know why :S

Try this plugin https://addons.mozilla.org/en-US/firefox/addon/7597/
it'll give you some ideas if you log the queries that it executes/look
at the sort of thing it tries.

Obviously if you're /actually/ using query with user input (or update
all with user input in the where) instead of find/save/field etc.
you're completely unprotected and on your own as far as cake's
concerned - you need to escape user input.

hth,

AD
