Some SQL Injection basic concept questions

Hello there, this is my first post (and I’m sure you would have figured that out in short order :wink:

In the below example I understand that the '_SERVER[‘PATH_INFO’ line just removes all slashes in the load Path of the Server and doesn’t really relate to any SQL injection.

I see that the real concern is that a malicious person may be able to modify the content of the server variable, and in that case, because in the second line there is no filtering of the data in the use of the $_Get[‘id’], which is just a string, that it may contain just about anything.

So, if a bad actor puts “‘myfilename’; drop Database;” into $_SERVER[‘PATHINFO’], he/she may be able to delete the entire Database of the Server.

So… here are my 2 questions:

  1. Why do we even need have the load Path of the Server there? If a form is always referencing a particular database somewhere, shouldn’t that info be static in some private file?

  2. In reading about this class of exploit, there seem to be two basic ways to resolve this:

Via a bit of code that (I presume) basically says, “I as the designer, expect to see only the number 0-9 inputted, test for this, and disallow everything else” [aka “Input Validation with a Whitelist”]

Or, via a code function that says “filter/exclude input content of the following type, semicolons, negative numbers, etc” [Using Parameterized Queries]

Assuming the only legal permissible input is 0-9… Can someone show me examples of these two functions please?

Finally I’ve seen referenced a PHP library call that achieves some or all of the above, vis-a-vis filtering. How commonly used is that?

            include_once "lib/db.php";
            include "lib/sql_form.php";
            if(!$_GET['id'])
    $_GET['id'] = str_replace("/", "", $_SERVER['PATH_INFO']);
            $query = "SELECT * FROM listings WHERE id = ".$_GET['id'];
            $result = mysql_query($query);

Thank you so much, I appreciate any insight anyone has.

parameterized queries isnt filtering, it basically just submits the db query string and the parameters separately, in turn the db server knows it should not in any circumstance treat anything in the parameters array as query language. this effectively defeats all forms of sql injection, just make sure you dont just emulate prepares, and use a proper charset.

1 Like

Just use prepared/parameterized queries, with a place-holder in the sql query statement for each value, then supply the data when the query gets executed.

Your example uses the old, obsolete, and now removed from php, mysql_ extension. A huge amount of often insecure code was needed to protect against sql special characters breaking the sql query syntax, for each different data type. Since this extension is no longer in php, you will need to use one of the replacements. The PDO extension is the simplest and best choice, even if all you are doing is converting older mysql_ based code.

With prepared queries, this all goes away. Your application just needs to validate that the data meets the requirements of the application. Prepared queries also simplify the sql query syntax, since the php variables and any single-quotes, concatenation dots, and {} around the variable are all removed and replace with a simple ? place-holder.

1 Like

JimL and phdr, thank you both. I appreciate it.

Sponsor our Newsletter | Privacy Policy | Terms of Service