Huge/Weird Values
Regarding the 99999.... query issue, the range for each of these types is listed:
SMALLINT: -32768 to 32767. The unsigned range is 0 to 65535.
MEDIUMINT: -8388608 to 8388607. The unsigned range is 0 to 16777215.
INT: -2147483648 to 2147483647. The unsigned range is 0 to 4294967295.
BIGINT: -9223372036854775808 to 9223372036854775807. The unsigned range is 0 to 18446744073709551615.
It should be noted that only those "naughty" individuals will attempt something like the 9X100 ... and SQL will just replace extremely large values with the maximum number for the associated type. (i.e. ... Mr. Jon Goober submits 9999999999999999 into a column of type int; it will store it as "2147483647".)
If you do not check for is_int() or is_numeric(), and the user submits a massive string filled with both numeric and alphanumeric values, a value of "0" will be stored.
Nested Queries
This has been an ongoing security issue for years. One thing to note: on current releases of PHP the mysql_query() function will ONLY ALLOW YOU TO RUN 1 COMMAND.
For example, if your hard coded query runs a
"select * from users where id = '1' limit 1",
and the user manages to try and nest another query by using
"select * from users where id = '1' limit 1; delete from users where id = like '%'";
the query will fail. Try it ... you'll see what I mean. Now this applies only to the mysql_query() function. If you are running ';' on the actual mysql command line interface, it will work.
If security is important to you, then possibly a few of the following steps can help keep your database protected:
#1 Allow access to only localhost clients
#2 When using incremented IDs, add an additional id_encrypt column and store a unique md5() value which can be used in place of the standard int for all queries.
#3 Passwords should ALWAYS be encrypted. Plain Text passwords should never be used.
#4 Think pro-actively when designing your client interface. Don't allow them to run direct queries ... the ONLY instance a client should be able to run a partial query would be when using a Search Engine. Make sure you check all incoming data for "nasty" submissions. All other database interaction should be through buttons, links and presented materials. Don't give them the chance to mess around.
#5 Use = in place of LIKE. LIKE should only be used for search engines.
#6 When you design your table columns, don't make them easy and standard names. ID, Name, Address are easily guessed ... client_id, user_id, customer_name, x_name, z_name etc ... if they don't know the column names, it's hard to delete the information!
Hope that helps!