SQL Injection fix (mysql php5.1)


mh

Aug 16, 2011, 11:29:28 AM
to Php Object Generator
The following links to a zip file with modified object_factory files
(and a diff file) to prevent SQL injection when using mysql and php5.1

http://www.monkeyr.com/pog/sqlinjectionprotection(mysqlphp5.1)v1.zip

It does this using PDO::quote (http://php.net/manual/en/pdo.quote.php)
for all user-defined data sent to the DB.
mh

Crispy

Aug 16, 2011, 11:42:08 PM
to Php Object Generator
nice!

mh

Aug 18, 2011, 5:07:39 AM
to Php Object Generator
v2 of the zip addresses a few issues left in v1:

Saves and Gets are now done through prepared statements, PDO::prepare
(http://www.php.net/manual/en/pdo.prepare.php).
All remaining quoted values used in GetList, Delete, DeleteList etc.
are done with PDO::quote (http://php.net/manual/en/pdo.quote.php).
Removal of the erroneous stripcslashes from the Unescape method (slashes
are added to escape the string before entry to the DB; they're removed
during the insert to the DB, so removing them again on extraction from
the DB will corrupt pre-slashed data).
The connection is not repeatedly passed to DB functions. It's saved to
self::$connection on creation of the DB object.
mh

http://www.monkeyr.com/pog/sqlinjectionprotection(mysqlphp5.1)v2.zip

Nicholas Velloff

Aug 18, 2011, 12:47:56 PM
to php-object...@googlegroups.com
Thanks for sharing this. I'll give it a shot. - nick


Droope

Aug 19, 2011, 9:52:09 AM
to Php Object Generator
Sorry, does this mean that I have a SQL injection in all the websites
in which I have used POG?

Thanks.

Pedro

mh

Aug 19, 2011, 12:49:42 PM
to Php Object Generator
SQL injection is achievable if you don't sanitise date and numeric
inputs to your POG objects.

For instance (this works on my setup: magic_quotes off, PHP 5.2.17,
MySQL 5.0.92-community, full permissions for the db user):

On a Save of my bike object, my last field is a date field.
If I set the date field equal to the value ');drop table bike;#
then when it's called it attempts to drop the table named bike.
This works with or without db_encoding, as dates and numbers are not
escaped before being sent to the db.

Always sanitise your inputs and/or make sure the framework you're
using does it for you!
If you want to rebuild your objects with the fixes I've put in place
(MySQL and PHP 5.1+ only!!!)
you can use my setup at http://pog.monkeyr.com/

P.S. This hosted version is on my development server. No guarantees!
Set up your own server and apply the diff patch/overwrite the files
from the v2 zip if you have pobs with my implementation.

P.P.S. Hopefully the devs will address these issues in later versions
of POG. Not flaming, just trying to help! Honest ;)
mh

Nicholas Velloff

Aug 19, 2011, 1:26:54 PM
to php-object...@googlegroups.com
I was wondering how difficult it was to get this up and running on your system? Did you run into a bunch of gotchas, or was it fairly straightforward?
I need to do this as well on my dev server, but I'm concerned about setup issues. Guess I'll give it a shot today and see how far I get.

PHP Version 5.3.2
Apache/2.2.14 (Ubuntu)
mySQL 5.1.41

Crispy

Aug 20, 2011, 3:07:50 AM
to Php Object Generator
Not exactly.

I'm not sure about PDO, but if you use the POG version of the database
wrapper, it uses mysql_query, which does not support multiple queries
as described... so the example of a trailing 'drop table' will not
fly. I haven't tested this type of injection with the PDO wrapper; I
suppose we should. But mh strongly suggests that this is the case.

The PDO->quote patch will fix a bunch of these issues with the PDO
database wrapper... nice work BTW.

Unfortunately, the PDO->quote patch will require regenerating all your
objects, so it is a major change. The big difference is that
PDO->quote adds single quotes to the beginning and end, if I recall. Hmm.
That gives me an idea.

Perhaps in class.pog_base.php just replace the Escape function with
this:

public function Escape($text)
{
    // db_encoding mode: non-numeric values are base64-encoded, so no quoting is needed
    if ($GLOBALS['configuration']['db_encoding'] && !is_numeric($text))
    {
        return base64_encode($text);
    }

    // Let PDO escape the value, then drop only the outer quotes that PDO::quote adds
    // (substr rather than trim, so an escaped quote at either end of the value survives)
    $databaseConnection = Database::Connect();
    return substr($databaseConnection->quote($text), 1, -1);
}
and I think you will gain most of the benefits of the patch without
the need of regenerating.

I did a quick manual test and it seems good.

ymmv

:)

Nicholas Velloff

Aug 20, 2011, 3:36:36 AM
to php-object...@googlegroups.com
I just set up POG on my development server. I regenerated all of my objects and it all seemed fine. When I tried to "POG me up" I received:

Fatal error: Call to undefined method Database::InsertOrUpdatePrepared() in /Users/nick/github/WeegoAPI/objects/class.altemail.php on line 208

Any idea what may have gone wrong?

Thanks!
Nick

mh

Aug 20, 2011, 8:19:00 AM
to Php Object Generator
Just done a bit of digging, and it seems you can turn off PDO's
multiple query capability by setting the connection object attribute
ATTR_EMULATE_PREPARES to false.

This is a one-shot quick fix that I've not extensively tested, but
it seems to work to stop multiple queries being passed to the db, i.e.
it stops the SQL injection in my example above.
The file you need to edit is objects/class.database.php.
After line 22 add the following line of code:
$this->connection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

As the POG setup diagnostics use this db connection to do all the
table creation and testing, I can only assume that this hasn't broken
anything.
mh
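The fixes described in this thread (prepared statements for Save, PDO::quote for the remaining inline values, and ATTR_EMULATE_PREPARES set to false), pulled together in one small wrapper. This is an added example, not POG's code or mh's patch; the SafeDatabase class, the bike table with columns model/wheels/purchased, the DSN and the credentials are assumptions. It also goes one step beyond the thread by validating the date field before it is ever bound, as mh's "sanitise your inputs" advice asks for.

```php
<?php
// Added example, not POG's own code. The bike table, its columns, the DSN
// and the credentials are assumptions for illustration.
class SafeDatabase
{
    private $connection;

    public function __construct($dsn, $user, $password)
    {
        $this->connection = new PDO($dsn, $user, $password);
        // The one-line fix from the thread: server-side prepared statements
        // accept exactly one statement, so a trailing "; drop table" cannot run.
        $this->connection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        $this->connection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    // Save path: validate the date, then bind every field, numeric and date
    // included, instead of concatenating it into the SQL string.
    public function saveBike($model, $wheels, $purchased)
    {
        if (!preg_match('/^(\d{4})-(\d{2})-(\d{2})$/', $purchased, $m)
            || !checkdate((int)$m[2], (int)$m[3], (int)$m[1])) {
            throw new InvalidArgumentException('purchased must be YYYY-MM-DD');
        }
        $stmt = $this->connection->prepare(
            'INSERT INTO bike (model, wheels, purchased) VALUES (:model, :wheels, :purchased)'
        );
        $stmt->bindValue(':model', $model, PDO::PARAM_STR);
        $stmt->bindValue(':wheels', (int)$wheels, PDO::PARAM_INT);
        $stmt->bindValue(':purchased', $purchased, PDO::PARAM_STR);
        $stmt->execute();
        return (int)$this->connection->lastInsertId();
    }

    // GetList path: the column name comes from a whitelist; the value goes
    // through PDO::quote(), which escapes it and adds the surrounding quotes.
    public function listBikes($column, $value)
    {
        if (!in_array($column, array('model', 'wheels', 'purchased'), true)) {
            throw new InvalidArgumentException('unknown column ' . $column);
        }
        $sql = 'SELECT * FROM bike WHERE ' . $column . ' = ' . $this->connection->quote($value);
        return $this->connection->query($sql)->fetchAll(PDO::FETCH_ASSOC);
    }
}

$db = new SafeDatabase('mysql:host=localhost;dbname=pog', 'pog', 'secret');
$db->saveBike('Roadster', 2, '2011-08-19');
// The thread's example value is rejected before any SQL is built.
try { $db->saveBike('Roadster', 2, "');drop table bike;#"); }
catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
```

Even if the date check were missing, the bound parameter would reach MySQL as a value, not as part of the statement text, which is the property the thread's Save/Get change relies on.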

Nicholas Velloff

Aug 20, 2011, 6:51:26 PM
to php-object...@googlegroups.com
Still getting all kinds of craziness with my generated code.

Fatal error: Call to undefined method Database::InsertOrUpdatePrepared() in /project/objects/class.testobj.php on line 196

I'm pretty stuck at this point...

Any ideas?

Joel

Aug 20, 2011, 7:34:10 PM
to Php Object Generator
Is this straight up generated code or third party code provided above?

On Aug 20, 4:51 pm, Nicholas Velloff <n...@unitedweego.com> wrote:
> Still getting all kinds of craziness with my generated code. http://pog.weegoapp.com

mh

Aug 20, 2011, 7:55:53 PM
to Php Object Generator
Most humble apologies!
The class.database.php5.1.php file in the v2 zip was an older version,
missing a function.
v3 can be found here: http://www.monkeyr.com/pog/sqlinjectionprotection(mysqlphp5.1)v3.zip
mh

On Aug 20, 11:51 pm, Nicholas Velloff <n...@unitedweego.com> wrote:
> Still getting all kinds of craziness with my generated code. http://pog.weegoapp.com