Skip to main content

How to prevent mysql sleep injections?


Recently, we faced an issue with website which was developed around one year back. One hacker successfully tried to slow the website using sleep injection. Although we were using precautions like mysqli_real_escape_string() for escaping SQL string syntax correctly. Let’s see why this happened then and what are the solutions?

We were using following code to get product id passed through query string.

$id   = mysqli_real_escape_string($con , (isset($_REQUEST['id']) ? $_REQUEST['id'] : 0));
$qry = "Select * from products where id = ".$id;

but hacker tried to change the the query string as : 

?id=3 and sleep(4)

and query becomes

Select * from products where id = 3 and sleep(4);

And it started taking around 4+seconds to run the query. So in this way website become too slow.

We were trying to figure out the possible and the best solution.

After spending some time we noticed that although we were using mysqli_real_escape_string() function but we were not using it properly. Everytime we use mysqli_real_escap_string(), the returned string must be used with single quotes although it’s numeric or string. So quick solution for that problem was to change the query as :

$id   = mysqli_real_escape_string($con , (isset($_REQUEST['id']) ? $_REQUEST['id'] : 0));
$qry = "Select * from products where id = ‘".$id."";

It is a quick solution but not the best one.

We could have also checked if the input is numeric or not.

Note : For future reference I would like to say please don’t use mysql_ extensions anymore. mysql_ extension is deprecated as of PHP 5.5, and will be removed in future.

Use mysqli or PDO prepared statements. Best is PDO statements.

The internet (and many respectable CS courses) are littered with examples using mysql_query() and string concatenation, half of which train people to create SQLI bugs or don't explain why escaping is needed; it's too late to undo the damage already done but at least people new to PHP will hopefully be told now that there is a better way. Although we can’t say PDO is 100% not vulnerable to errors but we don’t need to use external functions to cover sql injections. So as a programmer I would suggest and request to all the developers community to use PDOs in future reference.

Reference :

http://php.net/book.pdo

Thanks!!!!!!!!!!!!!! Enjoy Programming :)


Labels:
Location: Chandigarh, India

Comments

Post a Comment

Thanks for your valuable comments.

Popular posts from this blog

Odoo/OpenERP: one2one relational field example

one2one relational field is deprecated in OpenERP version>5 but you can achieve the same using many2one relational field. You can achieve it in following two ways : 1) using many2one field in both the objects ( http://tutorialopenerp.wordpress.com/2014/04/23/one2one/ ) 2)  using inheritance by deligation You can easily find the first solution with little search over internet so let's start with 2nd solution. Scenario :  I want to create a one2one relation between two objects of openerp hr.employee and hr.employee.medical.details What I should do  i. Add _inherits section in hr_employee class ii. Add field medical_detail_id in hr_employee class class hr_employee(osv.osv):     _name = 'hr.employee'     _inherits = {' hr.employee.medical.details ': "medical_detail_id"}     _inherit = 'hr.employee'         _columns = {              'emp_code':fields.char('Employee Code', si
12 comments
Read more

How to draw Dynamic Line or Timeseries Chart in Java using jfreechart library?

Today we are going to write a code to draw a dynamic timeseries-cum-line chart in java.   The only difference between simple and dynamic chart is that a dynamic event is used to create a new series and update the graph. In out example we are using timer which automatically calls a funtion after every 1/4 th second and graph is updated with random data. Let's try with the code : Note : I had tried my best to provide complete documentation along with code. If at any time anyone have any doubt or question please post in comments section. DynamicLineAndTimeSeriesChart.java import java.awt.BorderLayout; import java.awt.Color; import java.awt.event.ActionEvent; import java.awt.event.ActionListener; import javax.swing.Timer; import javax.swing.JPanel; import org.jfree.chart.ChartFactory; import org.jfree.chart.ChartPanel; import org.jfree.chart.JFreeChart; import org.jfree.chart.axis.ValueAxis; import org.jfree.chart.plot.XYPlot; import
37 comments
Read more

pyodbc.OperationalError: ('08001', '[08001] [Microsoft][ODBC Driver 17 for SQL Server]

Recently, I faced this error in our Docker-Container environment. All the necessary packages were already installed but still, I was facing this clueless error. I search a bit and after an hour and so I found the exact reason and solution for this error. To know more about this error in detail. Please follow this Github thread. https://github.com/mkleehammer/pyodbc/issues/610 https://github.com/mkleehammer/pyodbc/issues/610#issuecomment-587523802 Solution: It's because the   server's certificate has too weak a key. In case you are using Linux env directly/not the Docker one.  Just edited /etc/ssl/openssl.cnf and change these 2 lines. MinProtocol = TLSv1.0 CipherString = DEFAULT@SECLEVEL=1 In case you are also using a container, please add these three lines to your Docker file. RUN chmod +rwx /etc/ssl/openssl.cnf RUN sed -i ' s/TLSv1.2/TLSv1/g ' /etc/ssl/openssl.cnf RUN sed -i ' s/SECLEVEL=2/SECLEVEL=1/g ' /etc/ssl/openssl.cnf Thanks!! Enjoy Programming! Refer
1 comment
Read more