Sunday, 29 July 2018

php - would null byte injection affect me if I was using a $_GET variable to make MYSQL query?
Let's say I have a $_GET variable with the name "id". The $_GET variable is then used in a mysql query to retrieve some data like SELECT text FROM database WHERE id=$_GET['id'];
Would null byte injection in my $_GET variable affect me assuming I'm using common security functions like mysql_real_escape_string(), addslashes(), and strip_tags()?


Answer

Would null byte injection in my $_GET variable affect me assuming I'm using common security functions like mysql_real_escape_string(), addslashes(), and strip_tags()?

Probably not, but a much simpler injection would affect you. Try passing this as the GET parameter:

99999 OR id=0

and run it through the query you show above. It will allow injection of arbitrary SQL even when using mysql_real_escape_string.



Contrary to popular belief, mysql_real_escape_string() will not protect you if your value is not enclosed in quotes.



If querying for numeric values, either test whether it's a number before inserting the value into the string, or put the value into quotes:



 $id = mysql_real_escape_string($_GET["id"]);
$query = "SELECT text FROM database WHERE id='$id'";


addslashes and strip_tags have no value at all in this context. They only serve to break data, but they add no security when inserting stuff in a database. Just get rid of them. (strip_tags may be appropriate later when you output something on an HTML page.)
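The unquoted query the answer warns about, side by side with the two fixes it suggests, as an added PHP example that is not from the question or the answer. escape() is a stand-in for mysql_real_escape_string() (the mysql_* functions no longer exist in PHP 7), the table and column names are the question's, and the last function goes beyond the answer to a PDO prepared statement, where the id never enters the SQL text at all.

```php
<?php
// Added example: builds the WHERE clause three ways and shows which one the
// "99999 OR id=0" input from the answer breaks. No database is needed for
// the first three functions.

// Stand-in for mysql_real_escape_string(): backslash-escapes the same
// characters (NUL, \n, \r, \, ', " and Ctrl-Z).
function escape(string $s): string {
    return strtr($s, ["\\" => "\\\\", "'" => "\\'", "\"" => "\\\"",
                      "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z"]);
}

// 1. Unquoted and escaped, like the question's query: the payload contains
//    nothing that needs escaping, so "OR id=0" survives as SQL syntax.
function buildUnquoted(string $id): string {
    return "SELECT text FROM database WHERE id=" . escape($id);
}

// 2. Quoted and escaped (the answer's fix): the whole payload is now one
//    string literal, so it cannot add clauses to the query.
function buildQuoted(string $id): string {
    return "SELECT text FROM database WHERE id='" . escape($id) . "'";
}

// 3. Validated as an integer before it is interpolated (the answer's other
//    option): anything that is not a plain digit string is rejected, and the
//    length guard keeps the value inside a 64-bit integer.
function buildValidated(string $id): ?string {
    if ($id === '' || !ctype_digit($id) || strlen($id) > 18) {
        return null;
    }
    return "SELECT text FROM database WHERE id=" . $id;
}

// 4. Beyond the answer: a prepared statement sends the value separately from
//    the SQL text, so neither quoting nor escaping decisions are needed.
function fetchText(PDO $db, string $id): ?string {
    $stmt = $db->prepare("SELECT text FROM database WHERE id = ?");
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row['text'] ?? null;
}

$payload = "99999 OR id=0";           // the input from the answer
echo buildUnquoted($payload), "\n";   // injected: two conditions, matches unintended rows
echo buildQuoted($payload), "\n";     // single string literal, no injected SQL
var_dump(buildValidated($payload));   // rejected (null)
var_dump(buildValidated("42"));       // accepted, plain numeric id
```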