You cannot. Both of your options are fundamentally wrong:
- Anyone who can change the value of a checkbox can just as easily change the value of a hidden input.
- Your "random identifiers" can still be seen in Dev Tools, Firebug or a similar tool.
Instead of worrying about how the user sent the data, you should worry about whether the data is valid and whether the user has permission for this action.
Also, is_numeric is not my favorite, as it returns true for hexadecimal and exponential notation. I would recommend checking with ctype_digit or just doing an (int) cast, for example:

    if (!isset($_POST['id'])) die('invalid data');
    $id = (int) $_POST['id'];
    if ($id == 0) die('invalid id');

Non-numeric strings are converted to 0, and auto-increment fields usually have 1 as the first value. If 0 is a valid value, you need to adjust the code above, for example:

    if (!isset($_POST['id']) || !ctype_digit($_POST['id'])) die('invalid data');
    $id = (int) $_POST['id'];

Then check whether the given identifier exists in your database. Do the correct checks and be sure.
It does not matter how your server received the data; what matters is that the data is valid and that the user has permission to perform this operation. Everything you do in the interface can easily be changed and manipulated by a hacker or any experienced web developer.
Focus on preventing unauthorized access and maintaining database integrity. It doesn't matter whether a request is made from your page, from a modified page or through a terminal: all the headers and posted data can easily be reproduced to look like a request made from your page.
In the end, I'm not sure you can call it "SQL injection". Your application's function needs some input that includes an integer value. Now it remains to verify whether the necessary input has been provided and whether it is valid. All user input should be considered unsafe and properly checked and escaped before being inserted into a query.
Also, check out PDO, which does a great job of binding values. The mysql_* extension and mysql_real_escape_string are deprecated and error-prone.
As for preventing SQL injection, the related thread in the question comments reads well.
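The following is an added example, not code from either answer above, that puts both pieces of advice together: the `ctype_digit` / `(int)` validation from the first answer, followed by a PDO prepared statement that checks both existence and ownership server-side as the second answer recommends. The `items` table, its `owner_id` column, the sample rows and the simulated form submissions are all constructed here (in an in-memory SQLite database) so the script runs offline; the names `validate_id` and `fetch_owned_item` are this example's own.

```php
<?php
// Added example (not from the original answers). Assumes a table "items"
// with columns id, owner_id and title; the table and its rows are constructed
// below in an in-memory SQLite database so the script runs offline.

declare(strict_types=1);

/**
 * Validate a raw POST value as a positive integer identifier.
 * Returns null when the value is missing, contains non-digits, or is zero.
 */
function validate_id(array $post, string $key = 'id'): ?int
{
    if (!isset($post[$key]) || !is_string($post[$key])) {
        return null;
    }
    $raw = $post[$key];
    // ctype_digit rejects "0x1", "1e3", " 12", "-5" and the empty string.
    if ($raw === '' || !ctype_digit($raw)) {
        return null;
    }
    // Refuse digit strings long enough to overflow PHP_INT_MAX on the cast.
    if (strlen($raw) > 18) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null; // auto-increment ids start at 1
}

/**
 * Fetch a record only if it exists AND belongs to the current user.
 * The ownership check is done on the server, whatever the form sent.
 */
function fetch_owned_item(PDO $pdo, int $id, int $userId): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, owner_id, title FROM items WHERE id = :id AND owner_id = :owner'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':owner', $userId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- constructed sample data ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, title TEXT NOT NULL)');
$pdo->exec("INSERT INTO items (id, owner_id, title) VALUES (1, 10, 'alice item'), (2, 20, 'bob item')");

$currentUserId = 10; // assume the session identifies the logged-in user as 10

// Constructed submissions: the value the form "should" send plus tampered variants.
$submissions = [
    ['id' => '1'],         // valid and owned by user 10
    ['id' => '2'],         // valid integer, but owned by user 20 -> refused
    ['id' => '0x1'],       // hexadecimal notation -> rejected by ctype_digit
    ['id' => '1e0'],       // exponential notation -> rejected by ctype_digit
    ['id' => '1 OR 1=1'],  // injection-looking input -> rejected before any query
    [],                    // parameter missing entirely
];

foreach ($submissions as $post) {
    $id = validate_id($post);
    if ($id === null) {
        echo 'invalid data: ' . var_export($post['id'] ?? null, true) . PHP_EOL;
        continue;
    }
    $item = fetch_owned_item($pdo, $id, $currentUserId);
    echo $item === null
        ? "id $id: not found or not yours" . PHP_EOL
        : "id $id: ok ({$item['title']})" . PHP_EOL;
}
```

Only the first submission reaches the "ok" branch: the second passes validation but fails the ownership clause in the query, and the rest never reach the database at all. Because the id is bound as `PDO::PARAM_INT`, the query text is fixed and the value can never change its structure, which is what makes the "is it really SQL injection?" question moot.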