[nextpage title=”Data Manipulation”]
Some programmers trust that users will access a webpage the way the developer intended. What if the user tries to manipulate and change variables? What will happen? This is something you must test on your website.
This subject is better explained through examples. Let’s say you have an online store where the user can see his order through a link such as https://www.yoursite.com/orders.php?id=12345. What happens if the user tries to change his order number to a different number on the URL? Will he be able to see orders posted by other clients? In a well-designed script, the user will only be able to see his own orders, and give an error message if the user tries to manually manipulate the variable.
On another example, let’s say you have a website with a link such as https://www.yoursite.com/article.php?id=12345, which we assume displays article number 12345 from your database. What happens if the user tries to change the variable to a number of an article that does not exist? On a well-designed script, it will display an error message, whereas on a poorly designed script the page will be displayed with the text missing, which is not desirable.
And what happens if the user tries to manipulate the variable in a more drastic way? That is our next subject.
[nextpage title=”SQL Injection”]
SQL injection is a security flaw where the hacker is able to access your database by manipulating the script’s variables. This kind of access can be used to add new contents to your database, change the existing contents, to delete your database, or to gain access to your system’s control panel.
To understand how this is possible, let’s see the basics of how scripts get data from variables present on the URL and how the values from these variables can then be used to access the database.
Assuming you have an URL such as https://www.yoursite.com/article.php?id=12345, this means it will pass to the script “article.php” a variable named “id” with the value “12345.”
Now, inside this script, it will use this variable to access the database, using a query such as:
SELECT title,content FROM articles WHERE id=$id;
This query instructs the database to pull the contents of the rows “title” and “content” from the table “articles” where the “id” row equals to the value passed through the variable “$id”. Using the URL we gave as an example, with this query you will pull the title and contents of the article number 12345.
But, what if a hacker manipulates the value of the variable “$id?” If a hacker changes the URL to something like:
https://www.yoursite.com/article.php?id=12345;DELETE%20FROM%20articles
The query that will be sent to the database will be:
SELECT title,content FROM articles WHERE id=12345;DELETE FROM articles
And guess what? The table “articles” will be deleted.
The most common form of SQL injection is to gain access to the website’s control panel.
Assuming that the hacker found a login screen asking for a user and a password, and that the user name and password are inserted in a query such as:
SELECT * FROM users WHERE login= ‘$login ‘ AND password= ‘$password ‘;
Now, assume that the hacker simply typed in 1′ OR ‘1’ = ‘1 as login and 1’ OR ‘1’ = ‘1 as password. These values create the following query:
SELECT * FROM users WHERE login=’1′ OR ‘1’ = ‘1’ AND password= ‘1’ OR ‘1’ = ‘1’;
Because of the logic added (OR ‘1’=’1′), the query will always be executed regardless of the login and password entered, allowing the hacker to access the data or control panel that was supposedly protected with a password.
There are some basic procedures that protect scripts against SQL injections. Let’s talk about them.
[nextpage title=”Preventing SQL Injections”]
The best practice to prevent SQL injections is to validate and clean variables that are obtained through the script’s URL.
For example, if the script expects the variable to always be a number, we can easily add a command to only accept the variable if it is numeric. For example, in PHP we could have something like:
if (isset($_GET[‘id’])) {
$id=intval($_GET[‘id’]);
}
If (!$id) {
header( “HTTP/1.0 404 Not Found” );
exit();
}
The function “intval” will force the variable to be numeric, so if the hacker types in any command in the hopes of trying to perform an SQL injection, the command will simply be ignored and the script will terminate giving the error 404 (page not found).
If you are expecting the contents of the variable to be alphanumeric, you should have some form of validation, where only allowable values can be passed on. One simple way to do that is with “if” statements, where unknown values will simply be ignored and the code will not be run for unknown values.
As for the login/password situation described on the previous page, the basic idea is to escape the string, so single quote and double quote characters are preceded by a backslash and, therefore, ignored (the OR 1=1 will be now considered part of the login or password, and not a separate clause). In PHP, this could be accomplished with something like:
if (isset($_POST[‘login’])) {
$login=addslashes($_POST[‘login’]);
}
if (isset($POST[‘password’])) {
$password=addslashes($_POST[‘password’]);
}
Another important practice to prevent SQL injections is to use variables inside quotes in queries. For example, instead of:
SELECT title,content FROM articles WHERE id=$id;
Use:
SELECT title,content FROM articles WHERE id=’$id’;
In fact, if you do not do that, the hacker will be able to bypass the login and password by adding OR 1=1 to the password field even if you add the code to escape quotes.
There are several other ways to perform an SQL injection and also several other ways to prevent them. The goal of this tutorial was to get you acquainted with the problem to see if your website has this kind of vunerability, not to be a complete guide on the subject.
Leave a Reply