
stizzahaddock - Software and s/w Development

Dec 14, 2013 (3 years and 10 months ago)


SQL Injection


What is sql injection?

SQL injection refers to the act of someone inserting a MySQL statement to be run on your
database without your knowledge. Injection usually occurs when you ask a user for input, like
their name, and instead of a name they give you a MySQL statement that you will unknowingly
run on your database.

sql injection example

Below is a sample string that has been gathered from a normal user and a bad user trying to
use SQL Injection. We asked the users for their login, which will be used to run a SELECT
statement to get their information.

MySQL & PHP Code:

// A normal login: the value is pasted straight into the SQL text.
$name = "timmy";
$query = "SELECT * FROM customers WHERE username = '$name'";
echo "Normal: " . $query . "<br />";

// A bad login: the quote in the input ends the string literal early.
$name_bad = "' OR 1'";
$query_bad = "SELECT * FROM customers WHERE username = '$name_bad'";
echo "Injection: " . $query_bad;

Display:

Normal: SELECT * FROM customers WHERE username = 'timmy'

Injection: SELECT * FROM customers WHERE username = '' OR 1''

The normal query is no problem, as our MySQL statement will just select everything from
customers that has a username equal to timmy.

However, the injection attack has actually made our query behave differently than we
intended. By using a single quote (') they have ended the string part of our MySQL query

username = ''

and then added on to our WHERE statement with an OR clause of 1 (always true).

username = '' OR 1

This OR clause of 1 will always be true and so every single entry in the "customers" table
would be selected by this statement!

more serious sql injection attacks

Although the above example displayed a situation where an attacker could possibly get
access to a lot of information they shouldn't have, the attacks can be a lot worse. For example an
attacker could empty out a table by executing a DELETE statement.

MySQL & PHP Code:

// The quote closes the string, the semicolon ends the SELECT, and a second
// statement follows; the trailing quote re-opens a string to absorb ours.
$name_evil = "'; DELETE FROM customers WHERE 1 or username = '";
$query_evil = "SELECT * FROM customers WHERE username = '$name_evil'";
echo "Injection: " . $query_evil;

Display:

SELECT * FROM customers WHERE username = ''; DELETE FROM customers WHERE 1 or username = ''

If you were to run this query, then the injected DELETE statement would completely empty your
"customers" table. Now that you know this is a problem, how can you prevent it?

injection prevention - mysql_real_escape_string()

Lucky for you, this problem has been known for a while and PHP has a specially-made
function to prevent these attacks. All you need to do is use the mouthful of a function
mysql_real_escape_string.

What mysql_real_escape_string does is take a string that is going to be used in a MySQL
query and return the same string with all SQL Injection attempts safely escaped. Basically, it will
replace those troublesome quotes (') a user might enter with a MySQL-safe substitute, an
escaped quote \'.

Let's try out this function on our two previous injection attacks and see how it works.

MySQL & PHP Code:

// Escape the input before it is placed into the query text.
$name_bad = "' OR 1'";
$name_bad = mysql_real_escape_string($name_bad);
$query_bad = "SELECT * FROM customers WHERE username = '$name_bad'";
echo "Escaped Bad Injection: <br />" . $query_bad . "<br />";

$name_evil = "'; DELETE FROM customers WHERE 1 or username = '";
$name_evil = mysql_real_escape_string($name_evil);
$query_evil = "SELECT * FROM customers WHERE username = '$name_evil'";
echo "Escaped Evil Injection: <br />" . $query_evil;

Display:

Escaped Bad Injection:
SELECT * FROM customers WHERE username = '\' OR 1\''

Escaped Evil Injection:
SELECT * FROM customers WHERE username = '\'; DELETE FROM customers WHERE 1 or username = \''
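The same vulnerable pattern beside the fix that has replaced escaping in modern PHP: binding the value with a placeholder (prepared statements) so the driver never treats it as SQL text. This is an added example, not code from the original notes; it uses Python with an in-memory SQLite table standing in for MySQL, and constructed sample rows. Note that mysql_real_escape_string() was removed in PHP 7, so parameterized queries are the control a practitioner should reach for today.

```python
import sqlite3

# Constructed sample table (not from the original notes); SQLite stands in for MySQL.
SAMPLE_ROWS = [("timmy", "timmy@example.com"), ("alice", "alice@example.com")]

# The notes' "' OR 1" idea, with the trailing quote balanced so the statement parses.
NAME_BAD = "' OR 1 OR '"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def build_query(name):
    # Same pattern as the notes' PHP: the input is pasted into the SQL text,
    # so a quote inside it changes the structure of the statement.
    return f"SELECT * FROM customers WHERE username = '{name}'"


def lookup_vulnerable(conn, name):
    return conn.execute(build_query(name)).fetchall()


def lookup_parameterized(conn, name):
    # The fix: the value travels separately from the SQL, so quotes stay data
    # and no escaping function is needed at all.
    sql = "SELECT * FROM customers WHERE username = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    # Runs both lookups on a fresh table and reports how many rows each returned.
    conn = make_db()
    return {
        "built_query": build_query(name),
        "vulnerable_rows": len(lookup_vulnerable(conn, name)),
        "parameterized_rows": len(lookup_parameterized(conn, name)),
    }


if __name__ == "__main__":
    for user in ("timmy", NAME_BAD):
        print(compare(user))
```

For the normal login both lookups return the single matching row; for the bad login the interpolated query returns every customer while the parameterized query returns none.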




Web Services in PHP

- Web services are application components
- Web services communicate using open protocols
- Web services are self-contained and self-describing
- Web services can be discovered using UDDI
- Web services can be used by other applications
- XML is the basis for Web services

The basic Web services platform is XML + HTTP.

The HTTP protocol is the most used Internet protocol.

XML provides a language which can be used between different platforms and programming
languages and still express complex messages and functions.

Web services platform elements:

- SOAP (Simple Object Access Protocol)
- UDDI (Universal Description, Discovery and Integration)
- WSDL (Web Services Description Language)

SOAP

SOAP is a simple XML-based protocol to let applications exchange information over HTTP.

Or more simply: SOAP is a protocol for accessing a Web Service.

- SOAP stands for Simple Object Access Protocol
- SOAP is a communication protocol
- SOAP is a format for sending messages
- SOAP is designed to communicate via Internet
- SOAP is platform independent
- SOAP is language independent
- SOAP is based on XML
- SOAP is simple and extensible
- SOAP allows you to get around firewalls
- SOAP is a W3C standard

WSDL

WSDL is an XML-based language for describing Web services and how to access them.

- WSDL stands for Web Services Description Language
- WSDL is based on XML
- WSDL is used to describe Web services
- WSDL is also used to locate Web services
- WSDL is a W3C standard

UDDI

UDDI is a directory service where businesses can register and search for Web services.

- UDDI stands for Universal Description, Discovery and Integration
- UDDI is a directory for storing information about web services
- UDDI is a directory of web service interfaces described by WSDL
- UDDI communicates via SOAP
- UDDI is built into the Microsoft .NET platform


Memory management in PHP

Resource management is a crucial issue, especially in server software. One of the most valuable
resources is memory, and memory management should be handled with extreme care. Memory
management has been partially abstracted in Zend, and you should stick to this abstraction for
obvious reasons: Due to the abstraction, Zend gets full control over all memory allocations. Zend
is able to determine whether a block is in use, automatically freeing unused blocks and blocks
with lost references, and thus prevent memory leaks. The functions to be used are described in
the following table:

Function     Description
emalloc()    Serves as replacement for malloc().
efree()      Serves as replacement for free().
estrdup()    Serves as replacement for strdup().
estrndup()   Serves as replacement for strndup(). Faster than estrdup() and binary-safe. This is
             the recommended function to use if you know the string length prior to duplicating it.
ecalloc()    Serves as replacement for calloc().
erealloc()   Serves as replacement for realloc().

emalloc(), estrdup(), estrndup(), ecalloc(), and erealloc() allocate internal memory; efree()
frees these previously allocated blocks. Memory handled by the e*() functions is considered local
to the current process and is discarded as soon as the script executed by this process is
terminated.