Injections

ArmyNation_Net

How Do I Stop UNION Injections? They Are Really Pissing Me Off.

Sxooter

Do you mean someone is injecting a union into a query on your box? Or something else?

To stop injections, use the magic_quotes_gpc setting in php.ini to make all input automatically be escaped before it gets to your PHP script.

Otherwise, I'm not sure what you're asking.

ArmyNation_Net

Yes Thats What Im Asking.. But Wheres PHP.INI?

Sxooter

It's a file that the php interpreter reads on startup that tells it how to operate (i.e. in safe mode, etc...)

On unix boxen it's usually in /usr/local/lib/php.ini but you might have to copy the one from the source directory out there. I'm not sure where it goes on windows boxen, if that's what you're on.

ArmyNation_Net

I Think Im On Unix, But I Know Nothing About PHP.INI, Nor Can I Find It. Is There Something I Can Put In My Scripts For It?

Im Sorry If I Sound Like a Newb. But I Just Found Out About This Stupid Garbage.

Sxooter

Nothing to apologize for. Do you have root access to your box or is someone else adminning it for you? If you have root access, and it' a linux or bsd box, try

locate php.ini

to see where it is, if it's there

If all you find is:
./usr/local/src/php-5.0.3/php.ini-dist

then copy that file to /usr/local/lib/php.ini. IF it's an RPM install, I'm not sure where it goes, but it should already be somewhere, probably in /etc or something like it.

cheese

OK, can I sound more stupid then......

What is a UNION injection ?????

How worried should we be ?????

Cheers,

Neil.

planetsim

Databases arent my thing Sxooter Im sure will give a better explaination.

UNION basically allows you to join a query within a query. One can do this in an Injection (SQL Injection)

e.g.

index.php?id=51' OR 1=1

Thats an extremely basic example, it doesnt use UNION. An even more basic attack would be to have just a single quote and hope for a Database Error message which will give a little insight on Database (e.g MySQL), a small glimpse of what the table looks like. If that happens a user could than do anything from List Tables in the Database, Delete Tables.

Also if you can turn magic_quote_gpc On try just using addslashes(); instead. Of course you should detect if magic_quote_gpc is On before doing so.

stew

hey there guys...

im also trying to protect against SQL injections so far ive come up with:

$expr = array ("/--/","/1\=1/","/$' or/","/$' Or/","/$' oR/","/$' OR/");
      if(pre_match($expr,$sql_statement))
        die;

to prevent dangerous sql statements being executed... I know that the this doesn't protect against union injections, but the it would be easy enough to alter.

Question: is there any other types of sql injection attacks that i should be aware of?

maxpup979

they can take on a ton of different forms. I have always found that trying to filter out the assorted types of SQL injections is a losing battle. As sxooter said, turn on magic quotes. You can also help mitigate things by using stored procs (keeps permissions sane), validating your data properly, and also using magic quotes. these things should take care of most if not all of them.

Sxooter

There are two competing philosophies here.

On assumes that it's possible to come up with all the scenarios and test for them. This method will not work in the long run. The second way to look at this is that there are certain basic mechanisms that allow injection, and you need to disable them. Magic_Quote_GPC takes away the method by which all injection attacks work. So, when someone thinks up a new method, you're already protected.

csn

stew wrote:
hey there guys...

im also trying to protect against SQL injections so far ive come up with:
$expr = array ("/--/","/1\=1/","/$' or/","/$' Or/","/$' oR/","/$' OR/");
      if(pre_match($expr,$sql_statement))
        die;
to prevent dangerous sql statements being executed... I know that the this doesn't protect against union injections, but the it would be easy enough to alter.

Question: is there any other types of sql injection attacks that i should be aware of?

Don't reinvent the wheel - use pg|mysql_escape_string(). Or if you're expecting numbers, make sure to cast them before sending them to the database.

ArmyNation_Net

I found the solution to this awhile back...

do this:

$symbols = array("*", "=", "/", "\\", "-", "+", "'", "\"");

$_POST = str_replace($symbols, "", $_POST);
$_GET = str_replace($symbols, "", $_GET);
$_COOKIE = str_replace($symbols, "", $_COOKIE);
$_SESSION = str_replace($symbols, "", $_SESSION);

I use this on my header file. Works like a charm. It stops all - numbers, cross-multipliers & = signs (injections require these)