  1. #1
    Regular Coder

    stopping SQL injections - mod rewrites

    Hi, I just had a question about SQL injections on mod rewrites.

    If I have a url:

    http://www.sitenamehere.com/watch.php?movie_id=5'

    and I use

    PHP Code:
    if(isset($_GET['movie_id'])) {
        // keep only digits from the raw parameter
        $movie_id = preg_replace('#[^0-9]#i', '', $_GET['movie_id']);
        $sql = mysql_query("SELECT title, genres, description FROM movies WHERE movie_id='$movie_id' LIMIT 1");
    }
    1) would that completely stop sql injections of $movie_id?

    2)If I mod rewrite the url with:

    RewriteRule ^watch-([0-9]+)-([A-Za-z0-9\-]+)/?$ watch.php?movie_id=$1&title=$2 [NC,L]

    so that it turns into:

    http://www.sitenamehere.com/watch-$movie_id-$title

    ----------------------------
    However, now when I attempt to put "!" or "'" in the movie_id, it doesn't strip them...it just forwards to my 404 page. Does this mean that the mod rewrite is vulnerable to injections? Sorry if anything I said is "nooby". I'm still learning.

  • #2
    Regular Coder Microsuck
    I don't think so, but I could be wrong.

    Simpler to use mysql_real_escape_string (or mysqli equivalent if using mysqli), prepared statements, etc.

  • #3
    Super Moderator Inigoesdr
    Quote Originally Posted by MattClark:
        However, now when I attempt to put "!" or "'" in the movie_id, it doesn't strip them...it just forwards to my 404 page. Does this mean that the mod rewrite is vulnerable to injections? Sorry if anything I said is "nooby". I'm still learning.
    No, it means your rewrite didn't match the pattern. If you know you are getting a number just cast it to an integer, it's much quicker and you don't need to escape it to use it in SQL.
    PHP Code:
    $movie_id = isset($_GET['movie_id']) ? (int) $_GET['movie_id'] : 0;
    if(!empty($movie_id))
    {
        // query, etc.
    }
    else
    {
        // error, invalid id, etc.
    }


  • #4
    Regular Coder
    I don't follow 100%. You're saying that because the injected input in the URL doesn't match the mod_rewrite it gives the 404? And there is no way of stripping the symbol from the URL and forwarding to the page anyway?

    I want: http://www.sitenamehere.com/watch-101!''''''-$title

    to be able to forward to http://www.sitenamehere.com/watch-101-$title

  • #5
    God Emperor Fou-Lu
    Quote Originally Posted by MattClark:
        I don't follow 100%. You're saying that because the injected input in the URL doesn't match the mod_rewrite it gives the 404? And there is no way of stripping the symbol from the URL and forwarding to the page anyway?

        I want: http://www.sitenamehere.com/watch-101!''''''-$title

        to be able to forward to http://www.sitenamehere.com/watch-101-$title
    No, that's not a PHP issue. That's because you are not matching your RewriteRule anymore, so it cannot find a directory under that name. ! and ' are not included in a part of your pattern match. Since it doesn't match this rule, it tries other rules until it finds no match and continues to the directory /watch-101!'''''-$title/ which does not exist.

    The cast prevents a SQL injection by forcing it to a number (remove '' from the criteria in the query to treat it as a number). If it's an unparsable string, it will become 0, which typically has no match in a SQL query for an ID (assuming auto-increment). A string like 64cat will result in 64 though when cast to an integer.

  • #6
    Regular Coder
    So there is no way to strip the tags AND not make it consider the $movie_id as 0?

    Sorry if my questions are redundant. I'm not exactly following 100%

  • #7
    God Emperor Fou-Lu
    Quote Originally Posted by MattClark:
        So there is no way to strip the tags AND not make it consider the $movie_id as 0?

        Sorry if my questions are redundant. I'm not exactly following 100%
    Sure, but I don't really see a reason in doing it (this would treat it as a string always though). That would mean you do require the use of a pattern match or a ctype control. Is movie_id not an integer? The code you have to this point suggests that it should be.
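The points made in #5 (why the "!" path 404s before PHP runs, and how the integer cast behaves) and in #7 (a pattern match or ctype check if the id must be cleaned rather than cast) side by side, as an added example that is not code from the thread or any of its posters. It reuses the thread's RewriteRule pattern; the database part assumes a PDO connection named $pdo that the thread does not show.

```php
<?php
// Added example, not code from the thread: it shows why a path with "!" or
// "'" never reaches watch.php, how the (int) cast behaves, the strip-then-cast
// the original poster asked for, a strict ctype check, and a bound query.

// The RewriteRule pattern from the thread, as a PCRE for preg_match.
const REWRITE_PATTERN = '#^watch-([0-9]+)-([A-Za-z0-9\-]+)/?$#';

function rewriteMatches(string $path): ?array {
    // [movie_id, title] when mod_rewrite would rewrite the request to
    // watch.php, null when it falls through to the filesystem (the 404).
    return preg_match(REWRITE_PATTERN, $path, $m) ? [$m[1], $m[2]] : null;
}

function castId(string $raw): int {
    // (int) keeps leading digits and turns anything else into 0.
    return (int) $raw;
}

function stripAndCastId(string $raw): int {
    // Drop every non-digit first, so "!101" yields 101 rather than 0.
    return (int) preg_replace('/[^0-9]/', '', $raw);
}

function isStrictId(string $raw): bool {
    // ctype_digit accepts only an unsigned decimal string, so "64cat" fails.
    return $raw !== '' && ctype_digit($raw);
}

// Bind the validated id instead of interpolating it into the SQL.
// Assumes $pdo is an existing PDO connection to the movies database.
function fetchMovie(PDO $pdo, int $movieId): ?array {
    $stmt = $pdo->prepare(
        'SELECT title, genres, description FROM movies WHERE movie_id = ? LIMIT 1'
    );
    $stmt->execute([$movieId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

var_dump(rewriteMatches('watch-101-the-matrix'));
var_dump(rewriteMatches("watch-101!''-the-matrix"));
var_dump(castId('64cat'), castId('abc'));
var_dump(stripAndCastId('!101'), isStrictId('64cat'), isStrictId('101'));
```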

