osCommerce

SQL Injection Vulnerability in MySQL Database


Guest

Posted
McAfee told me I have this on my site. Here is the fix. I'm not sure how to do it, though. I need PHP help. This is caused by a news mod I installed. Here are the two code fragments that need to be checked.

if (isset($HTTP_GET_VARS['article'])) {
  $id = (int)tep_db_prepare_input($HTTP_GET_VARS['article']);
  // The (int) casts mean only a number can ever reach this query.
  $news_query = tep_db_query("select n.date_created, nd.name, nd.content from " . TABLE_NEWS . " n, " . TABLE_NEWS_DESC . " nd where nd.news_id = '" . (int)$id . "' and n.id = '" . (int)$id . "' and nd.language_id = '" . (int)$languages_id . "'");

&

if (isset($HTTP_GET_VARS['date'])) {
  // tep_db_prepare_input() does not escape quotes; $month_date is used in a query later in the file (not shown).
  $month_date = tep_db_prepare_input($HTTP_GET_VARS['date']);

 

McAfee suggested these solutions. The problem is I do not know how to implement either.

There are two ways of resolving this issue:

1. Validating input - THE SINGLE BEST WAY TO FIX THIS VULNERABILITY IS TO IDENTIFY THE ACCEPTABLE INPUT FOR EACH FORM PARAMETER AND REJECT INPUT THAT DOES NOT MEET THAT CRITERIA. By doing this, you are creating a whitelist of acceptable input that the web application can use. This is very similar to the way firewalls work, in that if the input doesn't follow one of the rules it is ultimately dropped.

2. Sanitizing input - Implement content parsing on data input fields including URL parameters.

Remove the following characters from any user or dynamic database input:

# ' (single quote; escape it)
# " (double quote)
# ) (close parenthesis)
# ( (open parenthesis)
# ; (semi-colon)
# - (dash)
# | (pipe)

Posted

The function tep_db_prepare_input() internally calls another function called tep_sanitize_string() which already filters some of the mentioned characters.

Posted

Correct, but on this news.php page a user can insert text into the URL parameter and it will cause the site to try to query something.

Posted

Sam

Posted

Thanks Sam! I installed it and McAfee is testing now!

Posted

Under:

$month_date = tep_db_prepare_input($HTTP_GET_VARS['date']);

You need to put:

tep_sanitize_string($month_date);

Posted
Actually sorry, that's not going to work. Change:

$month_date = tep_db_prepare_input($HTTP_GET_VARS['date']);

to this:

$month_date = tep_db_prepare_input(mysql_real_escape_string($HTTP_GET_VARS['date']));

Posted

$month_date = tep_db_prepare_input(mysql_real_escape_string($HTTP_GET_VARS['date']));

is the wrong order. You want to prepare the input before you escape it (part of preparing a string is removing the escaping). Also, tep_db_input calls mysql_real_escape_string, so it would be

$month_date = tep_db_input(tep_db_prepare_input($HTTP_GET_VARS['date']));

Note that you normally do the tep_db_input right before calling the database, so you would just do

$month_date = tep_db_prepare_input($HTTP_GET_VARS['date']);

and some time later write tep_db_input($month_date) where you would otherwise just write $month_date. Note that if you use tep_db_perform, it calls tep_db_input (and therefore mysql_real_escape_string) for you.

In general, you want to do the string escaping right before sending the information to the database. Otherwise, you might later add code that modifies the string after the escaping, breaking the escaping and leaving the string vulnerable again.

Always back up before making changes.
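The two pieces of advice in this thread, McAfee's option 1 (whitelist the acceptable shape of each parameter) and the last reply's point that escaping belongs at the spot where the SQL is assembled, put together in one script. This is an added example; it is not code from the thread, from the news mod, or from osCommerce. It assumes the mod is requested as news.php?date=YYYY-MM and filters with a LIKE on news.date_created; both are guesses, so check the real news.php. The tep_*_demo() functions are simplified stand-ins for tep_db_prepare_input() and tep_db_input() so the script runs without an osCommerce install or a MySQL connection (the real tep_db_input() needs a live connection for mysql_real_escape_string(), so use it, not the stand-in, in the shop).

```php
<?php
// Added example, not code from the thread, the news mod or osCommerce.
// Assumptions: the mod is called as news.php?date=YYYY-MM and filters with
// "where n.date_created like 'YYYY-MM%'". Adjust the pattern and the query to
// whatever the real news.php does.

// Stand-in for tep_db_prepare_input(): trim, undo magic-quotes slashes, then
// what tep_sanitize_string() does (collapse runs of spaces, turn < and > into _).
// Note that it leaves single quotes untouched, which is the whole problem.
function tep_db_prepare_input_demo($string) {
    $string = stripslashes(trim($string));
    $string = preg_replace('/ +/', ' ', $string);
    return preg_replace('/[<>]/', '_', $string);
}

// Stand-in for tep_db_input(), which calls mysql_real_escape_string().
// Hand-escapes the same characters for a single-byte charset so no database
// handle is needed; production code must call the real function.
function tep_db_input_demo($string) {
    return str_replace(
        array("\\",   "\0",  "\n",  "\r",  "'",   "\"",   "\x1a"),
        array("\\\\", "\\0", "\\n", "\\r", "\\'", "\\\"", "\\Z"),
        $string
    );
}

// As the mod ships it: the value is prepared but pasted into the SQL unescaped.
function build_news_query_vulnerable($raw_date) {
    $month_date = tep_db_prepare_input_demo($raw_date);
    return "select n.id, n.date_created from news n"
         . " where n.date_created like '" . $month_date . "%'";
}

// McAfee option 1: accept only the one shape the parameter can legitimately
// have, here YYYY-MM, and refuse everything else. This is the (int) cast from
// the 'article' fragment, applied to a string parameter.
function validate_month($string) {
    if (!preg_match('/^\d{4}-(0[1-9]|1[0-2])$/', $string)) {
        return false;
    }
    return $string;
}

// Hardened: whitelist first, then escape at the point the SQL is assembled,
// not earlier, so no later code can modify the string after it was escaped.
function build_news_query_hardened($raw_date) {
    $month_date = validate_month(tep_db_prepare_input_demo($raw_date));
    if ($month_date === false) {
        return null; // caller should 404 or fall back to the current month
    }
    return "select n.id, n.date_created from news n"
         . " where n.date_created like '" . tep_db_input_demo($month_date) . "%'";
}

// Constructed inputs standing in for $HTTP_GET_VARS['date']: one normal
// request and one that closes the quote and appends its own condition.
$inputs = array(
    '2009-03',
    "2009-03%' or '1'='1",
);

foreach ($inputs as $raw) {
    echo "input:      " . $raw . "\n";
    echo "vulnerable: " . build_news_query_vulnerable($raw) . "\n";
    $query = build_news_query_hardened($raw);
    echo "hardened:   " . ($query === null ? "rejected, not YYYY-MM" : $query) . "\n\n";
}
```

Run it with php on the command line. The first input yields the same SQL on both paths; the second turns the vulnerable path's WHERE clause into like '2009-03%' or '1'='1%', which matches every row, while the hardened path rejects it before any SQL is built. With a strict whitelist the escape is belt and braces, but keep it: it is what still protects you when someone later loosens the pattern to accept free text.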

Archived

This topic is now archived and is closed to further replies.
