MaruNote
  • Study Notes
    • Nmap + Nessus Cheat Sheet
    • SQL Injection Fundamentals
      • SQL Argument
      • Introduction
      • Subverting Query Logic
      • Using Comments
      • Union Clause
      • Union Injection
      • Database Enumeration
      • Reading Files
      • Writing Files
      • Mitigation
      • Skill Assessment
    • Stack-Based Buffer Overflows on Linux x86
      • Introduction
    • Stack-Based Buffer Overflows on Windows x86
      • Introduction
  • Tech Notes
    • Linux Cookbook
      • [Ubuntu] Limiting Lenovo Laptop Battery Charging to 80% in Ubuntu
      • [Debian] Firefox User Exprience
    • Windows Cookbook
    • MacOS Cookbook
    • NGFW
    • Rclone
    • Jellyfin
    • Docker
    • Wireguard
    • Powerlevel10k
  • Troubleshooting
    • [Python] error: Microsoft Visual C++ 14.0 or greater is required.
  • Code Draft
    • Python Network Reconnaissance
    • Java File Management
    • Synology Schedule Task
Powered by GitBook
On this page
  • Sanitizing user input with mysqli_real_escape_string()
  • Restrict with using regular expression & preg_match()
  • Minimum user privileges
  • Using parameterized queries
  1. Study Notes
  2. SQL Injection Fundamentals

Mitigation

Sanitizing user input with mysqli_real_escape_string()

# Vulnerable code
<SNIP>
  $username = $_POST['username'];
  $password = $_POST['password'];

  $query = "SELECT * FROM logins WHERE username='". $username. "' AND password = '" . $password . "';" ;
  echo "Executing query: " . $query . "<br /><br />";

  if (!mysqli_query($conn ,$query))
  {
          die('Error: ' . mysqli_error($conn));
  }

  $result = mysqli_query($conn, $query);
  $row = mysqli_fetch_array($result);
<SNIP>
# With mysqli_real_escape_string()
<SNIP>
$username = mysqli_real_escape_string($conn, $_POST['username']);
$password = mysqli_real_escape_string($conn, $_POST['password']);

$query = "SELECT * FROM logins WHERE username='". $username. "' AND password = '" . $password . "';" ;
echo "Executing query: " . $query . "<br /><br />";
<SNIP>

This function escapes characters such as ' and ", so they don't hold any special meaning.

pg_escape_string() for PostgreSQL

Restrict with using regular expression & preg_match()

# Vulnerable code
<?php
if (isset($_GET["port_code"])) {
	$q = "Select * from ports where port_code ilike '%" . $_GET["port_code"] . "%'";
	$result = pg_query($conn,$q);
    
	if (!$result)
	{
   		die("</table></div><p style='font-size: 15px;'>" . pg_last_error($conn). "</p>");
	}
<SNIP>
?>
<SNIP>
$pattern = "/^[A-Za-z\s]+$/";
$code = $_GET["port_code"];

if(!preg_match($pattern, $code)) {
  die("</table></div><p style='font-size: 15px;'>Invalid input! Please try again.</p>");
}

$q = "Select * from ports where port_code ilike '%" . $code . "%'";
<SNIP>

The code is modified to use the preg_match() function, which checks if the input matches the given pattern or not.

Minimum user privileges

Superusers and users with administrative privileges should never be used with web applications. These accounts have access to functions and features, which could lead to server compromise.

MariaDB [(none)]> CREATE USER 'reader'@'localhost';
Query OK, 0 rows affected (0.002 sec)

MariaDB [(none)]> GRANT SELECT ON ilfreight.ports TO 'reader'@'localhost' IDENTIFIED BY 'p@ssw0Rd!!';
Query OK, 0 rows affected (0.000 sec)

MariaDB [(none)]> use ilfreight;
MariaDB [ilfreight]> SHOW TABLES;
+---------------------+
| Tables_in_ilfreight |
+---------------------+
| ports               |
+---------------------+
1 row in set (0.000 sec)

MariaDB [ilfreight]> SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA;
+--------------------+
| SCHEMA_NAME        |
+--------------------+
| information_schema |
| ilfreight          |
+--------------------+
2 rows in set (0.000 sec)

MariaDB [ilfreight]> SELECT * FROM ilfreight.credentials;
ERROR 1142 (42000): SELECT command denied to user 'reader'@'localhost' for table 'credentials'

Using parameterized queries

<SNIP>
  $username = $_POST['username'];
  $password = $_POST['password'];

  $query = "SELECT * FROM logins WHERE username=? AND password = ?" ;
  $stmt = mysqli_prepare($conn, $query);
  mysqli_stmt_bind_param($stmt, 'ss', $username, $password);
  mysqli_stmt_execute($stmt);
  $result = mysqli_stmt_get_result($stmt);

  $row = mysqli_fetch_array($result);
  mysqli_stmt_close($stmt);
<SNIP>

The query is modified to contain two placeholders, marked with ? where the username and password will be placed. We then bind the username and password to the query using the mysqli_stmt_bind_param() function. This will safely escape any quotes and place the values in the query.

PreviousWriting FilesNextSkill Assessment

Last updated 1 year ago