This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Backend Security Project PHP Preventing SQL Injection"
(New page: = SQL Injection Examples = == Login Form == == Online Catalog == == Message Board == = PHP Application Security strategies = == Hiding DBMS connection strings == == Prepared Stateme...) |
(→Examples) |
||
(16 intermediate revisions by one other user not shown) | |||
Line 1: | Line 1: | ||
− | = | + | = Examples = |
+ | To better understand how to secure code a PHP application some examples of | ||
+ | vulnerable code is provided in this paragraph. | ||
== Login Form == | == Login Form == | ||
+ | On this example we're going to see a tipical Login Form. On our example WEB SITE user need to supply a username/password pair in order to be authenticated. | ||
+ | |||
+ | |||
+ | Here follows the authentcation form: | ||
+ | |||
+ | [[Image:Owasp_bsp_php_1.jpg]] | ||
+ | |||
+ | Such a login page well call ''login.php'' with supplied user credentials. | ||
+ | |||
+ | <nowiki> | ||
+ | <?php | ||
+ | include('./db.inc'); | ||
+ | |||
+ | function sAuthenticateUser($username, $password){ | ||
+ | $authenticatedUserName=""; | ||
+ | if ($link = iMysqlConnect()) { | ||
+ | |||
+ | $query = "SELECT username FROM users"; | ||
+ | $query .= " WHERE username = '".$username."'"; | ||
+ | $query .= " AND password = md5('".$password."')"; | ||
+ | $result = mysql_query($query); | ||
+ | |||
+ | if ($result) { | ||
+ | if ($row = mysql_fetch_row($result)) { | ||
+ | $authenticatedUserName = $row[0]; | ||
+ | } | ||
+ | } | ||
+ | } | ||
+ | |||
+ | return $authenticatedUserName; | ||
+ | |||
+ | } | ||
+ | |||
+ | if ($sUserName = sAuthenticateUser($_POST["username"], | ||
+ | $_POST["password"])) { | ||
+ | echo "Wellcome ".$sUserName; | ||
+ | } else { | ||
+ | die('Unauthorized Access'); | ||
+ | } | ||
+ | |||
+ | ?> | ||
+ | </nowiki> | ||
+ | |||
+ | '''db.inc:''' | ||
+ | <nowiki> | ||
+ | |||
+ | <?php | ||
+ | |||
+ | define('DB_HOST', "localhost"); | ||
+ | define('DB_USERNAME', "user"); | ||
+ | define('DB_PASSWORD', "password"); | ||
+ | define('DB_DATABASE', "owasp"); | ||
+ | |||
+ | |||
+ | function iMysqlConnect(){ | ||
+ | $link = mysql_connect(DB_HOST, | ||
+ | DB_USERNAME, | ||
+ | DB_PASSWORD); | ||
+ | |||
+ | if ($link && mysql_select_db(DB_DATABASE)) | ||
+ | return $link; | ||
+ | return FALSE; | ||
+ | } | ||
+ | |||
+ | ?></nowiki> | ||
== Online Catalog == | == Online Catalog == | ||
− | + | Let take another example: an Online Book Store: | |
+ | [[Image:Owasp_bsp_php_3.jpg]] | ||
− | = | + | |
+ | |||
+ | |||
+ | '''catalog.php:''' | ||
+ | |||
+ | <nowiki> | ||
+ | function aGetBookEntry($id) { | ||
+ | $aBookEntry = NULL; | ||
+ | $link = iMysqlConnect(); | ||
+ | |||
+ | $query = "SELECT * FROM books WHERE id = $id"; | ||
+ | $result = mysql_query($query); | ||
+ | |||
+ | if ($result) { | ||
+ | if ($row = mysql_fetch_array($result)) { | ||
+ | $aBookEntry = $row; | ||
+ | } | ||
+ | } | ||
+ | |||
+ | return $aBookEntry; | ||
+ | |||
+ | } | ||
+ | |||
+ | |||
+ | $id = $_GET['id']; | ||
+ | $aBookEntry = aGetBookEntry($id); | ||
+ | |||
+ | showBook($aBookEntry); | ||
+ | </nowiki> | ||
+ | |||
+ | Basicaly it retrieves ''id'' parameter on GET query string and perform the following SQL query: | ||
+ | * ''SELECT * FROM book WHERE id = $_GET['id']'' | ||
+ | |||
+ | As in ''Login Form'' no input validation is performed and SQL Query can be manipulated to returns | ||
+ | arbitrary data and DBMS stored relations/records/functions as well. | ||
+ | |||
+ | = Application Security strategies = | ||
== Hiding DBMS connection strings == | == Hiding DBMS connection strings == | ||
+ | |||
+ | == Single Quotes Escape == | ||
== Prepared Statement == | == Prepared Statement == | ||
Line 17: | Line 123: | ||
== Security in Depth == | == Security in Depth == | ||
+ | |||
+ | = Examples Revisited = | ||
+ | |||
+ | == Login Form == | ||
+ | |||
+ | == Online Catalog == | ||
= Defeating Automated Tools = | = Defeating Automated Tools = | ||
+ | |||
+ | = References = | ||
+ | |||
+ | = Tools = |
Latest revision as of 08:41, 19 May 2008
Examples
To better understand how to secure code a PHP application some examples of vulnerable code is provided in this paragraph.
Login Form
On this example we're going to see a tipical Login Form. On our example WEB SITE user need to supply a username/password pair in order to be authenticated.
Here follows the authentcation form:
Such a login page well call login.php with supplied user credentials.
<?php include('./db.inc'); function sAuthenticateUser($username, $password){ $authenticatedUserName=""; if ($link = iMysqlConnect()) { $query = "SELECT username FROM users"; $query .= " WHERE username = '".$username."'"; $query .= " AND password = md5('".$password."')"; $result = mysql_query($query); if ($result) { if ($row = mysql_fetch_row($result)) { $authenticatedUserName = $row[0]; } } } return $authenticatedUserName; } if ($sUserName = sAuthenticateUser($_POST["username"], $_POST["password"])) { echo "Wellcome ".$sUserName; } else { die('Unauthorized Access'); } ?>
db.inc:
<?php define('DB_HOST', "localhost"); define('DB_USERNAME', "user"); define('DB_PASSWORD', "password"); define('DB_DATABASE', "owasp"); function iMysqlConnect(){ $link = mysql_connect(DB_HOST, DB_USERNAME, DB_PASSWORD); if ($link && mysql_select_db(DB_DATABASE)) return $link; return FALSE; } ?>
Online Catalog
Let take another example: an Online Book Store:
catalog.php:
function aGetBookEntry($id) { $aBookEntry = NULL; $link = iMysqlConnect(); $query = "SELECT * FROM books WHERE id = $id"; $result = mysql_query($query); if ($result) { if ($row = mysql_fetch_array($result)) { $aBookEntry = $row; } } return $aBookEntry; } $id = $_GET['id']; $aBookEntry = aGetBookEntry($id); showBook($aBookEntry);
Basicaly it retrieves id parameter on GET query string and perform the following SQL query:
- SELECT * FROM book WHERE id = $_GET['id']
As in Login Form no input validation is performed and SQL Query can be manipulated to returns arbitrary data and DBMS stored relations/records/functions as well.