  1. #1

    php injection & session hacking problem

    Hi All,

    I had done a program in early 2006 for a site in php-mysql. At the time of doing the code, the code written was not so standard and it contained uninitialized variables used for include file paths (even though values are assigned to it before using) and the "sess" folder was created within the website folder. Also the parameters for the SQL query were not escaped, but everything was working fine.

    And now I was informed that the insecure code in my program caused the server crash and I have to pay the penalty for the same. Can anyone let me know whether the below code / keeping the session variables within a folder inside the /www/ will make the sites hosted on the server where this program runs stop/crash for ever?

    ------------------------------------------------------------------
    function update_region($id,$regname,$regcom)
    {
        // Original (vulnerable) version as posted: $id, $regname and $regcom are
        // concatenated straight into the SQL text with no escaping or type check.
        $query = "UPDATE taxregion_mast SET taxregion_name = '". $regname."',
        region_comments = '". $regcom."' WHERE region_id =" .$id;
        mysql_query($query);

        ......
    -------------------------------------------------------------------

    I will appreciate any helping notes from you...

    Kind regards
    Smruthi

  2. #2
    Quote Originally Posted by smruthi (post #1 above)
    That code is more prone to an "SQL injection" than anything.

    Here's a much better version:

    PHP Code:
    function update_region($id,$regname,$regcom){
        // Escape the string values and force the id to an integer before
        // they are concatenated into the query text.
        $query = "UPDATE taxregion_mast SET taxregion_name = '" . mysql_real_escape_string($regname) . "',
        region_comments = '" . mysql_real_escape_string($regcom) . "' WHERE region_id =" . intval($id);
        mysql_query($query);
        .......
    mysql_real_escape_string() escapes quotes and other stuff, while intval() returns the number if the input is indeed a number, but 0 otherwise. Much safer. I'm sure it can be improved though.
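    An added example, not code from the thread or from either poster: the same update written with a mysqli prepared statement, so the values never become part of the SQL text and no per-value escaping is needed. It assumes an open mysqli connection passed in as $db and the taxregion_mast table from the original post.

```php
<?php
// Added example: parameterized version of update_region() using mysqli.
// Assumes $db is an open mysqli connection (not part of the original thread).

function update_region(mysqli $db, $id, $regname, $regcom): int
{
    // Validate the id up front instead of silently coercing it with intval():
    // a non-numeric or non-positive id is rejected rather than turned into 0.
    $validId = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($validId === false) {
        throw new InvalidArgumentException('region_id must be a positive integer');
    }

    // Placeholders instead of string concatenation: the query text is fixed,
    // and quotes or SQL keywords inside $regname/$regcom travel as data only.
    $sql = 'UPDATE taxregion_mast SET taxregion_name = ?, region_comments = ? '
         . 'WHERE region_id = ?';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }

    // "ssi" = two strings and one integer; the driver enforces the types.
    $stmt->bind_param('ssi', $regname, $regcom, $validId);
    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $err);
    }

    // MySQL counts only rows whose values actually changed, so 0 means either
    // no row matched the id or the stored values were already identical.
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Usage (connection parameters are placeholders, not values from the thread):
// $db = new mysqli('localhost', 'app_user', '<password>', 'app_db');
// $changed = update_region($db, $_POST['id'], $_POST['regname'], $_POST['regcom']);
```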

  3. #3
    Thank you for the quick reply....

    Kind Regards
    Smruthi

  4. #4
    The server shouldn't crash "for ever" just because of an SQL injection.

    It's normal that your server provider will try to blame you because his server crashed, but it's his fault.

    If he's doing shared hosting, then he didn't configure his server properly. There are many ways of isolating different websites on a shared hosting server such that if one is compromised (through PHP), the others are still alive. Just one example is the suPHP mod. There's also the open_basedir configuration option for each vhost. Please note that the two examples I gave only take care of PHP execution vectors.

    I personally don't think you should pay anything to your server manager because of his mistake of not making the system robust and secure enough.

    I can only suggest that you find someone more competent than him. Good luck!
