Five Questions (SQL Injection, XSS, Null Bytes)
- I read somewhere that you can still bypass PHP filtering functions such as htmlentities using special Unicode letters. Is this true, and if so which ones are used and how do I filter them out?
- Is the code below (PHP) sufficient for filtering out poison null bytes from a string?
function r($str)
{
return str_replace(chr(0), "", $str);
}
- Say you're performing an SQL injection:
http://site.com/index.php?page=-5+union+select+1,2,3,4,5,password--
What columns would the "select 1,2,3,4,5" retrieve from the database?
- I heard that addslashes can be bypassed. If so, how is that done and how can I protect against it?
- Is mysql_real_escape_string foolproof (meaning it cannot be bypassed)? Let's say you could bypass that function; would an extra check (look at the code below) then suffice?
<?php
$query = mysql_query("select * from users where username = '" . mysql_real_escape_string($_GET['username']) . "' and password = '" . mysql_real_escape_string($_GET['password']) . "' limit 1");
if (mysql_num_rows($query) == 1) // first check
{
$data = mysql_fetch_assoc($query);
if ($data['username'] == $_GET['username'] && $data['password'] == $_GET['password']) // second check
{
// perform authentication
}
}
?>
I don't have long so I'll just quickly answer 2 of your questions.
- Say you're performing an SQL injection:
http://site.com/index.php?page=-5+union+select+1,2,3,4,5,password--
What columns would the "select 1,2,3,4,5" retrieve from the database?
1,2,3,4 are the same as just doing null,null,null. It just makes it easier to see your column count. Nothing will be returned, only things returned are the fields you specify.
- I heard that addslashes can be bypassed. If so, how is that done and how can I protect against it?
Addslashes can be bypassed with certain characters, such as… I recall an upside down question mark could be used as a ' which would bypass the slashes.
hope that helps.
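To make the column-count point above concrete, here is an added example (not code from the thread) in Python with SQLite rather than PHP/MySQL. It assumes a constructed six-column `pages` table and a `users` table; the thread's payload omits the table reference, so `from users` is added for it to parse. The literals 1,2,3,4,5 come back verbatim as placeholders, and the same value bound as a parameter is never parsed as SQL.

```python
import sqlite3

def build_db():
    # Constructed sample schema (not from the thread): a six-column "pages"
    # table that index.php reads, and a "users" table holding the password.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE pages(id INTEGER, title TEXT, author TEXT, created TEXT,
                           views INTEGER, body TEXT);
        INSERT INTO pages VALUES (1, 'Home', 'admin', '2024-01-01', 10, 'Welcome');
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('alice', 'hunter2');
    """)
    return db

# The thread's ?page= value after URL decoding ('+' becomes a space). The
# thread omits the table reference; "from users" is added so it parses.
PAYLOAD = "-5 union select 1,2,3,4,5,password from users--"

def vulnerable_lookup(db, page):
    # String concatenation: the request value is parsed as SQL, so the UNION
    # appends a row whose first five columns are just the literals supplied.
    sql = "select id,title,author,created,views,body from pages where id=" + page
    return db.execute(sql).fetchall()

def safe_lookup(db, page):
    # Parameterised query: the same value is bound as data, never parsed.
    sql = "select id,title,author,created,views,body from pages where id=?"
    return db.execute(sql, (page,)).fetchall()

if __name__ == "__main__":
    db = build_db()
    print(vulnerable_lookup(db, PAYLOAD))  # [(1, 2, 3, 4, 5, 'hunter2')]
    print(safe_lookup(db, PAYLOAD))        # []
```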
I agree - security should be first priority. When I'm developing dynamic websites that interact with databases, I go way over the top with security checks and everything. I probably don't need that many and probably could do with less, but that would mean less security.
In my opinion you can never have too much security, unless of course the script is so heavy that it slows or crashes the server. But that doesn't seem to be a problem with me so far. Most of my scripts probably are resource-heavy, but it's worth it in the end because I have increased security.
Heh… if I ever lost those precious files I'm gonna kill myself :O
MoshBat wrote: I tend to add another few filters before mysql_real_escape_string(), as you never know if there is a bug/exploit/whatever that has yet to be published. And I use preg_replace() rather than str. I'm not quite sure why, just one of those things, I suppose. Null bytes do affect some newer versions of PHP, depending on the script, so I hear.
Finally, it's worth it, I think, to go way over the top security-wise. Time consuming, repetitive and quite often mind-numbing, but better than having to start afresh, should you leave something lying open.
Edit: Fucking useless keyboard.
You talk about optimising code, yet you use preg_replace() when regex is not needed, do you know how much resources this wastes?! Use str_replace if you're not using regular expressions, it saves time and memory.
MoshBat wrote: [quote]system_meltdown wrote: [quote]MoshBat wrote: I tend to add another few filters before mysql_real_escape_string(), as you never know if there is a bug/exploit/whatever that has yet to be published. And I use preg_replace() rather than str. I'm not quite sure why, just one of those things, I suppose. Null bytes do affect some newer versions of PHP, depending on the script, so I hear.
Finally, it's worth it, I think, to go way over the top security-wise. Time consuming, repetitive and quite often mind-numbing, but better than having to start afresh, should you leave something lying open.
Edit: Fucking useless keyboard.
You talk about optimising code, yet you use preg_replace() when regex is not needed, do you know how much resources this wastes?! Use str_replace if you're not using regular expressions, it saves time and memory.[/quote] You're assuming that I choose to use it over str_replace. I don't. I usually have many things that need replacing, and tend to do them all at once, which ends up being more efficient than str.[/quote]
I'm not assuming. You said it.
"And I use preg_replace() rather than str. I'm not quite sure why, just one of those things, I suppose."
winkleer wrote: [quote]but to be safe you could str_replace %00 in the string.
hmm. i think you would need to replace \0 or \\0.[/quote]
The IDS I built for Elites0ft checks for %00 in the $_GET variable, and works fine: http://www.elites0ft.com/?page=blah.php%00
system_meltdown wrote: [quote]winkleer wrote: [quote]but to be safe you could str_replace %00 in the string.
hmm. i think you would need to replace \0 or \\0.[/quote]
The IDS I built for Elites0ft checks for %00 in the $_GET variable, and works fine: http://www.elites0ft.com/?page=blah.php%00[/quote]
Smooth way to introduce elites0ft (damn spammer!) lol ;) j/k
system_meltdown wrote: [quote]winkleer wrote: [quote]but to be safe you could str_replace %00 in the string.
hmm. i think you would need to replace \0 or \\0.[/quote]
The IDS I built for Elites0ft checks for %00 in the $_GET variable, and works fine: http://www.elites0ft.com/?page=blah.php%00[/quote]
Interesting. My results say otherwise. Maybe it's just the config.
<?php
// ?page=test%00
echo strstr($_GET["page"], "%00") ? "strstr found %00\n" : NULL;
echo strstr($_GET["page"], "\0") ? "strstr found \\0\n" : NULL;
echo strstr($_GET["page"], "\\0") ? "strstr found \\\\0\n" : NULL; // returns true
echo str_replace("%00", "nullwashere", $_GET["page"]) == "testnullwashere" ? "str_replace found and replaced %00\n" : NULL;
echo str_replace("\0", "nullwashere", $_GET["page"]) == "testnullwashere" ? "str_replace found and replaced \\0\n" : NULL;
echo str_replace("\\0", "nullwashere", $_GET["page"]) == "testnullwashere" ? "str_replace found and replaced \\\\0\n" : NULL; // returns true
?>
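The disagreement above (whether to look for `%00`, `\0` or `\\0`) comes down to which layer has already touched the value. This added Python example, not from the thread, models the PHP behaviour: `unquote` stands in for the decoding that fills `$_GET`, and the `addslashes` helper reproduces what PHP's old magic_quotes_gpc did to request data (NUL becomes backslash-zero). The `magic_quotes` flag and sample value are assumptions.

```python
from urllib.parse import unquote

def addslashes(s):
    # Mimics PHP's addslashes(): quotes and backslashes are escaped and a
    # NUL byte becomes the two characters backslash + '0'. magic_quotes_gpc
    # applied this to every request value before the script saw it.
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)

def strip_nul(s):
    # Equivalent of the thread's r(): remove real NUL bytes only.
    return s.replace("\0", "")

def probe(raw_query_value, magic_quotes=False):
    # raw_query_value is the value as it appears in the URL, still
    # percent-encoded; $_GET holds the decoded form.
    page = unquote(raw_query_value)
    if magic_quotes:
        page = addslashes(page)
    return {
        "raw_has_%00": "%00" in raw_query_value,  # only true pre-decoding
        "has_%00": "%00" in page,
        "has_nul": "\0" in page,
        "has_backslash_0": "\\0" in page,
        "after_strip": strip_nul(page),
    }

if __name__ == "__main__":
    print(probe("test%00"))                     # real NUL present, stripped
    print(probe("test%00", magic_quotes=True))  # NUL already turned into \0
```

With magic quotes on, the NUL has already become a literal `\0` before the script runs, so `str_replace(chr(0), ...)` finds nothing to remove; the raw `%00` text only exists in the still-encoded query string.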
ranma wrote: [quote]winkleer wrote: [quote]but to be safe you could str_replace %00 in the string.
hmm. i think you would need to replace \0 or \\0.[/quote]
Er... Does it matter?[/quote]
Yes it does.