...

View Full Version : stopping SQL injections - mod rewrites



MattClark
11-17-2011, 10:33 PM
Hi, I just had a question about SQL injections on mod rewrites.

If I have a url:

http://www.sitenamehere.com/watch.php?movie_id=5'

and I use



if(isset($_GET['movie_id'])) {
    // strip every character that is not a digit (the 'i' flag has no effect on a digit class)
    $movie_id = preg_replace('#[^0-9]#i', '', $_GET['movie_id']);
    // note: the mysql_* extension this uses was removed in PHP 7
    $sql = mysql_query("SELECT title, genres, description FROM movies WHERE movie_id='$movie_id' LIMIT 1");
}


1) would that completely stop sql injections of $movie_id?

2)If I mod rewrite the url with:

RewriteRule ^watch-([0-9]+)-([A-Za-z0-9\-]+)/?$ watch.php?movie_id=$1&title=$2 [NC,L]

so that it turns into:

http://www.sitenamehere.com/watch-$movie_id-$title

----------------------------
However, now when I attempt to put "!" or "'" in the movie_id, it doesn't strip them... it just forwards to my 404 page. Does this mean that the mod rewrite is vulnerable to injections? Sorry if anything I said is "nooby". I'm still learning.

Microsuck
11-17-2011, 11:10 PM
I don't think so, but I could be wrong.

Simpler to use mysql_real_escape_string (or mysqli equivalent if using mysqli), prepared statements, etc.

Inigoesdr
11-18-2011, 03:27 AM
However, now when I attempt to put "!" or "'" in the movie_id, it doesn't strip them... it just forwards to my 404 page. Does this mean that the mod rewrite is vulnerable to injections? Sorry if anything I said is "nooby". I'm still learning.

No, it means your rewrite didn't match the pattern. If you know you are getting a number, just cast it to an integer; it's much quicker and you don't need to escape it to use it in SQL.


// cast to int: non-numeric input becomes 0, which is then rejected below
$movie_id = isset($_GET['movie_id']) ? (int) $_GET['movie_id'] : 0;
if(!empty($movie_id))
{
    // query, etc.
}
else
{
    // error, invalid id, etc.
}

MattClark
11-18-2011, 05:12 AM
I don't follow 100%. You're saying that because the injected input in the URL doesn't match the mod_rewrite rule, it gives the 404? And there is no way of stripping the symbol from the URL and forwarding to the page anyway?

I want: http://www.sitenamehere.com/watch-101!''''''-$title

to be able to forward to http://www.sitenamehere.com/watch-101-$title

Fou-Lu
11-18-2011, 06:29 AM
I don't follow 100%. You're saying that because the injected input in the URL doesn't match the mod_rewrite rule, it gives the 404? And there is no way of stripping the symbol from the URL and forwarding to the page anyway?

I want: http://www.sitenamehere.com/watch-101!''''''-$title

to be able to forward to http://www.sitenamehere.com/watch-101-$title

No, that's not a PHP issue. That's because you are not matching your RewriteRule anymore, so it cannot find a directory under that name. ! and ' are not included in your pattern match. Since it doesn't match this rule, it tries other rules until it finds no match and continues to the directory /watch-101!'''''-$title/, which does not exist.

The cast prevents a SQL injection by forcing it to a number (remove '' from the criteria in the query to treat it as a number). If it's an unparsable string, it will become 0, which typically has no match in a SQL query for an ID (assuming auto-increment). A string like 64cat will result in 64 though when cast to an integer.

MattClark
11-18-2011, 08:22 PM
So there is no way to strip the tags AND not make it consider the $movie_id as 0?

Sorry if my questions are redundant. I'm not exactly following 100%

Fou-Lu
11-18-2011, 08:29 PM
So there is no way to strip the tags AND not make it consider the $movie_id as 0?

Sorry if my questions are redundant. I'm not exactly following 100%

Sure, but I don't really see a reason for doing it (this would treat it as a string always, though). That would mean you do require the use of a pattern match or a ctype control. Is movie_id not an integer? The code you have to this point suggests that it should be.
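The following is an added example, not code from anyone in the thread. It puts the three validation approaches discussed above side by side (the original preg_replace strip, Inigoesdr's (int) cast, and the ctype check Fou-Lu mentions) on constructed inputs including the "64cat" case, emulates the RewriteRule match with preg_match to show why "watch-101!''''''-title" falls through to a 404, and finishes with a parameterised query. It assumes PHP 7+ with PDO and the pdo_sqlite extension, using an in-memory SQLite database only so it runs stand-alone; the thread is about MySQL, where the same PDO or mysqli prepared-statement pattern applies.

```php
<?php
// Added example (not from the thread). Assumes PHP 7+ with pdo_sqlite.
declare(strict_types=1);

// 1. The original poster's approach: strip every non-digit.
//    "5'" -> "5", "64cat" -> "64", "abc" -> "" (an empty string, not 0).
function stripNonDigits(string $raw): string
{
    return preg_replace('#[^0-9]#', '', $raw);
}

// 2. Cast to int (Inigoesdr / Fou-Lu): "64cat" -> 64, "abc" -> 0, "-3" -> -3.
function castToInt(string $raw): int
{
    return (int) $raw;
}

// 3. "ctype control": accept only an all-digit string, otherwise reject outright.
function ctypeCheck(string $raw): ?int
{
    return ctype_digit($raw) ? (int) $raw : null;
}

// Emulates the Apache rule  ^watch-([0-9]+)-([A-Za-z0-9\-]+)/?$  [NC]
// A path that does not match never reaches watch.php at all.
function matchRewrite(string $path): ?array
{
    if (preg_match('#^watch-([0-9]+)-([A-Za-z0-9\-]+)/?$#i', $path, $m)) {
        return ['movie_id' => $m[1], 'title' => $m[2]];
    }
    return null;
}

// Constructed sample inputs for the three validators.
$samples = ['5', "5'", "101!''''''", '64cat', 'abc', '-3', '0'];
printf("%-12s %-8s %-6s %s\n", 'input', 'strip', 'cast', 'ctype');
foreach ($samples as $s) {
    printf("%-12s %-8s %-6d %s\n",
        $s, stripNonDigits($s), castToInt($s), var_export(ctypeCheck($s), true));
}

// Constructed request paths: only the clean one matches the rewrite rule.
foreach (['watch-101-some-title', "watch-101!''''''-some-title", 'watch-101-'] as $p) {
    $r = matchRewrite($p);
    echo $p, ' => ', $r ? "movie_id={$r['movie_id']}" : '404 (no rule matched)', "\n";
}

// Parameterised query: the id is bound, never interpolated into the SQL string.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE movies (movie_id INTEGER PRIMARY KEY, title TEXT, genres TEXT, description TEXT)');
$pdo->exec("INSERT INTO movies VALUES (5, 'Example', 'drama', 'constructed row')");

$stmt = $pdo->prepare('SELECT title, genres, description FROM movies WHERE movie_id = :id LIMIT 1');
foreach (['5', "5' OR '1'='1"] as $raw) {
    $id = ctypeCheck($raw);
    if ($id === null) {
        echo "rejected before the query: $raw\n";   // the injection attempt stops here
        continue;
    }
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    echo "id $id => ", $row ? $row['title'] : 'no row', "\n";
}
```

Two things worth noticing in the output: the strip approach silently turns "64cat" into 64 and "abc" into an empty string, while the cast turns "-3" into -3 and "abc" into 0, so neither tells you the input was bad; the ctype check rejects anything that is not purely digits and is the only one that lets you return an error instead of a wrong record. Whichever validator you pick, binding the value in a prepared statement means the query text itself never depends on user input.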


