Hi, I'm new to using Nessus for testing my PHP+MySQL (on Apache web
server, MontaVista Linux platform) web pages.
It detects the following security hole in my page:

blabla.php?-=&site=TIM34A&sm= or 1=1-

blabla.php?-=&site=TIM34A&sm='+OR+'a'<'b

blabla.php?-=&site=TIM34A&sm=')+OR+('a'<'b

blabla.php?-=&site=TIM34A&sm=')+OR+('a'<'b')/*

blabla.php?-=&site=TIM34A&sm=#

My source code looked like:

$cat = "";
$sm  = "";   // initialised so strlen($sm) below is defined on every path

if (isset($_REQUEST['cat']))
    $cat = $_REQUEST['cat'];
else
    if (isset($_REQUEST['sm']))
        $sm = $_REQUEST['sm'];
    else
        $cat = "all";

$site = $_REQUEST['site'];

@ $bd = mysql_pconnect("localhost", "root", "");
if (!$bd)
    die("Connection impossible");
mysql_select_db("database");

if (strlen($sm) != 0)
{
    // the raw request value is concatenated straight into the SQL text
    $sql = "SELECT * FROM database_table WHERE obj_val LIKE '" . strtoupper($sm) . "' AND status=0 ORDER BY instance ASC";
}
else
    switch ($cat)
    {
        case 'im': case 'id': case 'si':
            $sql = "SELECT * FROM database_table WHERE cat LIKE '" . strtoupper($cat) . "' AND status=0 ORDER BY instance ASC";
            break;
        case 'all':
            $sql = "SELECT * FROM database_table ORDER BY instance ASC";
            break;
        case 'nack':
            $sql = "SELECT * FROM database_table WHERE status LIKE 0 ORDER BY instance ASC";
            break;
        case 'ack':
            $sql = "SELECT * FROM database_table WHERE status LIKE 1 ORDER BY instance ASC";
            break;
        default:
            break;
    }
$res = mysql_query($sql);
$all = mysql_num_rows($res);
mysql_close($bd);


After Nessus found the security hole, I modified my source code but it
still gives me the same security hole. Now the code looks like:

$cat = "";
$sm  = "";   // initialised so strlen($sm) below is defined on every path

if (isset($_REQUEST['cat']))
    $cat = $_REQUEST['cat'];
else
    if (isset($_REQUEST['sm']))
        $sm = $_REQUEST['sm'];
    else
        $cat = "all";

$site = $_REQUEST['site'];

@ $bd = mysql_pconnect("localhost", "root", "");
if (!$bd)
    die("Connection impossible");
mysql_select_db("database");

if (strlen($sm) != 0)
{
    $sm = strtoupper($sm);
    // protection against SQL injection
    // (this branch only re-reads the value when it arrived by POST)
    if (isset($_POST['sm']))
    {
        if (get_magic_quotes_gpc()) {
            $sm = stripslashes($_POST['sm']);
        } else {
            $sm = $_POST['sm'];
        }
    }
    $sql = sprintf("SELECT * FROM database_table WHERE obj_val LIKE '%s' AND status=0 ORDER BY instance ASC ",
                   mysql_real_escape_string($sm));
}
else
    switch ($cat)
    {
        case 'im': case 'id': case 'si':
            $cat = strtoupper($cat);
            if (get_magic_quotes_gpc()) {
                $cat = stripslashes($cat);
            }
            $sql = "SELECT * FROM database_table WHERE cat LIKE '" . mysql_real_escape_string($cat) . "' AND status=0 ORDER BY instance ASC";
            break;
        case 'all':
            $sql = "SELECT * FROM database_table ORDER BY instance ASC";
            break;
        case 'nack':
            $sql = "SELECT * FROM database_table WHERE status LIKE 0 ORDER BY instance ASC";
            break;
        case 'ack':
            $sql = "SELECT * FROM database_table WHERE status LIKE 1 ORDER BY instance ASC";
            break;
        default:
            break;
    }
$res = mysql_query($sql);
$all = mysql_num_rows($res);
mysql_close($bd);

What must I do now to get out of this "hole"?

Thanks,
Simona
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus

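The following is an added example, not Simona's code or anything from the Nessus list: it rebuilds the same page logic on mysqli prepared statements (PHP 7.1 or later; the mysql_* functions used in the post were removed in PHP 7.0), so the request value is bound as data and never becomes part of the SQL text. It also reproduces the original string concatenation purely to show what the scanner's ' OR 'a'<'b payload does to it. Table and column names come from the post; the database user "webapp" and its password are assumptions, standing in for root with an empty password.

```php
<?php
// Added example (not from the original post). Assumes PHP >= 7.1 with
// mysqli + mysqlnd, and a least-privilege DB account "webapp" (assumed).

// The post's original query construction, reproduced only to show the
// effect of the scanner payload. Do not use: the input is SQL text here.
function vulnerableSql(string $sm): string
{
    return "SELECT * FROM database_table WHERE obj_val LIKE '"
        . strtoupper($sm) . "' AND status=0 ORDER BY instance ASC";
}

// Safe construction: a fixed SQL string plus bound parameters. The SQL
// text depends only on which whitelisted branch is taken, never on the
// bytes the client sent.
function buildQuery(array $req): ?array
{
    // Object-value search takes precedence, as in the original.
    // is_string() rejects sm[]=... which $_REQUEST would deliver as an array.
    if (isset($req['sm']) && is_string($req['sm']) && $req['sm'] !== '') {
        // LIKE without wildcards is equality; '=' says so explicitly and
        // stops a client-supplied '%' or '_' from matching other rows. If
        // pattern matching is really wanted, bind the pattern and escape
        // '%' and '_' in the user-supplied part first.
        return [
            'sql'    => 'SELECT * FROM database_table WHERE obj_val = ? AND status = 0 ORDER BY instance ASC',
            'params' => [strtoupper($req['sm'])],
        ];
    }

    $cat = (isset($req['cat']) && is_string($req['cat'])) ? $req['cat'] : 'all';

    // Whitelist: only these exact values select a query.
    switch ($cat) {
        case 'im':
        case 'id':
        case 'si':
            return [
                'sql'    => 'SELECT * FROM database_table WHERE cat = ? AND status = 0 ORDER BY instance ASC',
                'params' => [strtoupper($cat)],
            ];
        case 'all':
            return ['sql' => 'SELECT * FROM database_table ORDER BY instance ASC', 'params' => []];
        case 'nack':
            return ['sql' => 'SELECT * FROM database_table WHERE status = 0 ORDER BY instance ASC', 'params' => []];
        case 'ack':
            return ['sql' => 'SELECT * FROM database_table WHERE status = 1 ORDER BY instance ASC', 'params' => []];
        default:
            return null;   // unknown category: run nothing rather than something
    }
}

// Prepare, bind, execute; returns the row count like the original's $all.
function countRows(mysqli $db, array $query): int
{
    $stmt = $db->prepare($query['sql']);
    if ($query['params'] !== []) {
        $params = $query['params'];            // all bound values are strings
        $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    }
    $stmt->execute();
    $result = $stmt->get_result();             // needs mysqlnd
    $all = $result->num_rows;
    $stmt->close();
    return $all;
}

if (PHP_SAPI === 'cli') {
    // Offline demonstration with one of the scanner's payloads (no DB needed).
    $payload = "' OR 'a'<'b";
    // In the original, the quote closes the literal and 'A'<'B' becomes a
    // live condition; strtoupper() does not help, the comparison stays true.
    echo "vulnerable: ", vulnerableSql($payload), "\n";
    // With binding the SQL text is identical for any input; the payload is
    // just a value compared against obj_val.
    $q = buildQuery(['sm' => $payload]);
    echo "prepared:   ", $q['sql'], "\n";
    echo "parameter:  ", $q['params'][0], "\n";
    exit;
}

// Normal web request.
$query = buildQuery($_REQUEST);
if ($query === null) {
    http_response_code(400);
    exit('Unknown category');
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // fail loudly, no '@'
$db = new mysqli('localhost', 'webapp', 'change-me', 'database');   // assumed account
$db->set_charset('utf8mb4');   // charset set on the connection, so escaping and binding agree

$all = countRows($db, $query);
$db->close();
```

Run it from the command line to see the two query forms side by side; served by Apache it executes the bound query against the database. The point of the switch is not the escaping of $cat but that the SQL for each category is a constant chosen by comparison with a fixed list, so no escaping is needed there at all; for obj_val the value is bound, which removes the quoting problem the escaping-based fix in the post was trying to patch.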