The bad news is that "prepare" statements don't come by default with PHP, but the good news is that you can use something like the PDO library. If you parameterise your queries that contain user input data, then the "shape" of the query is bound during its prepare phase and SQL injections are impossible.

Keith
matt_thomson wrote:
> I managed to replicate it on my local host, although I don't understand the sql. The sql gets the 1st username and password (as md5) from jos_users and sneakily puts the un and pass into the <?php echo $row->description; ?> that the description column in the database (from table jos_ignitegallery) would usually fill. So then they can try and crack the md5 and hack hack hack. I think my site was breached, but I can't see any changes, I guess they want me to be unaware so I don't release a patch.
>
> I tried emailing some people by googling com_ignitegallery. It looks like about one in a dozen sites are already hacked, there are too many sites for me to contact everyone.
>
> I changed my site so you have to register to download, so I can notify about any security stuff, and I am going to be anally retentive about security from now on. Damn, that was a wake up call, and a waste of a weekend.
>
> On Oct 12, 5:26 pm, "Jochen Daum" <[EMAIL PROTECTED]> wrote:
>
>> Hi,
>>
>> On Sat, Oct 11, 2008 at 12:46 PM, matt_thomson <[EMAIL PROTECTED]> wrote:
>>
>>> Hi, usually I wouldn't post on the weekend, but I have got a semi urgent issue, if anyone is still working could they give me a hand please.
>>>
>>> I have a Joomla open source component, I think there are about 10,000 people using it. I got notified of this page this morning:
>>> http://milw0rm.org/exploits/6723
>>>
>>> The gist of the page is this:
>>>
>>> Exploit: /index.php?option=com_ignitegallery&task=view&gallery=[SQL]&Itemid=18
>>>
>>> Example: /index.php?option=com_ignitegallery&task=view&gallery=-1+union+select+1,2,concat(username,char(58),password)KHG,4,5,6,7,8,9,10+from+jos_users--&Itemid=18
>>>
>> I don't quite understand how the query is supposed to work, but possibly it shows specific userdata that you don't want to show.
>>
>>> And my php code is more or less this:
>>>
>>> $task = JRequest::getString('task', '');
>>> $gallery = JRequest::getString('gallery', '');
>>>
>>> $db =& JFactory::getDBO();
>>> $query = "SELECT * FROM #__ignitegallery WHERE id = $gallery";
>>> $db->setQuery($query);
>>> $row = $db->loadObject();
>>>
>>> <?php echo $row->description; ?>
>>> <h3><?php echo $row->name; ?></h3>
>>>
>>> I have used the standard Joomla JRequest class to sanitise my variables:
>>>
>>> http://dev.joomla.org/component/option,com_jd-wiki/Itemid,/id,referen...
>>>
>> I haven't dug deeply into the input sanitisation process of Joomla there, but I think you should use getInt().
>>
>> HTH, Jochen
>>

--
NZ PHP Users Group: http://groups.google.com/group/nzphpug
To post, send email to [email protected]
To unsubscribe, send email to [EMAIL PROTECTED]
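As an added example (not code from the thread, nor from the component it discusses), the concatenated-query pattern quoted above beside a hardened version that combines the two suggestions in the thread: integer validation in the spirit of getInt(), then a PDO prepared statement so the query's shape is fixed before the value arrives. It assumes the pdo_sqlite extension is available and constructs its own in-memory table.

```php
<?php
// Added example, not code from the thread or from the component it discusses.
// Assumes the pdo_sqlite extension; the table and rows below are constructed
// so the script runs stand-alone with an in-memory database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ignitegallery (id INTEGER PRIMARY KEY, name TEXT, description TEXT)');
$pdo->exec("INSERT INTO ignitegallery VALUES (1, 'Holiday', 'Photos from the trip')");

// The pattern from the thread: the request value is concatenated straight into
// the SQL text, so whatever follows "id = " is decided by the sender of the request.
function loadGalleryUnsafe(PDO $pdo, string $gallery): ?object
{
    $row = $pdo->query("SELECT * FROM ignitegallery WHERE id = $gallery")
               ->fetch(PDO::FETCH_OBJ);
    return $row === false ? null : $row;
}

// Hardened version: validate the id as an integer first (the equivalent of
// JRequest::getInt()), then bind it as a parameter so the query's shape is
// fixed at prepare time and the value is never parsed as SQL.
function loadGallerySafe(PDO $pdo, string $gallery): ?object
{
    $id = filter_var($gallery, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null; // not a plain integer: treat it as "no such gallery"
    }
    $stmt = $pdo->prepare('SELECT * FROM ignitegallery WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_OBJ);
    return $row === false ? null : $row;
}

// Constructed inputs: a normal id, and a value with a UNION of constants
// appended, the same shape as the report in the thread.
$normal  = '1';
$hostile = '-1 union select 1,2,3';

echo "unsafe/normal:  ", loadGalleryUnsafe($pdo, $normal)->name, PHP_EOL;
// With the unsafe function the UNION row is what comes back, so $row->description
// is whatever the request supplied rather than the gallery's own text.
echo "unsafe/hostile: ", loadGalleryUnsafe($pdo, $hostile)->description, PHP_EOL;
echo "safe/normal:    ", loadGallerySafe($pdo, $normal)->name, PHP_EOL;
// The safe version rejects the value before any SQL runs.
echo "safe/hostile:   ", var_export(loadGallerySafe($pdo, $hostile), true), PHP_EOL;
```

In a Joomla component the same two steps apply with the framework's own API: read the id with getInt() and pass it to the database layer as a bound integer rather than interpolating it into the query string.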
