0

(Not like/about MySQL Injection) I just want to confirm something someone told me: that a query can be changed or modified (by some intruder/hacker, from the middle) while we are submitting it. Is it possible?

I mean, let's say there is a query (a fixed query, for sure) in PHP:
// 'users' is an assumed table name; the line as posted omitted the FROM clause
$query = 'SELECT password FROM users WHERE id=1';
$result = mysql_query($query);

  • Let's say whatever SQL injection or other threats have been made, the final $query (string) will be processed. Right?

(1) Can this query be changed/modified on the way while "submitting" (before reaching the server)?
(2) Or can the returned result be changed/modified on the way while "returning" (back from the server)?

So according to what he said, the final $result we get will be a wrong one compared with what we really queried (even though the real table is still safe or not hacked). The case is happening just inside the mysql_query process.

So is this possible? Sorry if this is a stupid question, but I'm really confused.

Alvin

4 Answers

1

Maybe, depending on whether you use user input in your query.

For example, the following code could be vulnerable. Notice it takes user input from $_POST['UnsanitisedInput'] and uses it directly in the query without sanitising it with something like mysql_real_escape_string().

$result = mysql_query('SELECT Stuff FROM Things WHERE Widget = ' . $_POST['UnsanitisedInput']);

For a query like the one you posted though, which takes no user input, there's no way this can be modified, unless of course your server is compromised.

If you want to do some more reading on the topic, this kind of attack is called SQL Injection.

Ben Pilbrow
  • No dude. You are talking about changing the query `string` via injection or some other fault. But what I mean is the stage where `mysql_query` is processing. Whatever query string we used, I just want to know whether the query can be touched while processing? – Alvin Sep 16 '11 at 16:29
  • @Alvin by processing do you mean in transit between the DB and application servers, right? Or do you mean in server memory, like memory tampering of the MySQL/PHP process? – danishgoel Sep 16 '11 at 16:35
  • @danishgoel (As I really don't know) maybe both ways, as both are possible threats. How can I prevent these? – Alvin Sep 16 '11 at 17:04
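As an added example (not code from the answer above), here is the unsanitised query from that answer beside a parameterised version using mysqli prepared statements, which is the fix for the injection case the answer describes. The table and column names (Things, Widget, Stuff) are taken from the answer; the connection details are placeholders, and get_result() assumes the mysqlnd driver.

```php
<?php
// Added example, not part of the original answer. Connection details are
// placeholders; table/column names come from the answer's query.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Placeholder connection (assumed host, user, password, database).
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');

// VULNERABLE (the answer's pattern): the client's input becomes part of the
// SQL text, so the statement itself can be rewritten before MySQL parses it.
function findWidgetUnsafe(mysqli $db, string $input): mysqli_result
{
    return $db->query('SELECT Stuff FROM Things WHERE Widget = ' . $input);
}

// HARDENED: the SQL text is fixed and sent to the server on its own; the value
// is bound separately, so no input can change the statement's structure.
function findWidget(mysqli $db, string $input): array
{
    $stmt = $db->prepare('SELECT Stuff FROM Things WHERE Widget = ?');
    $stmt->bind_param('s', $input);   // 's': bound as a string, never spliced into SQL
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);   // requires mysqlnd
    $stmt->close();
    return $rows;
}

// For a numeric column a cast is the simplest fix: an integer cannot carry SQL
// syntax. Note that escaping alone would not help here, because
// mysql_real_escape_string() only protects a value that sits inside quotes.
function findWidgetById(mysqli $db, string $input): array
{
    $id = (int) $input;
    $stmt = $db->prepare('SELECT Stuff FROM Things WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage: the same POST field the answer names, now bound instead of concatenated.
$rows = findWidget($db, $_POST['UnsanitisedInput'] ?? '');
foreach ($rows as $row) {
    echo htmlspecialchars((string) $row['Stuff'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The prepared statement answers the question's own concern in a precise way: the query text that reaches mysql_query (here prepare()) is the literal in the source file and nothing the client sends can alter it.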
0

He may be referring to an SQL injection attack, which can be used to modify a query if you use unsanitised user inputs directly in your queries, e.g.

$query = 'SELECT * FROM table WHERE id = ' . $_GET['id'];
mysql_query($query);

Here you are using `$_GET['id']` directly, the value of which cannot be guaranteed by you. Instead you should do it like this.

// The escaped value must also be quoted: mysql_real_escape_string() only
// escapes quote characters, so an unquoted numeric value would still be open
$query = "SELECT * FROM table WHERE id = '" . mysql_real_escape_string($_GET['id']) . "'";
mysql_query($query);

Other than that, the question of an attacker changing the actual query on the way through the network only arises IF

  • the web server (with the PHP code) and the database server are separate, and
  • the queries are going through the internet, NOT just through a private network, and
  • in that case you are not using SSL on the database connection.

If any of the above is false, the answer is

NO an attacker cannot alter your query OR result between the Database and WebServer

So if you are querying a DB server over public internet you can use SSL to avoid any eavesdropping or tampering of network packets.

Update
By processing you mean in transit between DB and Application servers, right? Or you mean in server memory like memory tampering of MySQL/PHP Process?

I've addressed the network issue above.

As for altering the query WHILE it is being processed, it can be done only by a native process that a hacker can only install if your server has been compromised.
In which case the attacker does not have to go through all this trouble, as he can simply edit your PHP files.

danishgoel
  • Not like SQL injection, dude. As in your example, the query is `$query = "bla bla ........"` and then the next stage is `mysql_query($query);`. Now the point I mean is: can the final query (to be processed) inside `mysql_query($query);` be changed? – Alvin Sep 16 '11 at 16:34
  • @Alvin Look at the second part of my answer. – danishgoel Sep 16 '11 at 16:36
  • Thanks for it. But you've used **inverted logic** in your answers. OK, let me say I'm dumb. So, let me say if (1) the web server & DB server are at the same location, (2) .., (3) using SSL, can I say *NOW IT IS SAFE*?? – Alvin Sep 16 '11 at 17:00
  • Yes, as the database and web server are the same, there is no network traffic and thus no question of data being tampered with while in transit. As for the other issue of server compromise, in that case, as I've said, the attacker would simply change your PHP files instead of going through the trouble of either installing some memory-altering application or, as DerfK said, changing your `mysql.sock`. So in short I would consider your setup to be **SAFE** – danishgoel Sep 16 '11 at 17:08
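The answer above says SSL on the database connection is what closes the in-transit case. As an added example (not code from the answer or from any project on this page), here is how that looks with mysqli: the client verifies the server certificate against a CA file, so an impersonating server is refused rather than silently accepted, and then checks from inside the session that a cipher was really negotiated before sending the question's query. The hostname, credentials, CA path and the table name 'users' are all placeholders.

```php
<?php
// Added example, not part of the original answer. Host, credentials,
// certificate path and table name are placeholders.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Open a TLS-protected connection to a remote MySQL server.
function connectOverTls(string $host, string $user, string $pass, string $dbName, string $caFile): mysqli
{
    $db = mysqli_init();
    // Refuse the connection unless the server certificate chains to $caFile.
    // Without this option an attacker sitting between the web and DB servers
    // (the MITM case discussed above) could present any certificate.
    $db->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
    $db->ssl_set(null, null, $caFile, null, null);
    $db->real_connect($host, $user, $pass, $dbName, 3306, null, MYSQLI_CLIENT_SSL);
    return $db;
}

// Ask the server which cipher this session negotiated. An empty value means
// the link is plaintext, which is exactly the state we want to detect.
function negotiatedCipher(mysqli $db): string
{
    $row = $db->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch_assoc();
    return (string) ($row['Value'] ?? '');
}

// Placeholder connection details (assumed).
$db = connectOverTls('db.internal.example', 'app_user', 'app_password', 'app_db', '/etc/ssl/certs/db-ca.pem');

$cipher = negotiatedCipher($db);
if ($cipher === '') {
    throw new RuntimeException('MySQL connection is not encrypted; refusing to send queries');
}
echo "TLS session cipher: {$cipher}\n";

// With the transport protected, the question's fixed query goes through as a
// prepared statement ('users' is an assumed table name).
$id = 1;
$stmt = $db->prepare('SELECT password FROM users WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->bind_result($password);
$stmt->fetch();
$stmt->close();
```

The Ssl_cipher check matters because older client configurations could fall back to plaintext if the server did not offer TLS; asserting on the negotiated cipher turns a silent downgrade into a hard failure that shows up in logs.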
0

Anything is possible, depending on your setup. Other people have already written about the SQL injections possible when you don't check user input, but what if you have a query with no user input?

Communication over the network can be exposed to the same MITM attacks as many other network protocols if the network is compromised, causing you to think you are connecting to your server when you are actually connecting to someone else's server.

If you are talking to a local MySQL server using mysql.sock, then if the server itself is compromised, the mysql.sock file could be replaced with a socket file that talks to a fake MySQL server (which could change the query and send it to the real MySQL server, or send it to the real MySQL server and change the results before returning them).

Most likely, though, if the server is compromised, whoever did it would just edit your PHP file and change the query rather than doing all this extra work.

DerfK
  • Thanks DerfK, it may be more related to your second condition (with `mysql.sock`). How can I prevent it? – Alvin Sep 16 '11 at 19:41
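As an added example (not code from DerfK's answer), here is a sanity check an application can run on its local mysql.sock before connecting through it. It catches the crude substitution described above (a replaced socket that is not a socket, is owned by the wrong account, or lives in a directory anyone can write to); it is not a defence against a fully compromised host, where, as the answers note, the attacker would rather edit the PHP files. The socket path and expected owner are placeholders, and the check needs the posix extension.

```php
<?php
// Added example, not part of DerfK's answer. Socket path and expected owner
// are placeholders; posix_getpwuid() requires the posix extension.
declare(strict_types=1);

// Return a list of problems found with the socket file; empty means it looks sane.
function checkMysqlSocket(string $path, string $expectedOwner): array
{
    $problems = [];
    clearstatcache(true, $path);

    if (!file_exists($path)) {
        return ["{$path} does not exist"];
    }
    // A regular file or symlink at this path is not what mysqld creates.
    if (filetype($path) !== 'socket') {
        $problems[] = "{$path} is not a unix socket";
    }
    // mysqld creates the socket as the account it runs under.
    $pw = posix_getpwuid(fileowner($path));
    $owner = $pw ? $pw['name'] : '?';
    if ($owner !== $expectedOwner) {
        $problems[] = "{$path} is owned by {$owner}, expected {$expectedOwner}";
    }
    // The containing directory matters too: anyone who can write there can
    // remove the real socket and create their own under the same name. A
    // world-writable directory is acceptable only with the sticky bit set.
    $dir = dirname($path);
    $dirPerms = fileperms($dir) & 07777;
    $worldWritable = ($dirPerms & 0002) !== 0;
    $sticky = ($dirPerms & 01000) !== 0;
    if ($worldWritable && !$sticky) {
        $problems[] = sprintf('%s is world-writable (%o) without the sticky bit', $dir, $dirPerms);
    }
    return $problems;
}

$socket = '/var/run/mysqld/mysqld.sock';   // placeholder path
$problems = checkMysqlSocket($socket, 'mysql');
if ($problems !== []) {
    // Refuse to talk to a socket that fails the check and make the reason visible.
    fwrite(STDERR, implode("\n", $problems) . "\n");
    exit(1);
}

// Only now connect through the socket (placeholder credentials).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = mysqli_init();
$db->real_connect('localhost', 'app_user', 'app_password', 'app_db', 0, $socket);
echo "socket check passed, connected via {$socket}\n";
```

Running this at application start-up (or from a cron job that logs the result) gives an early, cheap signal; the owner and directory checks are the same ones an administrator would make by hand with ls -l on the socket's directory.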
0

With man-in-the-middle attacks, data returned from the server can easily be tampered with, so run SSL (though the SSLStrip theory means this is not foolproof).

As for editing the query between the end user and the PHP page, not really, unless you have a hole somewhere else in your site that allows them to edit your PHP. Also, I think the data between PHP and MySQL is unencrypted by default; you can either tunnel it (an insane amount of security) or run MySQL over SSL, IIRC.

StrangeWill