
I have a question. I get that you have to sanitise POST and GET to stop people doing nasty things to your website/DB, but I'm confused. I saw the following on a website and thought I would ask the question.

[image: a SQL injection example that drops a table called Students]

How would Mr Hacker know that the table to drop was called Students? In this situation, it being a school, it probably wouldn't take much working out, but I thought that the code for this sort of thing was hidden from view when it runs in a PHP file. So if I named my tables obscure things, how would an attacker know what the table name was to drop?

Iain Simpson (edited by Kara)
  • From information_schema! See [THIS](http://websec.wordpress.com/2007/11/17/mysql-table-and-column-names/) – Feb 12 '13 at 19:13

3 Answers


Yes, it's hidden, but if you have a vulnerability like this you can execute any query you want, including `SHOW TABLES` and `SHOW COLUMNS`.

Halcyon
  • Ahh I see, will escaping your POSTs and GETs stop `SHOW TABLES` / `SHOW COLUMNS` working then? – Iain Simpson Feb 12 '13 at 19:14
  • No, because this vulnerability is escaping the input to your MySQL queries. You should **not** _escape_ your POST data, you should check it and validate that it looks like something you want. Escaping is what you do with input to MySQL or anything that produces a _string_. – Halcyon Feb 12 '13 at 19:16
  • I mean `mysql_escape_string`, by the way. – Iain Simpson Feb 12 '13 at 19:17
  • @IainSimpson You should stop using the (for good reason deprecated) `mysql_*` API if you're using it, and start using MySQLi or PDO with prepared statements/parameterized queries. No need to escape things, and faster database access as a bonus. – Joachim Isaksson Feb 12 '13 at 19:17

The rule of thumb is that it's always better to be safe than sorry! As already mentioned, the attacker could output the contents of your data or, as per the picture, delete it. Although PHP code is hidden from view, there are situations where this may not be the case, such as some error outputs, or say the PHP module becomes unloaded for whatever reason; the source code would then become visible.

juco

Maybe this doesn't answer the question, but I'd like to make a clarification: everyone speaks about "sanitizing" user input only to avoid tables being dropped, databases destroyed, and other catastrophes.

What I fail to see mentioned is the fact that sanitizing is TO PROTECT YOUR QUERIES. Not from hackers, not from the devil, but just from the poor guy whose name is O'Reilly, or any other user-provided data which contains quotes.

That quote could break your query, full stop. And halt your wonderfully designed webapp. And it's not malicious.

So, sanitize your queries to avoid them BREAKING. While doing this, you'll also prevent MALICIOUS BREAKING, which is a category per se. Queries are STRINGS, delimited by quotes, and an interpolated quote simply ends the string where it shouldn't, and your db call errors out.

Damien Pirsy
  • Escaping should be the de facto modus operandi. Whenever you go from one language to another (such as a DSL like SQL) or generate some kind of output, such as JSON, XML, and yes, even HTML, you should _always_ escape. – Halcyon Feb 12 '13 at 19:20
  • Ahh I see your point now, I never thought of the names with the apostrophes causing problems. – Iain Simpson Feb 12 '13 at 19:21
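The O'Reilly case from this answer, together with the parameterized-query advice from Joachim Isaksson's comment on the first answer and Halcyon's point above about escaping at every language boundary, as an added Python/SQLite example that is not part of the original answers. The `Students` table and its surnames are constructed sample data; `find_by_surname_concat`, `find_by_surname_param` and `render_for_html` are hypothetical names. The first function reproduces the non-malicious breakage (an ordinary apostrophe ends the SQL string early), the second shows that the same parameterization keeps the honest lookup working and an injection payload inert, and the third shows that the value needs HTML's own escaping when it crosses into HTML, because parameters protect SQL only.

```python
import html
import sqlite3

# Constructed sample data (not from the original answer). The doubled quote
# is how the literal O'Reilly is written inside a SQL string constant.
SCHEMA = """
CREATE TABLE Students (id INTEGER PRIMARY KEY, surname TEXT);
INSERT INTO Students (surname) VALUES ('O''Reilly'), ('Smith');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def find_by_surname_concat(surname):
    """Query text built by concatenation. A quote in the DATA ends the SQL string
    early, so an ordinary surname breaks the query: a bug, not an attack."""
    conn = make_db()
    sql = "SELECT id, surname FROM Students WHERE surname = '" + surname + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        # Exactly the failure described in the answer: the db call errors out.
        return "query broke: " + str(exc)


def find_by_surname_param(surname):
    """Parameterized query: the SQL text is fixed and the value travels
    separately, so a quote is just a character in the data. The same change
    that keeps O'Reilly's lookup working also leaves an injection payload
    looking for a surname that literally reads ' OR '1'='1, which no row has."""
    conn = make_db()
    return conn.execute(
        "SELECT id, surname FROM Students WHERE surname = ?", (surname,)
    ).fetchall()


def render_for_html(surname):
    """Crossing into another language (HTML) needs that language's escaping,
    applied at that boundary. SQL parameters do nothing for HTML output."""
    return "<td>" + html.escape(surname, quote=True) + "</td>"


if __name__ == "__main__":
    print(find_by_surname_concat("Smith"))       # [(2, 'Smith')]
    print(find_by_surname_concat("O'Reilly"))    # query broke: ...
    print(find_by_surname_param("O'Reilly"))     # [(1, "O'Reilly")]
    print(find_by_surname_param("' OR '1'='1"))  # []
    print(render_for_html("O'Reilly"))           # <td>O&#x27;Reilly</td>
```

Note where each protection lives: the database driver handles the SQL boundary when given parameters, and `html.escape` handles the HTML boundary when the value is rendered. Neither one modifies the stored data, which is why the answer's advice is to protect the query rather than to "clean" the user's name.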