SlideShare a Scribd company logo

SQL Injection: complete walkthrough (not only) for PHP developers

Krzysztof Kotowicz
Krzysztof Kotowicz

Learn what is SQL injection, how to use prepared statements, how to escape and write secure stored procedures. Many PHP projects are covered - PDO, Propel, Doctrine, Zend Framework and MDB2. Multiple gotchas included.

Technology
1 of 64
Download to read offline
SQL injection: complete walkthrough (not only) for PHP developers Krzysztof Kotowicz PHP Developer http://web.eskot.pl OWASP Medycyna Praktyczna krzysztof@kotowicz.net 10.03.2010 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
Plan  What is SQL injection?  Why is it so dangerous (demo)?  How to defend? • Prepared statements • Escaping • Stored procedures • Additional methods  Summary OWASP 2
Discussed databases (RDBMS)  MySQL  Oracle  MS SQL Server  To some extent: • PostgreSQL • SQLite OWASP 3
Discussed PHP projects  PDO – PHP data objects • Common interface for various RDBMS  Doctrine 1.2 • ORM (Object Relational Mapper) used e.g. in Symfony framework  Propel 1.4 • ORM, like Doctrine • Used in Symfony  Zend Framework 1.10 • Popular framework MVC for PHP  MDB2 2.4.1 • Database abstraction layer (DBAL) • Distributed through PEAR OWASP 4
What is SQL injection? OWASP 5
SQL injection – short definition It is a kind of web application attack, where user- supplied input coming from: URL: www.example.com?id=1 Forms: email=a@example.com Other elements: e.g. cookie, HTTP headers is manipulated so that vulnerable application executes SQL commands injected by attacker. OWASP 6
Example – login form SELECT * FROM users WHERE login = '{$login}' and password_hash = MD5('{$password}') $login = "' or 1=1 -- "; "anything"; $password = "dowolne"; // zamierzalismy osiagnacthis(kod dane) you wanted to achieve to (code data) SELECT * FROM users WHERE login = '' or 1=1 -- ' and password_hash = MD5('dowolne') MD5('anything') // but server interprets it as SELECT * FROM users WHERE login = '' or 1=1 -- ' and password_hash = MD5('anything') User logs in without knowing the login nor password OWASP 7
Why is it so dangerous? DEMO OWASP 8
What are the possible threats?  Unauthorized access to application  Access to whole database / databases on the server  Denial of service  Database modification  Read / write files on server's filesystem  Code execution OWASP 9
A few facts  Injection vulnerabilities are the 1st on OWASP Top 10 2010 RC  SQLi is responsible for 40–60% cases of data breach [1] [2]  Modern attack techniques are advanced and automated • Vulnerability is not only in WHERE part • Sometimes it is enough to break a query  Vulnerabilities are found on a daily basis, even in new applications OWASP 10
How to defend? OWASP 11
How to defend against SQL injection?  Source of vulnerability is mixing code with data SELECT * FROM users WHERE login = 'login' Defense methods Separating code from data prepared statements stored procedures Escaping OWASP 12
How to defend? Prepared statements OWASP 13
Prepared statements – how to use? 1. Preparing SQL command (string) Put placeholders where data should be WHERE a = ? ... WHERE a = :col 2. Send command to server PREPARE 3. Attach data to command 4. Execute command EXECUTE 5. Fetch results 3, 4, 5 could be repeated... 6. Clear the command OWASP 14
Prepared statements - example  PDO // prepare command $stmt = $dbh->prepare("INSERT INTO SUMMARIES (name, sum) VALUES (:name, :sum)"); // attach data variables - WITH ITS TYPES! $stmt->bindParam(':name', $name, PDO::PARAM_STR); $stmt->bindParam(':sum', $sum, PDO::PARAM_INT); // bind values $name = 'something'; $value = 1234; // execute command $stmt->execute(); $stmt = null; //free memory OWASP 15
Prepared statements - advantages  Commands are completely separated from data they operate on  Injection is not possible  Command is compiled only once - potential speedup $stmt->bindParam(':name', $name, PDO::PARAM_STR); $stmt->bindParam(':sum', $sum, PDO::PARAM_INT); // petla po danych... foreach ($do_bazy as $name => $value) { $stmt->execute(); } OWASP 16
Prepared statements - caveats  Not all commands may be parametrised  You cannot put parameters everywhere -- error SELECT * FROM :table SELECT :function(:column) FROM :view -- not what you expect SELECT * FROM table WHERE :column = 1 SELECT * FROM table GROUP BY :column  Just using PS does not enforce using parameters in them  Sometimes they're emulated (it's a good thing!) OWASP 17
Prepared statements in Doctrine  Uses PDO (emulated for Oracle) and prepared statements  Uses own DQL language instead of SQL $q = Doctrine_Query::create() ->select('u.id') ->from('User u') ->where('u.login = ?', ‘mylogin'); echo $q->getSqlQuery(); // SELECT u.id AS u__id FROM user u // WHERE (u.login = ?) $users = $q->execute(); OWASP 18
Prepared statements in Doctrine cont.  It can still bite you $q = Doctrine_Query::create() ->update('Account') ->set('amount', 'amount + 200') ->where("id > {$_GET['id']}");  Correct this to: ->where("id > ?", (int) $_GET['id']);  NEVER put input data directly into SQL commands OWASP 19
Prepared statements in Propel  Uses PDO, like Doctrine // through Criteria $c = new Criteria(); $c->add(AuthorPeer::FIRST_NAME, "Karl"); $authors = AuthorPeer::doSelect($c); // through custom SQL (sometimes it's more convenient) $pdo = Propel::getConnection(BookPeer::DATABASE_NAME); $sql = "SELECT * FROM complicated_sql JOIN some_big_join USING something WHERE column = :col)”; $stmt = $pdo->prepare($sql); $stmt->execute(array('col' => 'Bye bye SQLi!'); OWASP 20
Prepared statements in Zend Framework  PDO (+ mysqli + oci8 + sqlsrv) // prepare + execute $stmt = $db->prepare('INSERT INTO server (key, value) VALUES (:key,:value)'); $stmt->bindParam('key', $k); $stmt->bindParam('value', $v); foreach ($_SERVER as $k => $v) $stmt->execute(); // prepare + execute in one step $stmt = $db->query('SELECT * FROM bugs WHERE reported_by = ? AND bug_status = ?', array('goofy', 'FIXED')); while ($row = $stmt->fetch()) echo $row['bug_description']; OWASP 21
Prepared statements in MDB2  Based on different database drivers (mysql, oci8, mssql, ...)  Emulates PS, if database doesn't support them $types = array('integer', 'text', 'text'); $stmt = $mdb2->prepare('INSERT INTO numbers VALUES (:id, :name, :lang)', $types); $data = array('id' => 1, 'name' => 'one', 'lang' => 'en'); $affectedRows = $stmt->execute($data); $stmt->free(); OWASP 22
Prepared statements - summary  They offer very good protection (if used properly)  Easy to use, small changes in code  Good support in frameworks  They have their limits  Sometimes they have to be used with other defense methods OWASP 23
How to defend? Escaping data OWASP 24
Escaping – how does it work?  Data and commands are still kept in a single variable, but we try to separate them inline  Numbers • Cast to (int) / (float) – don't use is_numeric [1]!  Texts are surrounded with single quotes : ' .. WHERE col = 'TEXT DATA' AND ... • If quote is inside the text, you need a way to distinguish it from the ending quote • Prepend a special character e.g. "" to a quote • Escaping rules depend on context! OWASP 25
Escaping – context addslashes() Returns a string with backslashes before characters that need to be quoted in database queries etc. These characters are single quote ('), double quote ("), backslash () and NUL (the NULL byte). / Source: php.net manual / $user = addslashes($_GET['u']); $pass = addslashes($_GET['p']); $sql = "SELECT * FROM users WHERE username = '{$user}' AND password = '{$pass}'"; $ret = exec_sql($sql);  Are you safe? OWASP 26
NO OWASP
Escaping – context cont.  Different RDBMS have different ways of escaping data (it also depends on configuration)  addslashes() works just like MySQL only „by chance” RBDMS PHP function i've got quotes PDO $pdo->quote($val, $type) n/a (it depends) MySQL (mysql) mysql_real_escape_string i've got quotes MySQL (mysqli) mysqli_real_escape_string i've got quotes Oracle (oci8) n/d - str_replace() i''ve got quotes SQLite sqlite_escape_string i''ve got quotes MS SQL (mssql) n/d - str_replace() i''ve got quotes PostgreSQL pg_escape_string() i''ve got quotes OWASP 28
Escaping – context cont. // SELECT * FROM users WHERE username = // '{$user}' AND password = '{$pass}' $_GET['u'] = "anything'"; $_GET['p'] = " or 1=1 -- "; // MySQL sees it as : SELECT * FROM users WHERE username = 'anything'' AND password = ' or 1=1 -- ' // SQLite / MS SQL / Oracle / PostgreSQL: SELECT * FROM users WHERE username = 'anything'' AND password = ' or 1=1 -- '  Don't use addslashes(), use PHP functions for your RBDMS  Are you safe now? OWASP 29
ALMOST OWASP
Escaping gotchas – charsets  Errors discovered in 2006 in PostgreSQL and MySQL [1] [2]  In some multibyte charsets despite escaping you can cause SQL injection  is „swallowed” by multibyte character  Example: • BF 27 [ ¬ ' ]  BF 5C 27 [ ¬ ' ] • First 2 bytes are character ¿ in GBK charset • Server will see ¿' OWASP 31
Escaping gotchas – charsets  Some Asian charsets are vulnerable  Luckily - not UTF-8!  In PostgreSQL '' escaping was used (instead of ')  In mysql_real_escape_string() escaping is done with respect to current connection charset • Doesn't always work! [1] [2]  Charset also defines context OWASP 32
Escaping gotchas – object names  Colum, table, database etc. names • No common good rule to escape them • Different reserved words, different maximum name lengths etc. If you need to get those names from the user - use whitelisting (blacklisting if you really can't do otherwise) OWASP 33
Escaping gotchas – object names cont.  Example - sorting by column  There's a vuln. in $order, but you can't escape there $cat_id = (int) $_GET['cid']; $order = $_GET['column']; $stmt = $pdo->prepare("SELECT * FROM products WHERE cid = :cid ORDER BY $order"); $stmt->bindParam(':cid', $cat_id, PDO::PARAM_INT); if ($stmt->execute()) { ... } OWASP 34
Escaping gotchas – object names cont.  Whitelisting $columns = array( // list of allowed columns 'product_name','cid','price', ); if (!in_array($order, $columns, true)) $order = 'product_name'; // default column  Blacklisting // only a-z and _ $order = preg_replace('/[^a-z_]/', '', $order); // max 40 characters $order = substr($order, 0, 40); OWASP 35
Escaping in PDO  PDO::quote($value, $type, $len)  Length and type are sometimes ignored! • Cast numbers to (int), (float) • Texts – cut them manually $quoted = $pdo->quote($input, PDO::PARAM_STR, 40); OWASP 36
Escaping in Doctrine  Careful with Doctrine quote()! $q = Doctrine_Query::create(); // not like this!!! $quoted = $q->getConnection()->quote($input, 'text'); $q->update('User')->set('username', $quoted); // quote() only changes ' to '' - exploit (MySQL): $input = 'anything' where 1=1 -- '; // escape through PDO - getDbh(): $quoted = $q->getConnection() ->getDbh() ->quote($input, PDO::PARAM_STR); // 'anything ' where 1=1 -- ' OWASP 37
Escaping in Propel  Through PDO::quote() $pdo = Propel::getConnection(UserPeer::DATABASE_NAME); $c = new Criteria(); $c->add(UserPeer::PASSWORD, "MD5(".UserPeer::PASSWORD.") " ." = " . $pdo->quote($password), Criteria::CUSTOM); OWASP 38
Escaping in Zend Framework  Functions quote(), quoteInto() $name = $db->quote("O'Reilly"); // 'O'Reilly' // simplified escaping for a single value $sql = $db->quoteInto("SELECT * FROM products WHERE product_name = ?", 'any string'); OWASP 39
Escaping in MDB  quote() // quote() function - give type $query = 'INSERT INTO table (id, itemname, saved_time) VALUES (' . $mdb2->quote($id, 'integer') .', ' . $mdb2->quote($name, 'text') .', ' . $mdb2->quote($time, 'timestamp') .')'; $res = $mdb2->exec($query); OWASP 40
Escaping - summary  Looks easy - search and replace  Just looks • You need to know the context (database, charset) • There are invalid implementations  Encourages invalid practices • concatenating strings to form a SQL command • ignoring numeric parameters  Use only if • You program for a single RDBMS • There is no other way OWASP 41
How to defend? Stored procedures OWASP 42
Stored procedures  SQL command(s) is moved to database server and stored there under a name  Client executes a procedure with input and output parameters  In output parameters client receives results  Data is formally separated from code  It's NOT enough OWASP 43
Stored procedures cont.  Example for MS SQL – a vulnerable procedure CREATE PROCEDURE SP_ProductSearch @prodname varchar(400) AS DECLARE @sql nvarchar(4000) SELECT @sql = 'SELECT ProductID, ProductName, Category, Price FROM Product Where ProductName LIKE ''' + @prodname + '''' EXEC (@sql) ...  It's just like eval()! OWASP 44
Stored procedures cont.  Same vulnerability in Oracle CREATE OR REPLACE PROCEDURE SP_ProductSearch(Prodname IN VARCHAR2) AS sqltext VARCHAR2(80); BEGIN sqltext := 'SELECT ProductID, ProductName, Category, Price FROM Product WHERE ProductName LIKE ''' || Prodname || ''''; EXECUTE IMMEDIATE sqltext; ... END; OWASP 45
Stored procedures – Dynamic SQL  Vulnerability lies in Dynamic SQL • Data is again mixed with code in one variable  How to defend? • Separate the code from data • Escape OWASP 46
Stored procedures in MS SQL  Separating code from data • use sp_executesql with parameter list CREATE PROCEDURE SP_ProductSearch @prodname varchar(400) = NULL AS DECLARE @sql nvarchar(4000) SELECT @sql = N'SELECT ProductID, ProductName, Category, Price FROM Product Where ProductName LIKE @p' EXEC sp_executesql @sql, N'@p varchar(400)', @prodname OWASP 47
Stored procedures in MS SQL cont.  Escaping character data Object name QUOTENAME(@v) Text <= 128 chars QUOTENAME(@v,'''') Text > 128 chars REPLACE(@v,'''','''''')  Example: SET @cmd = N'select * from authors where lname=''' + REPLACE(@lname, '''', '''''') + N''''  Escape only when you must! (use sp_executesql with parameters) OWASP 48
Stored procedures in Oracle  Oracle - use EXECUTE IMMEDIATE .. USING CREATE OR REPLACE PROCEDURE SP_ProductSearch(Prodname IN VARCHAR2) AS sqltext VARCHAR2(80); BEGIN sqltext := 'SELECT ProductID, ProductName, Category, Price WHERE ProductName=:p'; EXECUTE IMMEDIATE sqltext USING Prodname; ... END;  Escaping - DBMS_ASSERT package OWASP 49
Stored procedures in MySQL  Support for Dynamic SQL only through prepared statements  It's actually harder to make vulnerable procedure  Just use placeholders OWASP 50
Stored procedures in MySQL cont.  PREPARE / EXECUTE USING / DEALLOCATE PREPARE DELIMITER $$ CREATE PROCEDURE get_users_like ( IN contains VARCHAR(40)) BEGIN SET @like = CONCAT("%", contains, "%"); SET @sql = "SELECT * FROM users WHERE uname LIKE ?"; PREPARE get_users_stmt from @sql; EXECUTE get_users_stmt USING @like; DEALLOCATE PREPARE get_users_stmt; END$$ DELIMITER ; OWASP 51
Stored procedures in MySQL cont.  Or, even simpler DELIMITER $$ CREATE PROCEDURE get_users_like ( IN contains VARCHAR(40)) BEGIN SET @like = CONCAT("%", contains, "%"); SELECT * FROM users WHERE uname LIKE @like; END$$ DELIMITER ;  Escaping – QUOTE() function OWASP 52
Stored procedures in PHP  Different support level, depending on RDBMS  Common API (e.g. PDO) only for simple calls • No return from procedure • Returns scalar value in OUT parameter  Different API (or none at all) for advanced calls • e.g. cursors, fetching records sets  Almost no support in frameworks  Still some errors... OWASP 53
Stored procedures in PDO  Calling a procedure // MySQL $sql = "CALL get_users_like(:contains)"; // MS SQL – EXEC get_users_like :contains $stmt = $pdo->prepare($sql); $ret = $stmt->execute(array('contains' => $input)); foreach($stmt->fetchAll() as $users) { var_dump($users); } unset($s); OWASP 54
Stored procedures in Doctrine/Propel/Zend Framework  Doctrine - no support (use PDO) $pdo = Doctrine_Manager::connection()->getDbh();  Propel – likewise $pdo = Propel::getConnection(UserPeer::DATABASE_NAME);  Zend Framework – likewise $pdo = $db::getConnection(); OWASP 55
Stored procedures in MDB2  You need to manually escape all parameters! $mdb2->loadModule('Function'); $multi_query = $mdb2->setOption('multi_query', true); if (!PEAR::isError($multi_query)) { $result = $mdb2->executeStoredProc('get_users_like', array($mdb2->quote($contains, 'text'))); do { while ($row = $result->fetchRow()) { var_dump($row); } } while ($result->nextResult()); } OWASP 56
Stored procedures - gotchas  Data length CREATE PROCEDURE change_password @loginname varchar(50), @old varchar(50), @new varchar(50) AS DECLARE @command varchar(120) SET @command= 'UPDATE users SET password=' + QUOTENAME(@new, '''') + ' WHERE loginname=' + QUOTENAME(@loginname, '''') + ' AND password=' + QUOTENAME(@old, '''') EXEC (@command) GO OWASP 57
Stored procedures - summary  Moving SQL logic to server takes time  Code is not easily ported to other RDBMS  You need to use prepared statements or escaping to write safe stored procedures anyway  If done poorly, you're even more vulnerable • Both SP code and statement calling SP could be vulnerable • SP usually has greater permissions than code calling it  Bad support in PHP and frameworks OWASP 58
Stored procedures - summary SPs have many advantages outside our scope  Could be used with different clients (Java/.NET + PHP)  Could have better berformance  and many more... Conclusion: You can write secure stored procedures, but they usually increase the application cost considerably It is vital to write stored procedures protected against SQL injection OWASP 59
How to defend? Additional methods OWASP 60
Validation and filtering  Validate all external data  Validate before processing  Filter INPUT - escape OUTPUT  Different validation rules for each parameter - check e.g. • Type • Scalar / array • Min / max values • Character data length! [1] OWASP 61
Additional methods Complementary to all previously mentioned!  Principle of least privilege when connecting to DB  Removing unused functions, accounts, packages shipped with database  Routinely updating the system and database software  Correct PHP and database configuration • magic_quotes_* = false • display_errors = false  Good database design OWASP 62
Summary  Pay attention to SQL injection - even a single mistake could cost you!  Prefer complete solutions - e.g. frameworks  Filter and validate all input data  Remeber about data types and lengths  Prefer whitelisting to blacklisting - the latter will fail one day!  Use prepared statements whenever you can  Try to avoid escaping  In stored procedures double check your Dynamic SQL OWASP 63
Links  Discussed projects • sqlmap.sourceforge.net • php.net/manual/en/book.pdo.php • www.doctrine-project.org • propel.phpdb.org/trac • framework.zend.com • pear.php.net/package/MDB2  About SQL injection • www.owasp.org/index.php/SQL_Injection • unixwiz.net/techtips/sql-injection.html • delicious.com/koto/sql+injection  Hack me • threats.pl/bezpieczenstwo-aplikacji-internetowych • tinyurl.com/webgoat • mavensecurity.com/dojo.php  krzysztof@kotowicz.net http://blog.kotowicz.net OWASP 64

Recommended

Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionSina Manavi
 
Sql injection
Sql injectionSql injection
Sql injectionMehul Boghra
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
Sql injection
Sql injectionSql injection
Sql injectionNikunj Dhameliya
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENGDmitry Evteev
 
Sql Injection Myths and Fallacies
Sql Injection Myths and FallaciesSql Injection Myths and Fallacies
Sql Injection Myths and FallaciesKarwin Software Solutions LLC
 

Recommended

Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionSina Manavi
 
Sql injection
Sql injectionSql injection
Sql injectionMehul Boghra
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
Sql injection
Sql injectionSql injection
Sql injectionNikunj Dhameliya
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENGDmitry Evteev
 
Sql Injection Myths and Fallacies
Sql Injection Myths and FallaciesSql Injection Myths and Fallacies
Sql Injection Myths and FallaciesKarwin Software Solutions LLC
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injectionashish20012
 
SQL Injections (Part 1)
SQL Injections (Part 1)SQL Injections (Part 1)
SQL Injections (Part 1)n|u - The Open Security Community
 
SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniquesSongchaiDuangpan
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Abraham Aranguren
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request ForgeryTony Bibbs
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONMentorcs
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseNoaman Aziz
 
SQL Injection
SQL Injection SQL Injection
SQL Injection Adhoura Academy
 
Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...
Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...
Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...Дмитрий Бумов
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSSMike Crabb
 
SQL Injection
SQL InjectionSQL Injection
SQL InjectionAsish Kumar Rath
 
Sql injection
Sql injectionSql injection
Sql injectionSasha-Leigh Garret
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationRapid Purple
 
SQL injection
SQL injectionSQL injection
SQL injectionRaj Parmar
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with examplePrateek Chauhan
 
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...Edureka!
 
Sql injection
Sql injectionSql injection
Sql injectionNitish Kumar
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
Tutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the WebTutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the Webdpd
 
DemoDay Berlin Partners
DemoDay Berlin PartnersDemoDay Berlin Partners
DemoDay Berlin PartnersFabio Lombardi
 

More Related Content

What's hot

Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injectionashish20012
 
SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniquesSongchaiDuangpan
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Abraham Aranguren
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request ForgeryTony Bibbs
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONMentorcs
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseNoaman Aziz
 
Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...
Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...
Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...Дмитрий Бумов
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSSMike Crabb
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationRapid Purple
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with examplePrateek Chauhan
 
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...Edureka!
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 

What's hot (20)

Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
 
SQL Injections (Part 1)
SQL Injections (Part 1)SQL Injections (Part 1)
SQL Injections (Part 1)
 
SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniques
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request Forgery
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackrose
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
 
Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...
Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...
Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже...
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSS
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
Sql injection
Sql injectionSql injection
Sql injection
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint Presentation
 
SQL injection
SQL injectionSQL injection
SQL injection
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with example
 
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and Security
 

Viewers also liked

Tutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the WebTutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the Webdpd
 
DemoDay Berlin Partners
DemoDay Berlin PartnersDemoDay Berlin Partners
DemoDay Berlin PartnersFabio Lombardi
 
2008: Web Application Security Tutorial
2008: Web Application Security Tutorial2008: Web Application Security Tutorial
2008: Web Application Security TutorialNeil Matatall
 
End to end web security
End to end web securityEnd to end web security
End to end web securityGeorge Boobyer
 
LAMP security practices
LAMP security practicesLAMP security practices
LAMP security practicesAmit Kejriwal
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10Sastry Tumuluri
 
Web application Security
Web application SecurityWeb application Security
Web application SecurityLee C
 
Web security: OWASP project, CSRF threat and solutions
Web security: OWASP project, CSRF threat and solutionsWeb security: OWASP project, CSRF threat and solutions
Web security: OWASP project, CSRF threat and solutionsFabio Lombardi
 
Dependency injection in PHP 5.3/5.4
Dependency injection in PHP 5.3/5.4Dependency injection in PHP 5.3/5.4
Dependency injection in PHP 5.3/5.4Fabien Potencier
 
Cisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Security
 

Viewers also liked (11)

Tutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the WebTutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the Web
 
DemoDay Berlin Partners
DemoDay Berlin PartnersDemoDay Berlin Partners
DemoDay Berlin Partners
 
2008: Web Application Security Tutorial
2008: Web Application Security Tutorial2008: Web Application Security Tutorial
2008: Web Application Security Tutorial
 
End to end web security
End to end web securityEnd to end web security
End to end web security
 
LAMP security practices
LAMP security practicesLAMP security practices
LAMP security practices
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
 
Web application Security
Web application SecurityWeb application Security
Web application Security
 
Web security: OWASP project, CSRF threat and solutions
Web security: OWASP project, CSRF threat and solutionsWeb security: OWASP project, CSRF threat and solutions
Web security: OWASP project, CSRF threat and solutions
 
Dependency injection in PHP 5.3/5.4
Dependency injection in PHP 5.3/5.4Dependency injection in PHP 5.3/5.4
Dependency injection in PHP 5.3/5.4
 
Cisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Web and Email Security Overview
Cisco Web and Email Security Overview
 
Web Security
Web SecurityWeb Security
Web Security
 

Similar to SQL Injection: complete walkthrough (not only) for PHP developers

Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injectionbadhanbd
 
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_wormDefcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_wormguest785f78
 
Database design i_-_1_dl300
Database design i_-_1_dl300Database design i_-_1_dl300
Database design i_-_1_dl300KOI Lastone
 
SQL Injection: Amplifying Data Leakeage
SQL Injection: Amplifying Data LeakeageSQL Injection: Amplifying Data Leakeage
SQL Injection: Amplifying Data LeakeageUlisses Castro
 
Owasp Indy Q2 2012 Advanced SQLi
Owasp Indy Q2 2012 Advanced SQLiOwasp Indy Q2 2012 Advanced SQLi
Owasp Indy Q2 2012 Advanced SQLiowaspindy
 
Playing With (B)Sqli
Playing With (B)SqliPlaying With (B)Sqli
Playing With (B)SqliChema Alonso
 
SQL Injection in PHP
SQL Injection in PHPSQL Injection in PHP
SQL Injection in PHPDave Ross
 
Spot the Web Vulnerability
Spot the Web VulnerabilitySpot the Web Vulnerability
Spot the Web VulnerabilityMiroslav Stampar
 
Php classes in mumbai
Php classes in mumbaiPhp classes in mumbai
Php classes in mumbaiaadi Surve
 
Php &amp; my sql - how do pdo, mysq-li, and x devapi do what they do
Php &amp; my sql - how do pdo, mysq-li, and x devapi do what they doPhp &amp; my sql - how do pdo, mysq-li, and x devapi do what they do
Php &amp; my sql - how do pdo, mysq-li, and x devapi do what they doDave Stokes
 

Similar to SQL Injection: complete walkthrough (not only) for PHP developers (20)

Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injection
 
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_wormDefcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
 
Advanced sql injection 2
Advanced sql injection 2Advanced sql injection 2
Advanced sql injection 2
 
Quebec pdo
Quebec pdoQuebec pdo
Quebec pdo
 
Sq linjection
Sq linjectionSq linjection
Sq linjection
 
Database design i_-_1_dl300
Database design i_-_1_dl300Database design i_-_1_dl300
Database design i_-_1_dl300
 
SQL Injection: Amplifying Data Leakeage
SQL Injection: Amplifying Data LeakeageSQL Injection: Amplifying Data Leakeage
SQL Injection: Amplifying Data Leakeage
 
Sql Injection V.2
Sql Injection V.2Sql Injection V.2
Sql Injection V.2
 
Owasp Indy Q2 2012 Advanced SQLi
Owasp Indy Q2 2012 Advanced SQLiOwasp Indy Q2 2012 Advanced SQLi
Owasp Indy Q2 2012 Advanced SQLi
 
Quebec pdo
Quebec pdoQuebec pdo
Quebec pdo
 
harry presentation
harry presentationharry presentation
harry presentation
 
Playing With (B)Sqli
Playing With (B)SqliPlaying With (B)Sqli
Playing With (B)Sqli
 
plsql les06
plsql les06 plsql les06
plsql les06
 
PHP - Intriduction to MySQL And PHP
PHP - Intriduction to MySQL And PHPPHP - Intriduction to MySQL And PHP
PHP - Intriduction to MySQL And PHP
 
SQL Injection in PHP
SQL Injection in PHPSQL Injection in PHP
SQL Injection in PHP
 
Spot the Web Vulnerability
Spot the Web VulnerabilitySpot the Web Vulnerability
Spot the Web Vulnerability
 
Php classes in mumbai
Php classes in mumbaiPhp classes in mumbai
Php classes in mumbai
 
Php &amp; my sql - how do pdo, mysq-li, and x devapi do what they do
Php &amp; my sql - how do pdo, mysq-li, and x devapi do what they doPhp &amp; my sql - how do pdo, mysq-li, and x devapi do what they do
Php &amp; my sql - how do pdo, mysq-li, and x devapi do what they do
 
Bünyamin Demir - Secure YourApp
Bünyamin Demir - Secure YourAppBünyamin Demir - Secure YourApp
Bünyamin Demir - Secure YourApp
 
veracruz
veracruzveracruz
veracruz
 

More from Krzysztof Kotowicz

Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Krzysztof Kotowicz
 
Trusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSTrusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSKrzysztof Kotowicz
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Krzysztof Kotowicz
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Krzysztof Kotowicz
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsKrzysztof Kotowicz
 
I'm in your browser, pwning your stuff
I'm in your browser, pwning your stuffI'm in your browser, pwning your stuff
I'm in your browser, pwning your stuffKrzysztof Kotowicz
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitationKrzysztof Kotowicz
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Krzysztof Kotowicz
 
Something wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceSomething wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceKrzysztof Kotowicz
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraKrzysztof Kotowicz
 
Html5: something wicked this way comes
Html5: something wicked this way comesHtml5: something wicked this way comes
Html5: something wicked this way comesKrzysztof Kotowicz
 
Creating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptCreating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptKrzysztof Kotowicz
 
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScriptTworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScriptKrzysztof Kotowicz
 
Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?Krzysztof Kotowicz
 
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)Krzysztof Kotowicz
 

More from Krzysztof Kotowicz (17)

Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
 
Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018
 
Trusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSTrusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSS
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
 
HTML5: Atak i obrona
HTML5: Atak i obronaHTML5: Atak i obrona
HTML5: Atak i obrona
 
I'm in your browser, pwning your stuff
I'm in your browser, pwning your stuffI'm in your browser, pwning your stuff
I'm in your browser, pwning your stuff
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitation
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)
 
Something wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceSomething wicked this way comes - CONFidence
Something wicked this way comes - CONFidence
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPra
 
Html5: something wicked this way comes
Html5: something wicked this way comesHtml5: something wicked this way comes
Html5: something wicked this way comes
 
Creating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptCreating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScript
 
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScriptTworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
 
Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?
 
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
 

Recently uploaded

Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 

Recently uploaded (20)

Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 

SQL Injection: complete walkthrough (not only) for PHP developers

  • 1. SQL injection: complete walkthrough (not only) for PHP developers Krzysztof Kotowicz PHP Developer http://web.eskot.pl OWASP Medycyna Praktyczna krzysztof@kotowicz.net 10.03.2010 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
  • 2. Plan  What is SQL injection?  Why is it so dangerous (demo)?  How to defend? • Prepared statements • Escaping • Stored procedures • Additional methods  Summary OWASP 2
  • 3. Discussed databases (RDBMS)  MySQL  Oracle  MS SQL Server  To some extent: • PostgreSQL • SQLite OWASP 3
  • 4. Discussed PHP projects  PDO – PHP data objects • Common interface for various RDBMS  Doctrine 1.2 • ORM (Object Relational Mapper) used e.g. in Symfony framework  Propel 1.4 • ORM, like Doctrine • Used in Symfony  Zend Framework 1.10 • Popular framework MVC for PHP  MDB2 2.4.1 • Database abstraction layer (DBAL) • Distributed through PEAR OWASP 4
  • 5. What is SQL injection? OWASP 5
  • 6. SQL injection – short definition It is a kind of web application attack, where user- supplied input coming from: URL: www.example.com?id=1 Forms: email=a@example.com Other elements: e.g. cookie, HTTP headers is manipulated so that vulnerable application executes SQL commands injected by attacker. OWASP 6
  • 7. Example – login form SELECT * FROM users WHERE login = '{$login}' and password_hash = MD5('{$password}') $login = "' or 1=1 -- "; "anything"; $password = "dowolne"; // zamierzalismy osiagnacthis(kod dane) you wanted to achieve to (code data) SELECT * FROM users WHERE login = '' or 1=1 -- ' and password_hash = MD5('dowolne') MD5('anything') // but server interprets it as SELECT * FROM users WHERE login = '' or 1=1 -- ' and password_hash = MD5('anything') User logs in without knowing the login nor password OWASP 7
  • 8. Why is it so dangerous? DEMO OWASP 8
  • 9. What are the possible threats?  Unauthorized access to application  Access to whole database / databases on the server  Denial of service  Database modification  Read / write files on server's filesystem  Code execution OWASP 9
  • 10. A few facts  Injection vulnerabilities are the 1st on OWASP Top 10 2010 RC  SQLi is responsible for 40–60% cases of data breach [1] [2]  Modern attack techniques are advanced and automated • Vulnerability is not only in WHERE part • Sometimes it is enough to break a query  Vulnerabilities are found on a daily basis, even in new applications OWASP 10
  • 11. How to defend? OWASP 11
  • 12. How to defend against SQL injection?  Source of vulnerability is mixing code with data SELECT * FROM users WHERE login = 'login' Defense methods Separating code from data prepared statements stored procedures Escaping OWASP 12
  • 13. How to defend? Prepared statements OWASP 13
  • 14. Prepared statements – how to use? 1. Preparing SQL command (string) Put placeholders where data should be WHERE a = ? ... WHERE a = :col 2. Send command to server PREPARE 3. Attach data to command 4. Execute command EXECUTE 5. Fetch results 3, 4, 5 could be repeated... 6. Clear the command OWASP 14
  • 15. Prepared statements - example  PDO // prepare command $stmt = $dbh->prepare("INSERT INTO SUMMARIES (name, sum) VALUES (:name, :sum)"); // attach data variables - WITH ITS TYPES! $stmt->bindParam(':name', $name, PDO::PARAM_STR); $stmt->bindParam(':sum', $sum, PDO::PARAM_INT); // bind values $name = 'something'; $value = 1234; // execute command $stmt->execute(); $stmt = null; //free memory OWASP 15
  • 16. Prepared statements - advantages  Commands are completely separated from data they operate on  Injection is not possible  Command is compiled only once - potential speedup $stmt->bindParam(':name', $name, PDO::PARAM_STR); $stmt->bindParam(':sum', $sum, PDO::PARAM_INT); // petla po danych... foreach ($do_bazy as $name => $value) { $stmt->execute(); } OWASP 16
  • 17. Prepared statements - caveats  Not all commands may be parametrised  You cannot put parameters everywhere -- error SELECT * FROM :table SELECT :function(:column) FROM :view -- not what you expect SELECT * FROM table WHERE :column = 1 SELECT * FROM table GROUP BY :column  Just using PS does not enforce using parameters in them  Sometimes they're emulated (it's a good thing!) OWASP 17
  • 18. Prepared statements in Doctrine  Uses PDO (emulated for Oracle) and prepared statements  Uses own DQL language instead of SQL $q = Doctrine_Query::create() ->select('u.id') ->from('User u') ->where('u.login = ?', ‘mylogin'); echo $q->getSqlQuery(); // SELECT u.id AS u__id FROM user u // WHERE (u.login = ?) $users = $q->execute(); OWASP 18
  • 19. Prepared statements in Doctrine cont.  It can still bite you $q = Doctrine_Query::create() ->update('Account') ->set('amount', 'amount + 200') ->where("id > {$_GET['id']}");  Correct this to: ->where("id > ?", (int) $_GET['id']);  NEVER put input data directly into SQL commands OWASP 19
  • 20. Prepared statements in Propel  Uses PDO, like Doctrine // through Criteria $c = new Criteria(); $c->add(AuthorPeer::FIRST_NAME, "Karl"); $authors = AuthorPeer::doSelect($c); // through custom SQL (sometimes it's more convenient) $pdo = Propel::getConnection(BookPeer::DATABASE_NAME); $sql = "SELECT * FROM complicated_sql JOIN some_big_join USING something WHERE column = :col)”; $stmt = $pdo->prepare($sql); $stmt->execute(array('col' => 'Bye bye SQLi!'); OWASP 20
  • 21. Prepared statements in Zend Framework  PDO (+ mysqli + oci8 + sqlsrv) // prepare + execute $stmt = $db->prepare('INSERT INTO server (key, value) VALUES (:key,:value)'); $stmt->bindParam('key', $k); $stmt->bindParam('value', $v); foreach ($_SERVER as $k => $v) $stmt->execute(); // prepare + execute in one step $stmt = $db->query('SELECT * FROM bugs WHERE reported_by = ? AND bug_status = ?', array('goofy', 'FIXED')); while ($row = $stmt->fetch()) echo $row['bug_description']; OWASP 21
  • 22. Prepared statements in MDB2  Based on different database drivers (mysql, oci8, mssql, ...)  Emulates PS, if database doesn't support them $types = array('integer', 'text', 'text'); $stmt = $mdb2->prepare('INSERT INTO numbers VALUES (:id, :name, :lang)', $types); $data = array('id' => 1, 'name' => 'one', 'lang' => 'en'); $affectedRows = $stmt->execute($data); $stmt->free(); OWASP 22
  • 23. Prepared statements - summary  They offer very good protection (if used properly)  Easy to use, small changes in code  Good support in frameworks  They have their limits  Sometimes they have to be used with other defense methods OWASP 23
  • 24. How to defend? Escaping data OWASP 24
  • 25. Escaping – how does it work?  Data and commands are still kept in a single variable, but we try to separate them inline  Numbers • Cast to (int) / (float) – don't use is_numeric [1]!  Texts are surrounded with single quotes : ' .. WHERE col = 'TEXT DATA' AND ... • If quote is inside the text, you need a way to distinguish it from the ending quote • Prepend a special character e.g. "" to a quote • Escaping rules depend on context! OWASP 25
  • 26. Escaping – context addslashes() Returns a string with backslashes before characters that need to be quoted in database queries etc. These characters are single quote ('), double quote ("), backslash () and NUL (the NULL byte). / Source: php.net manual / $user = addslashes($_GET['u']); $pass = addslashes($_GET['p']); $sql = "SELECT * FROM users WHERE username = '{$user}' AND password = '{$pass}'"; $ret = exec_sql($sql);  Are you safe? OWASP 26
  • 27. NO OWASP
  • 28. Escaping – context cont.  Different RDBMS have different ways of escaping data (it also depends on configuration)  addslashes() works just like MySQL only „by chance” RBDMS PHP function i've got quotes PDO $pdo->quote($val, $type) n/a (it depends) MySQL (mysql) mysql_real_escape_string i've got quotes MySQL (mysqli) mysqli_real_escape_string i've got quotes Oracle (oci8) n/d - str_replace() i''ve got quotes SQLite sqlite_escape_string i''ve got quotes MS SQL (mssql) n/d - str_replace() i''ve got quotes PostgreSQL pg_escape_string() i''ve got quotes OWASP 28
  • 29. Escaping – context cont. // SELECT * FROM users WHERE username = // '{$user}' AND password = '{$pass}' $_GET['u'] = "anything'"; $_GET['p'] = " or 1=1 -- "; // MySQL sees it as : SELECT * FROM users WHERE username = 'anything'' AND password = ' or 1=1 -- ' // SQLite / MS SQL / Oracle / PostgreSQL: SELECT * FROM users WHERE username = 'anything'' AND password = ' or 1=1 -- '  Don't use addslashes(), use PHP functions for your RBDMS  Are you safe now? OWASP 29
  • 30. ALMOST OWASP
  • 31. Escaping gotchas – charsets  Errors discovered in 2006 in PostgreSQL and MySQL [1] [2]  In some multibyte charsets despite escaping you can cause SQL injection  is „swallowed” by multibyte character  Example: • BF 27 [ ¬ ' ]  BF 5C 27 [ ¬ ' ] • First 2 bytes are character ¿ in GBK charset • Server will see ¿' OWASP 31
  • 32. Escaping gotchas – charsets  Some Asian charsets are vulnerable  Luckily - not UTF-8!  In PostgreSQL '' escaping was used (instead of ')  In mysql_real_escape_string() escaping is done with respect to current connection charset • Doesn't always work! [1] [2]  Charset also defines context OWASP 32
  • 33. Escaping gotchas – object names  Colum, table, database etc. names • No common good rule to escape them • Different reserved words, different maximum name lengths etc. If you need to get those names from the user - use whitelisting (blacklisting if you really can't do otherwise) OWASP 33
  • 34. Escaping gotchas – object names cont.  Example - sorting by column  There's a vuln. in $order, but you can't escape there $cat_id = (int) $_GET['cid']; $order = $_GET['column']; $stmt = $pdo->prepare("SELECT * FROM products WHERE cid = :cid ORDER BY $order"); $stmt->bindParam(':cid', $cat_id, PDO::PARAM_INT); if ($stmt->execute()) { ... } OWASP 34
  • 35. Escaping gotchas – object names cont.  Whitelisting $columns = array( // list of allowed columns 'product_name','cid','price', ); if (!in_array($order, $columns, true)) $order = 'product_name'; // default column  Blacklisting // only a-z and _ $order = preg_replace('/[^a-z_]/', '', $order); // max 40 characters $order = substr($order, 0, 40); OWASP 35
  • 36. Escaping in PDO  PDO::quote($value, $type, $len)  Length and type are sometimes ignored! • Cast numbers to (int), (float) • Texts – cut them manually $quoted = $pdo->quote($input, PDO::PARAM_STR, 40); OWASP 36
  • 37. Escaping in Doctrine  Careful with Doctrine quote()! $q = Doctrine_Query::create(); // not like this!!! $quoted = $q->getConnection()->quote($input, 'text'); $q->update('User')->set('username', $quoted); // quote() only changes ' to '' - exploit (MySQL): $input = 'anything' where 1=1 -- '; // escape through PDO - getDbh(): $quoted = $q->getConnection() ->getDbh() ->quote($input, PDO::PARAM_STR); // 'anything ' where 1=1 -- ' OWASP 37
  • 38. Escaping in Propel  Through PDO::quote() $pdo = Propel::getConnection(UserPeer::DATABASE_NAME); $c = new Criteria(); $c->add(UserPeer::PASSWORD, "MD5(".UserPeer::PASSWORD.") " ." = " . $pdo->quote($password), Criteria::CUSTOM); OWASP 38
  • 39. Escaping in Zend Framework  Functions quote(), quoteInto() $name = $db->quote("O'Reilly"); // 'O'Reilly' // simplified escaping for a single value $sql = $db->quoteInto("SELECT * FROM products WHERE product_name = ?", 'any string'); OWASP 39
  • 40. Escaping in MDB  quote() // quote() function - give type $query = 'INSERT INTO table (id, itemname, saved_time) VALUES (' . $mdb2->quote($id, 'integer') .', ' . $mdb2->quote($name, 'text') .', ' . $mdb2->quote($time, 'timestamp') .')'; $res = $mdb2->exec($query); OWASP 40
  • 41. Escaping - summary  Looks easy - search and replace  Just looks • You need to know the context (database, charset) • There are invalid implementations  Encourages invalid practices • concatenating strings to form a SQL command • ignoring numeric parameters  Use only if • You program for a single RDBMS • There is no other way OWASP 41
  • 42. How to defend? Stored procedures OWASP 42
  • 43. Stored procedures  SQL command(s) is moved to database server and stored there under a name  Client executes a procedure with input and output parameters  In output parameters client receives results  Data is formally separated from code  It's NOT enough OWASP 43
  • 44. Stored procedures cont.  Example for MS SQL – a vulnerable procedure CREATE PROCEDURE SP_ProductSearch @prodname varchar(400) AS DECLARE @sql nvarchar(4000) SELECT @sql = 'SELECT ProductID, ProductName, Category, Price FROM Product Where ProductName LIKE ''' + @prodname + '''' EXEC (@sql) ...  It's just like eval()! OWASP 44
  • 45. Stored procedures cont.  Same vulnerability in Oracle CREATE OR REPLACE PROCEDURE SP_ProductSearch(Prodname IN VARCHAR2) AS sqltext VARCHAR2(80); BEGIN sqltext := 'SELECT ProductID, ProductName, Category, Price FROM Product WHERE ProductName LIKE ''' || Prodname || ''''; EXECUTE IMMEDIATE sqltext; ... END; OWASP 45
  • 46. Stored procedures – Dynamic SQL  Vulnerability lies in Dynamic SQL • Data is again mixed with code in one variable  How to defend? • Separate the code from data • Escape OWASP 46
  • 47. Stored procedures in MS SQL  Separating code from data • use sp_executesql with parameter list CREATE PROCEDURE SP_ProductSearch @prodname varchar(400) = NULL AS DECLARE @sql nvarchar(4000) SELECT @sql = N'SELECT ProductID, ProductName, Category, Price FROM Product Where ProductName LIKE @p' EXEC sp_executesql @sql, N'@p varchar(400)', @prodname OWASP 47
  • 48. Stored procedures in MS SQL cont.  Escaping character data Object name QUOTENAME(@v) Text <= 128 chars QUOTENAME(@v,'''') Text > 128 chars REPLACE(@v,'''','''''')  Example: SET @cmd = N'select * from authors where lname=''' + REPLACE(@lname, '''', '''''') + N''''  Escape only when you must! (use sp_executesql with parameters) OWASP 48
  • 49. Stored procedures in Oracle  Oracle - use EXECUTE IMMEDIATE .. USING CREATE OR REPLACE PROCEDURE SP_ProductSearch(Prodname IN VARCHAR2) AS sqltext VARCHAR2(80); BEGIN sqltext := 'SELECT ProductID, ProductName, Category, Price WHERE ProductName=:p'; EXECUTE IMMEDIATE sqltext USING Prodname; ... END;  Escaping - DBMS_ASSERT package OWASP 49
  • 50. Stored procedures in MySQL  Support for Dynamic SQL only through prepared statements  It's actually harder to make vulnerable procedure  Just use placeholders OWASP 50
  • 51. Stored procedures in MySQL cont.  PREPARE / EXECUTE USING / DEALLOCATE PREPARE DELIMITER $$ CREATE PROCEDURE get_users_like ( IN contains VARCHAR(40)) BEGIN SET @like = CONCAT("%", contains, "%"); SET @sql = "SELECT * FROM users WHERE uname LIKE ?"; PREPARE get_users_stmt from @sql; EXECUTE get_users_stmt USING @like; DEALLOCATE PREPARE get_users_stmt; END$$ DELIMITER ; OWASP 51
  • 52. Stored procedures in MySQL cont.  Or, even simpler DELIMITER $$ CREATE PROCEDURE get_users_like ( IN contains VARCHAR(40)) BEGIN SET @like = CONCAT("%", contains, "%"); SELECT * FROM users WHERE uname LIKE @like; END$$ DELIMITER ;  Escaping – QUOTE() function OWASP 52
  • 53. Stored procedures in PHP  Different support level, depending on RDBMS  Common API (e.g. PDO) only for simple calls • No return from procedure • Returns scalar value in OUT parameter  Different API (or none at all) for advanced calls • e.g. cursors, fetching records sets  Almost no support in frameworks  Still some errors... OWASP 53
  • 54. Stored procedures in PDO  Calling a procedure // MySQL $sql = "CALL get_users_like(:contains)"; // MS SQL – EXEC get_users_like :contains $stmt = $pdo->prepare($sql); $ret = $stmt->execute(array('contains' => $input)); foreach($stmt->fetchAll() as $users) { var_dump($users); } unset($s); OWASP 54
  • 55. Stored procedures in Doctrine/Propel/Zend Framework  Doctrine - no support (use PDO) $pdo = Doctrine_Manager::connection()->getDbh();  Propel – likewise $pdo = Propel::getConnection(UserPeer::DATABASE_NAME);  Zend Framework – likewise $pdo = $db::getConnection(); OWASP 55
  • 56. Stored procedures in MDB2  You need to manually escape all parameters! $mdb2->loadModule('Function'); $multi_query = $mdb2->setOption('multi_query', true); if (!PEAR::isError($multi_query)) { $result = $mdb2->executeStoredProc('get_users_like', array($mdb2->quote($contains, 'text'))); do { while ($row = $result->fetchRow()) { var_dump($row); } } while ($result->nextResult()); } OWASP 56
  • 57. Stored procedures - gotchas  Data length CREATE PROCEDURE change_password @loginname varchar(50), @old varchar(50), @new varchar(50) AS DECLARE @command varchar(120) SET @command= 'UPDATE users SET password=' + QUOTENAME(@new, '''') + ' WHERE loginname=' + QUOTENAME(@loginname, '''') + ' AND password=' + QUOTENAME(@old, '''') EXEC (@command) GO OWASP 57
  • 58. Stored procedures - summary  Moving SQL logic to server takes time  Code is not easily ported to other RDBMS  You need to use prepared statements or escaping to write safe stored procedures anyway  If done poorly, you're even more vulnerable • Both SP code and statement calling SP could be vulnerable • SP usually has greater permissions than code calling it  Bad support in PHP and frameworks OWASP 58
  • 59. Stored procedures - summary SPs have many advantages outside our scope  Could be used with different clients (Java/.NET + PHP)  Could have better berformance  and many more... Conclusion: You can write secure stored procedures, but they usually increase the application cost considerably It is vital to write stored procedures protected against SQL injection OWASP 59
  • 60. How to defend? Additional methods OWASP 60
  • 61. Validation and filtering  Validate all external data  Validate before processing  Filter INPUT - escape OUTPUT  Different validation rules for each parameter - check e.g. • Type • Scalar / array • Min / max values • Character data length! [1] OWASP 61
  • 62. Additional methods Complementary to all previously mentioned!  Principle of least privilege when connecting to DB  Removing unused functions, accounts, packages shipped with database  Routinely updating the system and database software  Correct PHP and database configuration • magic_quotes_* = false • display_errors = false  Good database design OWASP 62
  • 63. Summary  Pay attention to SQL injection - even a single mistake could cost you!  Prefer complete solutions - e.g. frameworks  Filter and validate all input data  Remeber about data types and lengths  Prefer whitelisting to blacklisting - the latter will fail one day!  Use prepared statements whenever you can  Try to avoid escaping  In stored procedures double check your Dynamic SQL OWASP 63
  • 64. Links  Discussed projects • sqlmap.sourceforge.net • php.net/manual/en/book.pdo.php • www.doctrine-project.org • propel.phpdb.org/trac • framework.zend.com • pear.php.net/package/MDB2  About SQL injection • www.owasp.org/index.php/SQL_Injection • unixwiz.net/techtips/sql-injection.html • delicious.com/koto/sql+injection  Hack me • threats.pl/bezpieczenstwo-aplikacji-internetowych • tinyurl.com/webgoat • mavensecurity.com/dojo.php  krzysztof@kotowicz.net http://blog.kotowicz.net OWASP 64