MySQL Injection
#1

[eluser]lenswipe[/eluser]
Hi guys


Just gonna do quite a complex site with CI, but I want to know if I need to escape my user input before I pass it to Active Record, or does Active Record escape everything for me?

Cheers


-Robert
#2

[eluser]lisahill[/eluser]
MySQL Database is a great product used by thousands of websites. Various web applications use MySQL as their default database. Some of these applications are written with security in mind, and some are not. In this article, I would like to show you how you can exploit SQL injection in order to gain almost full control over your webserver.

Most people know that SQL injection allows attackers to retrieve database records, pass login screens, and change database content through the creation of new administrative users. MySQL does not have a built-in command to execute shell commands, like Microsoft SQL Server. I will show you how to run arbitrary commands using standard features provided by MySQL.

First of all, I would like to give a brief description of SQL injection, then I would like to present you with a couple of less-known methods that exist in MySQL, which I will use to backdoor a webserver. I will use 2 built-in MySQL commands - one that writes arbitrary files and one that can be used to read arbitrary files. After that I will describe webshells and go to the attack itself.

#3

[eluser]InsiteFX[/eluser]
@lisahill Fool!

@lenswipe

If you use the CodeIgniter Active Record it escapes all fields for you!

The only other thing you will need to do is xss_clean your input data
Code:
// Global xss_clean - application/config/config.php
$config['global_xss_filtering'] = TRUE;

// Manual xss_clean on a single field
$this->input->post('some_data', TRUE);

InsiteFX
#4

[eluser]eoinmcg[/eluser]
What @InsiteFX says.

Using CodeIgniter's Active Record class will automatically escape input
http://ellislab.com/codeigniter/user-gui...ecord.html

or, if you prefer writing the SQL manually you can also use query bindings:
http://ellislab.com/codeigniter/user-gui...eries.html
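As an added example (not code from the thread or from CodeIgniter itself), here is a CodeIgniter 2.x model that uses the three query styles mentioned above side by side: Active Record, query bindings, and manual SQL with the driver's escape() call. The table and column names (users, username, email, status, created_at) are assumptions. It also shows the one thing Active Record escaping does not decide for you: when the user picks a column name rather than a value, that identifier has to be whitelisted, because escaping applies to values.

```php
<?php
// Added example, not from the thread: a CodeIgniter 2.x model.
// Table and column names below are assumptions for illustration.
class User_model extends CI_Model
{
    // Active Record: every value handed to where()/insert()/update()
    // is escaped by the database driver when the query is compiled.
    public function find_by_username($username)
    {
        $query = $this->db->where('username', $username)->get('users');
        return $query->row_array();
    }

    // Query bindings: each ? is replaced, in order, by the escaped value.
    public function find_active($username)
    {
        $sql = "SELECT id, username FROM users WHERE username = ? AND status = ?";
        $query = $this->db->query($sql, array($username, 'active'));
        return $query->result_array();
    }

    // Manual SQL: escape() quotes and escapes the value for the driver in use.
    public function count_by_email($email)
    {
        $sql = "SELECT COUNT(*) AS n FROM users WHERE email = "
             . $this->db->escape($email);
        return (int) $this->db->query($sql)->row()->n;
    }

    // Not covered by value escaping: a user-chosen column name.
    // An identifier is not a bound value, so restrict it to a known list
    // before it reaches order_by().
    public function list_sorted($sort_column)
    {
        $allowed = array('username', 'created_at');
        if ( ! in_array($sort_column, $allowed, TRUE))
        {
            $sort_column = 'username';
        }
        return $this->db->order_by($sort_column, 'asc')
                        ->get('users')
                        ->result_array();
    }
}
```

Any of these can be called from a controller after loading the model, e.g. `$this->user_model->find_by_username($this->input->post('username'))`; the value escaping happens inside the database layer regardless of what the string contains.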
#5

[eluser]lenswipe[/eluser]
I think I'm using the active record class...

I'm doing $data['query'] = $this->db->get('tablename');

Is that active record?
#6

[eluser]coderedmax[/eluser]
@InsiteFX

Just to be clear, if:

$config['global_xss_filtering'] = TRUE;

does it also filter GET, COOKIE, etc.?
#7

[eluser]eoinmcg[/eluser]
@lenswipe Yes, that is Active Record, and it will escape all your queries. That's not to say that you shouldn't filter all input. For example, if your site implements user comments you'll want to run them through xss_clean as @InsiteFX points out.
#8

[eluser]eoinmcg[/eluser]
@coderedmax The user manual states that it will clean POST and COOKIE data, but a look at the code shows that the GET array and $_SERVER['PHP_SELF'] are also sanitised.
https://bitbucket.org/ellislab/codeignit...php#cl-435
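As an added example (not code from the thread or from CodeIgniter), here is a CodeIgniter 2.x controller that keeps global_xss_filtering off and instead cleans only the fields it actually stores, using the per-call TRUE flag on post(), get() and cookie() and the Security class directly. The controller, table and field names (comments, title, body, page) are assumptions. It also makes the distinction from the previous posts explicit: xss_clean is about what ends up rendered in a browser, while Active Record's escaping is about the SQL statement, and the two happen independently.

```php
<?php
// Added example, not from the thread: a CodeIgniter 2.x controller.
// Controller, table and field names are assumptions for illustration.
// Assumes $config['global_xss_filtering'] = FALSE in config.php.
class Comments extends CI_Controller
{
    public function store()
    {
        // Second argument TRUE runs xss_clean on that one value.
        // The same flag is accepted by get() and cookie().
        $body = $this->input->post('body', TRUE);
        $page = $this->input->get('page', TRUE);

        // xss_clean can also be applied to a value read without the flag.
        $raw   = $this->input->post('title');
        $title = $this->security->xss_clean($raw);

        // Separate concern: Active Record escapes these values for SQL
        // when the INSERT is compiled, whether or not xss_clean ran.
        $this->db->insert('comments', array(
            'title' => $title,
            'body'  => $body,
            'page'  => (int) $page,
        ));

        redirect('comments/show/' . (int) $page);
    }

    public function show($page)
    {
        $data['comments'] = $this->db->where('page', (int) $page)
                                     ->get('comments')
                                     ->result_array();

        // xss_clean on input is a filter, not an output encoder: the view
        // should still HTML-encode each field it prints, e.g.
        // htmlspecialchars($c['body'], ENT_QUOTES, 'UTF-8').
        $this->load->view('comments/list', $data);
    }
}
```

Cleaning per field rather than globally keeps the cost of xss_clean limited to the inputs that are actually rendered later, and leaves fields such as numeric ids or API payloads untouched.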
#9

[eluser]lenswipe[/eluser]
thanks for the help eoinmcg :)
#10

[eluser]InsiteFX[/eluser]
@coderedmax

Global XSS filtering is also a CPU hog!

That's why most users do not use it!

InsiteFX