SQL Injection: HTML entity codes bypassing Active Record security
#1

[eluser]tical[/eluser]
I know CI is meant to escape SQL queries against SQL injection when Active Record is used; however, I decided to actually test it, and to my confusion, I can beat it very simply by submitting HTML entity codes.

In my example, data is retrieved from a text input field using:
Code:
$this->input->post('my_field');

If I was to submit the value:
Code:
1' OR `column` != '1

And enter it into an Active Record query as follows:
Code:
$data = $this->input->post('my_field'); // Value = 1' OR `column` != '1

$this->db->get_where('my_table', array('column' => $data));

echo $this->db->last_query();

It outputs the MySQL statement:
Code:
SELECT * FROM `my_table` WHERE `column` = '1' OR `column` != '1'

Which in this example would return every record in the table.
Is this a serious bug, or is something wrong with my implementation?

I'm using CI 2.0.2 Reactor.
#2

[eluser]tical[/eluser]
I have realised there is no actual problem with the above example.

The reason the injected SQL query appeared to be perfectly formatted is that the $this->db->last_query() function is, of course, returning the SQL statement to the browser, which then converts the HTML entity code into an apostrophe (').

However, when the injected SQL query was run by the database, it would still be run as a non-converted HTML entity code.
#3

[eluser]John Murowaniecki[/eluser]
Also known as the 'do you see what I see?' problem. The query isn't shown the way it is interpreted.
#4

[eluser]John_Betong_002[/eluser]
I was intrigued and decided to test your script on this forum's search utility and was absolutely amazed at the result :)
#5

[eluser]nevsie[/eluser]
So the summary here is that it displays the details through the browser, but does not get executed, right?
#6

[eluser]tical[/eluser]
[quote author="nevsie" date="1312491728"]So the summary here is that it displays the details through the browser, but does not get executed, right?[/quote]

Correct.

The database executes the query in the exact HTML entity format in which it was submitted; nothing is converted into another character.

To confirm this, you can use the htmlentities() function:
Code:
echo htmlentities($this->db->last_query());


Which returns the query exactly as the database called it:
Code:
SELECT * FROM `my_table` WHERE `column` = '1' OR `column` != '1'
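As an added example, not code from this thread or from CodeIgniter: the two views of the same query that posts #2 and #6 describe, run against an in-memory SQLite table so the difference between what the browser paints and what the database receives can be checked rather than eyeballed. Parameter binding stands in for Active Record's driver-level escaping (a substitution, not CI's own mechanism); the table contents, and the `&#39;` entity used for the apostrophe, are assumptions, since the listings above show the apostrophe already rendered. The example also runs the genuinely unescaped concatenation, which the thread does not, to show that the entity-encoded value is inert even there while a real apostrophe is not.

```python
import html
import sqlite3

# Constructed sample data (not from the forum thread): three rows, one of
# which holds the value "1" that the form is searching for.
SAMPLE_ROWS = [(1, "1"), (2, "2"), (3, "3")]

# The value as it arrives from the form when the user types an HTML entity
# code. Which entity the original poster used is an assumption; &#39; is the
# common numeric form of the apostrophe.
ENTITY_PAYLOAD = "1&#39; OR `column` != &#39;1"
# The same value with a real apostrophe: what the browser *displays* when the
# entity-encoded query is echoed without htmlentities().
RAW_PAYLOAD = "1' OR `column` != '1"


def make_db():
    """Create an in-memory SQLite table shaped like the thread's my_table.
    SQLite accepts MySQL-style backtick quoting, so `column` works as-is."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE my_table (id INTEGER PRIMARY KEY, `column` TEXT)")
    conn.executemany("INSERT INTO my_table VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def build_unescaped_sql(value):
    """Plain string concatenation with no escaping: the injectable pattern.
    Used only to show the text the database would receive in that case."""
    return "SELECT * FROM my_table WHERE `column` = '" + value + "'"


def run_unescaped(conn, value):
    """Execute the concatenated query. A real apostrophe breaks out of the
    string literal; an entity code does not, because SQL never decodes HTML."""
    return conn.execute(build_unescaped_sql(value)).fetchall()


def run_bound(conn, value):
    """Parameter binding, standing in for Active Record's escaping. The whole
    value is one string literal whatever characters it contains."""
    return conn.execute(
        "SELECT * FROM my_table WHERE `column` = ?", (value,)
    ).fetchall()


def as_browser_shows(sql):
    """echo $this->db->last_query() with no encoding: the browser decodes the
    entity, so &#39; is painted as a quote and the query *looks* injected."""
    return html.unescape(sql)


def as_htmlentities_shows(sql):
    """echo htmlentities(last_query()): & becomes &amp;, so the browser now
    paints the literal text the database actually received."""
    return html.escape(sql, quote=True)


if __name__ == "__main__":
    db = make_db()
    sql = build_unescaped_sql(ENTITY_PAYLOAD)
    print("browser paints   :", as_browser_shows(sql))
    print("database received:", sql)
    print("htmlentities view:", as_htmlentities_shows(sql))
    print("rows, unescaped + entity value:", run_unescaped(db, ENTITY_PAYLOAD))
    print("rows, unescaped + real quote  :", run_unescaped(db, RAW_PAYLOAD))
    print("rows, bound + real quote      :", run_bound(db, RAW_PAYLOAD))
```

Running it prints the browser view (which matches the "injected" statement in post #1), the string the database received (entity intact), the full table for the unescaped query with a real apostrophe, and an empty result for both the entity-encoded value and the bound real apostrophe. The practical rule the thread lands on is the last function: when auditing last_query() output, always pass it through htmlentities() (or view the page source), otherwise the browser is part of the rendering pipeline and the result cannot be trusted.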



