While reading the SANS Internet Storm Center’s RSS feed, I found an interesting article on SQL Injections. http://isc.sans.org/diary.html?storyid=5416

The intriguing part was doing injections without the use of quotes or semicolons, which allowed me to do some injections of my own on a production server!

It really is very important to treat any data coming from the Internet as ‘tainted’, and sanitize it on the server. If you think it can’t be ‘tainted’, download a copy of Opera, visit the web page with it, use View Source, and edit away: change all the default values you expect into unsafe data, click the Apply Changes button, and submit your altered form. Default values, hidden fields and client-side checks are all under the visitor's control, so nothing the browser sends can be trusted.

Notes from my experience:

  1. Remove debugging messages that show the final SQL statement. Showing the statement lets the attacker see exactly what they need to change in their input to make the SQL behave badly. Note: showing a raw "SQL error" message is just as bad! Better to say, "No records found".
  2. Log SQL errors. Form input in production should never generate a SQL error, so a logged one means either a bug or someone probing the form.
  3. Test, test, and retest.  Once you know what to look for, share what you have found with the rest of your development team.  Security is paramount in this day and age.
  4. Code review.  Look for code that doesn’t sanitize input.
  5. Add these checks into your routine testing process.
  6. Try not to laugh when using PHP and security in the same sentence.  It can be done, really!  And secure PHP code can be written, really!
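As an added example, not code from the original post or the SANS diary, here is a Python/sqlite3 sketch of the quote-free case: an account id pasted into a numeric comparison, beside the same lookup with type validation, parameter binding and server-side error logging as in notes 1 and 2. The table, rows and function names are all constructed for the demonstration.

```python
import logging
import sqlite3

log = logging.getLogger("sqli-demo")


def make_db():
    # Constructed sample data: three accounts keyed by an integer id.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1, "alice", 100), (2, "bob", 250), (3, "carol", 75)])
    return conn


def lookup_vulnerable(conn, account_id):
    # Tainted input is concatenated straight into the statement. Because the
    # value sits in a numeric context, no quote or semicolon is needed for
    # extra SQL to become part of the WHERE clause.
    sql = "SELECT owner, balance FROM accounts WHERE id = " + account_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, account_id):
    # Validate the type first: an account id is an integer and nothing else.
    try:
        wanted = int(account_id)
    except ValueError:
        log.warning("rejected non-numeric account id: %r", account_id)
        return []
    # Parameter binding keeps the value out of the SQL text entirely.
    try:
        return conn.execute(
            "SELECT owner, balance FROM accounts WHERE id = ?", (wanted,)
        ).fetchall()
    except sqlite3.Error as exc:
        # Notes 1 and 2: log the error server-side, never echo the
        # statement or the error text back to the client.
        log.error("SQL error for account id %r: %s", wanted, exc)
        return []


def render(rows):
    # The visitor sees either the rows or a neutral message, never SQL details.
    return rows if rows else "No records found"
```

Run `lookup_vulnerable` and `lookup_hardened` with the same non-numeric id to see the first return every row and the second reject it and log a warning.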