Is it possible to manipulate SESSION variables to perform SQL Injection?

Viewed 258 times

3

I’m not an expert on cyber attacks and I have a small doubt about the safety of my projects. Basically, one of the ways I prevent SQL injections is by creating a function "treatString()", for example, and all the data that comes in from outside I filter through this function. Great! It works...!

I know it’s possible to manipulate a browser’s COOKIES externally and maliciously, to the point where, if the application uses $_COOKIES, the injection happens. So I also filter those through the function above.

The question is... can the SESSION variables also be manipulated maliciously? Should I guard against them too? Is it possible to manipulate them externally, as with the COOKIES?

If yes, I’m screwed. Because in all the projects I created, I didn’t prevent injection via SESSION, and in the first ones I did I didn’t even use PDO for the database connection. And worse, I remember working directly with the session variables in the SQL statements.

Any guess?

I appreciate the support. Hugs!!

  • 4

    This is usually the first problem indicator: "one of the ways that I prevent SQL injections is by creating a 'trataString()' function, for example, and all the data entering externally I filter through this function." - If you use MySQL, you already have the correct function for this. There’s no reason to write a separate one (like those freaks who keep posting that "Antiinjection()" function crap on the forums). Once the string is sanitized the right way when building the query, using the native function, injection does not occur.

  • 2

    SQL Injection only occurs if you use string concatenation to create queries, e.g.: string sql = "select * from tabela where campo=" + variavel_campo. You inject SQL into variavel_campo, such as '1 or 1=1;Drop table a table;'. An easy way to avoid SQL Injection is to use parameters instead of concatenation.

  • 3

    As an alternative to the correct function (in the case of mysqli, for example, mysqli_real_escape_string), you can bind the values, but remember that this is optional. Contrary to what the "experts" spread around, binding (native, not emulated as in PDO, for example, which is more of a kind of embellishment) was not made to avoid injection, but to reuse a query.

  • I appreciate the help, folks. Today I already use mysqli, PDO, parameters and sometimes native functions. My doubt is only in relation to the manipulation of SESSION, because I have several projects already published that I remember not having all this security. My concern is not with my next projects, but with the ones I did before. You see?

2 answers

1


As friends have commented above, it is important to use tried and tested methods, which are therefore safe, for filtering data, such as mysql_real_escape_string.

However, since your question is about SQL Injection via session variables, the answer is: perhaps. A client cannot modify a session variable directly, since it is only accessed on the server side. However, if, through bad programming practices, the developer stores information that can be manipulated by the user in session variables, the answer can be yes. Only this is an indirect manipulation. An example of "indirect manipulation" of the session can be seen here: https://security.stackexchange.com/questions/2070/altering-a-session-variable-in-php-via-xss

It is important to emphasize that all data that can be manipulated by the user deserves attention and should be sanitized.

1

If the session stores some value that is supplied by the user: yes. A common case would be:

  1. The user enters the name "or"1"="1
  2. You run INSERT tabela(name) VALUES ("\"or"1"="1")
     In this case no "SQL Injection" is performed; you simply have a name like any other string.
  3. Then the user accesses a page where you retrieve the name from the database and create a session with it, which will result in $_SESSION['nome'] = "or"1"="1.
  4. Then you decide to run SELECT * WHERE nome = "$_SESSION['nome']", which in this case becomes exactly: SELECT * WHERE nome = ""or"1"="1", thus obtaining all the data instead of the data for the specific name.
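The four steps above, carried through as an added example (not code from the question or either answer): the hostile name is inserted safely with a bound parameter, read back into the session, and then used once by string concatenation and once by a prepared statement. It uses an in-memory SQLite database through PDO so it runs stand-alone from the CLI; the table name usuarios, the sample rows and the function names are constructed for the example.

```php
<?php
// Added example: second-order SQL injection through a session value, and the
// parameterized fix. Assumes the pdo_sqlite extension is available.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed table and rows for the demonstration.
$pdo->exec('CREATE TABLE usuarios (id INTEGER PRIMARY KEY, nome TEXT, email TEXT)');
$pdo->exec("INSERT INTO usuarios (nome, email) VALUES ('alice', 'alice@example.com')");
$pdo->exec("INSERT INTO usuarios (nome, email) VALUES ('bob', 'bob@example.com')");

// Steps 1 and 2: the user registers with a hostile name. The INSERT is
// parameterized, so the name is stored literally and nothing breaks yet.
$nomeInformado = "x' OR '1'='1";
$ins = $pdo->prepare('INSERT INTO usuarios (nome, email) VALUES (:nome, :email)');
$ins->execute([':nome' => $nomeInformado, ':email' => 'x@example.com']);

// Step 3: a later page reads the stored name back and puts it in the session.
// $_SESSION is used as a plain array here so the script runs without session_start().
$_SESSION = [];
$_SESSION['nome'] = $pdo->query('SELECT nome FROM usuarios WHERE id = 3')->fetchColumn();

// Step 4, vulnerable: the session value is trusted and concatenated into SQL.
// With the stored name the query becomes: ... WHERE nome = 'x' OR '1'='1'
function buscaVulneravel(PDO $pdo, string $nome): array
{
    $sql = "SELECT email FROM usuarios WHERE nome = '$nome'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: the same lookup with a bound parameter; the quote inside the name is
// treated as data, not as SQL syntax, regardless of where the value came from.
function buscaSegura(PDO $pdo, string $nome): array
{
    $stmt = $pdo->prepare('SELECT email FROM usuarios WHERE nome = :nome');
    $stmt->execute([':nome' => $nome]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$vuln = buscaVulneravel($pdo, $_SESSION['nome']); // all three e-mail addresses
$safe = buscaSegura($pdo, $_SESSION['nome']);     // only x@example.com
printf("concatenated: %d rows, parameterized: %d rows\n", count($vuln), count($safe));
```

The point the example makes is that the session is not the source of the problem: the value was already stored safely, and what decides whether the injection happens is how the value is used in the final query. Treating every value as a parameter, whether it arrived via $_POST, $_COOKIE, the database or $_SESSION, closes the case; escaping only "external" input at the edge does not, because the hostile string re-enters the application later from a source the filter never sees.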
