xRobot - 4 months ago
SQL Question

Someone has hacked my database - how did this guy do it?

Someone has hacked my database and has dropped the table.

In my PHP page there is one single query where I am using mysql_real_escape_string:

$db_host="sql2.netsons.com";
$db_name="xxx";
$username="xxx";
$password="xxx";

$db_con=mysql_connect($db_host,$username,$password);

$connection_string=mysql_select_db($db_name);
mysql_connect($db_host,$username,$password);
mysql_set_charset('utf8',$db_con);

$email= mysql_real_escape_string($_POST['email']);
$name= mysql_real_escape_string($_POST['name']);
$sex= mysql_real_escape_string($_POST['sex']);

if($_POST['M']!=""){ $sim = 1; }else { $sim = 0; }

$query = "INSERT INTO `users` (`email`, `name`, `sex`, `M`) VALUES
( '".$email."', '".ucwords(strtolower($name))."', '".$sex."','".$sim."')";

$res = mysql_query($query) or die("Query fail: " . mysql_error() );

mysql_close($db_con);


And register_globals is disabled.

So, how did this guy hack my database?

Answer

mysql_real_escape_string

The MySQL connection. If the link identifier is not specified, the last link opened by mysql_connect() is assumed. If no such link is found, it will try to create one as if mysql_connect() was called with no arguments. If no connection is found or established, an E_WARNING level error is generated.

As explained here: Does mysql_real_escape_string() FULLY protect against SQL injection?

Based on your code snippet, you have connected to the database twice.

$db_con=mysql_connect($db_host,$username,$password);    

$connection_string=mysql_select_db($db_name);
mysql_connect($db_host,$username,$password);    
mysql_set_charset('utf8',$db_con); 

And you did not supply the database link identifier for:

$email= mysql_real_escape_string($_POST['email']);
$name= mysql_real_escape_string($_POST['name']);
$sex= mysql_real_escape_string($_POST['sex']); 

Therefore, mysql_set_charset has no effect on the real-escaping of the supplied $_POST values for multi-byte characters.

Suggestion

  • remove the second mysql_connect($db_host,$username,$password);
  • explicitly add $db_con when doing mysql_real_escape_string
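A corrected version of the insert that applies both suggestions, added here as an example rather than code from the question or the answer: one connection, the charset set on that connection, and the same link passed to every escape call. It is written against mysqli (the mysql_* functions in the question were removed in PHP 7), where the link is a required first argument of mysqli_real_escape_string, so it cannot be left out silently. Host, database and credential values are placeholders.

```php
<?php
// Added example (not the question's or the answer's code). Connection
// values are placeholders; mysqli is used because the mysql_* extension
// no longer exists in PHP 7 and later.
$db_host  = "db.example.invalid";
$db_name  = "example_db";
$username = "example_user";
$password = "example_password";

// Exactly one connection. Without a second connect call there is no other
// link that could silently become the "last opened" default.
$db_con = mysqli_connect($db_host, $username, $password, $db_name);
if ($db_con === false) {
    die("Connection failed: " . mysqli_connect_error());
}

// The charset is set on the same link that will perform the escaping, so
// the escaper and the server agree on how multi-byte input is interpreted.
if (!mysqli_set_charset($db_con, 'utf8mb4')) {
    die("Failed to set charset: " . mysqli_error($db_con));
}

// Normalise first, then escape with an explicit link identifier. Escaping
// is the last transformation applied before the value enters the query.
$name  = ucwords(strtolower($_POST['name'] ?? ''));
$email = mysqli_real_escape_string($db_con, $_POST['email'] ?? '');
$name  = mysqli_real_escape_string($db_con, $name);
$sex   = mysqli_real_escape_string($db_con, $_POST['sex'] ?? '');
$sim   = (isset($_POST['M']) && $_POST['M'] !== "") ? 1 : 0;

$query = "INSERT INTO `users` (`email`, `name`, `sex`, `M`) "
       . "VALUES ('$email', '$name', '$sex', '$sim')";

if (!mysqli_query($db_con, $query)) {
    die("Query fail: " . mysqli_error($db_con));
}

mysqli_close($db_con);
```

A prepared statement (mysqli_prepare with bound parameters) removes the dependency between escaping and connection charset altogether, because the values are sent separately from the SQL text.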