Finding blind_SQL vulnerability in php site code

Question

Hi I'm really a beginner in the web domain and I was wondering if someone could guide me in where should I look for the blind sql injection vulnerability in the code of the whole forum For example if this is the exploit of the vulnerability index.php?m=content&c=rss&catid=[valid catid] where should I look for in the code for the portion which validates user form & url input; I'm really a beginner in php and how should I fix it.

Answer 1

Each $_GET, $_POST, $_COOKIE, (and even $_SERVER) superglobal input must be validated and not trusted.

If you use any of them in your code, if it's going to database, use mysql_real_escape_string; if it will be displayed directly as html on your website (as well as if it is called from the database), you should check for XSS, using functions like htmlentities, htmlspecialchars, strip_tags etc.

Answer 2

If you are worried about SQL Injection then you have bad design. You should be using parametrized queries with a library like ADODB or PDO. Then there is no question, you are 100% protected against SQL Injection.

For testing for blind sql you can do somthing like: index.php?m=content&c=rss&catid=sleep(30).

This request should take 30 seconds for the page to load. If you need a quote mark then the payload would look something like ' and sleep(30) or 1='.

To patch this vulnerability you know that catid should be an int. So at the top of that page you can add this line: $_GET['catid']=intval($_GET['catid']);

Answer 3

There is alot of material around where to read about php security. A few links:

• http://php.robm.me.uk/
• https://stackoverflow.com/questions/2119083/php-tutorial-that-is-security-accuracy-and-maintainability-conscious
• http://www.techrepublic.com/article/secure-your-web-applications-by-validating-user-input-with-php/6078577

Your question regarding form input: One of the first things you should look into and use is mysql_real_escape_string.