05-07-2008, 07:31 AM
"Philip Newborough"

SQL Injection immunity on Ubuntu

>
> So now my questions are;
> Is the default LAMP stack on Ubuntu Server immune from SQL Injections?
> If I move my PHP script to a freshly-installed Hardy, will I get the same
> result?
>

The way in which the LAMP stack is distributed on Ubuntu may leave
_your_ applications immune to such attacks; however, I think it would
be unwise to assume immunity to SQL injections on _any_ default system
set-up.

Philip

P.S. Test, test and test again

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
 
05-07-2008, 08:03 AM
Andreas Olsson

SQL Injection immunity on Ubuntu

On Wednesday 07 May 2008 09:11:09 Dax Solomon Umaming wrote:
> Our server's still using Gutsy, and I've tried snippets from
> http://en.wikipedia.org/wiki/SQL_injection . I'm surprised to see that PHP
> escaped them with . I've echoed almost all forms on my scripts with the
> same results.

This is most likely the result of magic_quotes_gpc being enabled in PHP.

> So now my questions are;
> Is the default LAMP stack on Ubuntu Server immune from SQL Injections?
> If I move my PHP script to a freshly-installed Hardy, will I get the same
> result?

Yes, magic_quotes_gpc seems to be the default in Hardy as well.

Personally I don't think that is something you should rely on. What if you in
the future move the page to another server, with different settings?

As Onno Benschop mentions, mysql_real_escape_string() is a good function to
use. It might also be a good idea, when possible, to validate your input.

--
Andreas Olsson
http://www.andreasolsson.se/
 
05-07-2008, 08:03 AM
Dax Solomon Umaming

SQL Injection immunity on Ubuntu

On Wednesday 07 May 2008 3:28:19 pm Onno Benschop wrote:
> Fortunately, PHP comes with a lovely function to help you:
> mysql_real_escape_string()

I have been reviewing the PHP Manual's mysql_real_escape_string() before I
started this thread. I just didn't see any need for implementing it since all
inputs are escaped. Now that I know, I have to do some major refactoring.

Thanks for your input.

--
Dax Solomon Umaming
http://blog.knightlust.com/
GPG: 0x715C3547
 
05-07-2008, 08:26 AM
"Justin M. Wray"

SQL Injection immunity on Ubuntu

Dax,

Just as a suggestion, it would be better to be redundant in a case like this. Just because it appears that input has been sanitized elsewhere, I still re-evaluate/clean it before sending it to the SQL server, just in case something along the way gets altered or a different function causes an error.

In security this is a good practice and will result in far more secure code. You must always double-check user input, period.

Another note: don't rely on the front-end to secure the input (things like JavaScript). Clean the input on the backend. An attacker can easily alter the front-end code and/or bypass security checks, sending unsanitized input.

Yes, you should even clean/check input from a drop-down.

Hope this helps!

Thanks,
Justin M. Wray

 
05-07-2008, 04:33 PM
Kees Cook

SQL Injection immunity on Ubuntu

Hi Dax,

On Wed, May 07, 2008 at 03:11:09PM +0800, Dax Solomon Umaming wrote:
> If I move my PHP script to a freshly-installed Hardy, will I get the same
> result?

I echo everyone else's comments on this topic, and only add that I would
recommend using a database interface that provides proper "Binding".
Instead of the old "mysql", please consider switching to "mysqli"[1]
(or ADOdb[3]). This would totally side-step the need for doing manual
string escapes, and lets the database take care of it directly. This
tends to be much less code to write, makes it harder to make mistakes,
etc. Instead of building up a long string including parameters that
may need to be escaped, build up the query string with place-holders,
and add the parameters as function arguments. Example lifted from the
mysqli bind-param docs[2]:

/* connection details are placeholders added here, not part of the docs example */
$mysqli = new mysqli("localhost", "user", "password", "world");

$stmt = $mysqli->prepare("INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)");
/* 's' = string, 'd' = double; the variables are bound by reference,
   so they may be assigned after bind_param() */
$stmt->bind_param('sssd', $code, $language, $official, $percent);

$code = 'DEU';
$language = 'Bavarian';
$official = "F";
$percent = 11.2;

/* execute prepared statement */
$stmt->execute();
$stmt->close();


I hope that helps!

-Kees

[1] http://us3.php.net/manual/en/book.mysqli.php
[2] http://us3.php.net/manual/en/mysqli-stmt.bind-param.php
[3] http://phplens.com/lens/adodb/tips_portable_sql.htm (see "Binding")

--
Kees Cook
Ubuntu Security Team

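An added example (not from the thread, nor from any of its posters) that puts the two approaches side by side: the escaping that magic_quotes_gpc applies, which does nothing for a parameter used in an unquoted numeric context, and the validate-then-bind approach Kees and Justin describe, using mysqli. The connection details, table and column names are placeholders.

```php
<?php
// Simulates what magic_quotes_gpc does to every GET/POST value: addslashes().
function magicQuoted(string $raw): string {
    return addslashes($raw);
}

// Escaping-based query builder: only safe when the value is both escaped
// AND enclosed in quotes in the SQL text. Here it is used unquoted.
function buildByEscaping(string $escapedId): string {
    return "SELECT name FROM users WHERE id = " . $escapedId;
}

// Constructed input with no quote characters: addslashes() leaves it
// unchanged, so the escaping the poster observed has no effect here and
// the condition is spliced into the SQL text as-is.
$input = "1 OR 1=1";
echo buildByEscaping(magicQuoted($input)), "\n";

// Hardened version: validate the type first, then bind. The value never
// becomes part of the SQL text, so quoting and escaping are irrelevant.
function fetchNameById(mysqli $db, string $rawId): ?string {
    // Server-side validation as recommended in the thread: accept only a
    // plain positive integer, regardless of what the front end sent.
    if (!preg_match('/^[1-9][0-9]*$/', $rawId)) {
        return null;
    }
    $stmt = $db->prepare("SELECT name FROM users WHERE id = ?");
    if ($stmt === false) {
        return null;   // prepare() failed (bad SQL or lost connection)
    }
    $id = (int) $rawId;
    $stmt->bind_param('i', $id);   // 'i' = integer parameter
    $stmt->execute();
    $stmt->bind_result($name);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $name : null;
}

// Placeholder connection details (hypothetical host, user, database).
$db = new mysqli('localhost', 'app_user', 'PLACEHOLDER_PASSWORD', 'app_db');
var_dump(fetchNameById($db, "1 OR 1=1"));  // rejected by validation, never sent to MySQL
var_dump(fetchNameById($db, "1"));         // looked up through the bound parameter
```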