SQL Injection and shell command vulnerability's

[daiondoroga]

Can anyone give me direction on what these 2 vulnerability's are and what is the easiest way to protect against them.

I have thought about surpressing certain characters on input fields. I was hoping for more information.

 

[krakjoe]

shell command vulnerabilities only exist when a user has access to shell, mostly that's not a problem as those that you trust to have shell access are most likely only admin anyway.

As for SQL Injections, this is a generic term, there are several forms of attack for several different web applications, the majority of the time, the vulnerability is fixed as soon as it's found, which software are you talking about in particular ?

 

[hiker13526]

Simple SQL vulerability:

Webpage visited:

/login.php?user=john&pass=doe

PHP (for lengths sake, assume already connected to MySQL:

<?php
$user = $_GET['user'];
$pass = $_GET['pass'];
$query = "SELECT * FROM `users` WHERE `name` = '$user' AND `pass` = '$pass'";
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);
echo 'Username: '. $row['name'] .'<br />Password: '. $row['pass'];
?>

and the hacker would vist this address:

/login.php?user=john&pass=' or 1=1

so the sql query would be:

SELECT * FROM `users` WHERE `name` = 'john' AND `pass` = '' or 1=1'

This would return john and his password. VERY common vulnerability.

*EDIT* Oh, and heres a way to NOT have that happen:

function validateString($input) {
	return preg_match('/^[a-zA-Z0-9]+$/', $input);
}

Simple enough? Returns true if the string is only letters and numbers, and false if it contains other characters.

As a side note, any and all code in this post is released into the public domain, so feel free to use it as such.