Popular search on the home page showing and storing SQL injection statements

Please report bugs here!

Moderator: Thorsten

Arametheus
Posts: 17
Joined: Wed Sep 11, 2024 8:47 pm

Popular search on the home page showing and storing SQL injection statements

Post by Arametheus »

So we just launched phpMyFAQ.

We noticed on the home page a bunch of nulls showing up under popular searches.

I looked in our DB and it has a bunch of SQL injections.

Example

') AND 5570=1547 AND ('DEOM'='DEOM
There are more, but I don't want to paste them all. Is there a way you can filter these out so they are not stored in the DB when someone tries to put in a SQL statement?

I will write a cleaner from our other system so they are not displayed, but I'd like to kill it when they submit it.
Thorsten
Posts: 15723
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: Popular search on the home page showing and storing SQL injection statements

Post by Thorsten »

Hi,

what solution would you suggest to avoid that?

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
Arametheus
Posts: 17
Joined: Wed Sep 11, 2024 8:47 pm

Re: Popular search on the home page showing and storing SQL injection statements

Post by Arametheus »

You could add some kind of validation to the forms.

Here is one suggestion, but not the greatest, since the patterns could change.

Then run this code on the search term before acting on the search, and if it passes, execute the search.

function validateSearchInput($input) {
    // Convert to lowercase to detect common SQL keywords regardless of case
    $inputLower = strtolower($input);

    // Pattern to detect SQL keywords and suspicious characters
    $pattern = '/(\b(select|union|from|all|where|insert|delete|update|null|count|table|or|and|into|create|drop)\b|--|;|\'|")/i';

    // Check if the input matches the pattern
    if (preg_match($pattern, $inputLower)) {
        // Reject the input if suspicious patterns are detected
        return false;
    }

    // Sanitize the input if needed or just return it if clean
    return htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
}

Another possible way would be limiting search term length so it's less than x, since most people don't type in a book to search for something.
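The posted blocklist does catch the sample injection, but because it matches plain English words it also rejects ordinary questions such as "how do I update my password" or "terms and conditions". The block below is an added example, not phpMyFAQ's code and not its API: it runs the posted pattern beside a narrower heuristic that matches the shape of a probe rather than its vocabulary, and it shows the storage side, where a prepared statement binds the term as data so a stored injection string is inert and the only remaining decision is which terms to display. It assumes PDO with SQLite, and the function names (blocklistRejects, looksLikeSqliProbe, recordSearch, popularSearches), the probe patterns and the sample inputs are all constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyFAQ code. Contrasts the keyword blocklist from the
// post with a narrower probe heuristic and parameterized storage. Uses an
// in-memory SQLite database via PDO so it runs stand-alone: php example.php

// The blocklist from the post, reduced to a yes/no answer.
function blocklistRejects(string $input): bool
{
    $pattern = '/(\b(select|union|from|all|where|insert|delete|update|null|count|table|or|and|into|create|drop)\b|--|;|\'|")/i';
    return preg_match($pattern, $input) === 1;
}

// Narrower heuristic (assumed patterns): match the shape of an injection
// probe (quote or closing paren, then AND/OR, then a comparison; UNION
// SELECT; trailing comment marker; timing functions) rather than English words.
function looksLikeSqliProbe(string $input): bool
{
    $patterns = [
        '/[\'")]\s*(and|or)\s+[\'"(]*\w+[\'"]*\s*=\s*/i', // ') AND 5570=1547 ...
        '/\bunion\b(\s+all)?\s+\bselect\b/i',             // UNION SELECT
        '/(--|\/\*|#)\s*$/',                               // trailing comment marker
        '/\b(sleep|benchmark|pg_sleep)\s*\(/i',            // time-based probes
    ];
    foreach ($patterns as $p) {
        if (preg_match($p, $input) === 1) {
            return true;
        }
    }
    return false;
}

function setupDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE searches (term TEXT NOT NULL)');
    return $pdo;
}

// Store the term as a bound parameter: it is data, never SQL, so a stored
// "' OR 1=1 --" cannot execute. The length cap (as suggested in the post)
// drops oversized payloads before they reach the table.
function recordSearch(PDO $pdo, string $term, int $maxLen = 100): bool
{
    $term = trim($term);
    if ($term === '' || strlen($term) > $maxLen) {
        return false;
    }
    $stmt = $pdo->prepare('INSERT INTO searches (term) VALUES (:term)');
    $stmt->execute([':term' => $term]);
    return true;
}

// Build the "popular searches" list: aggregate in SQL, hide probe-shaped
// terms at display time, and HTML-escape what is shown.
function popularSearches(PDO $pdo, int $limit = 5): array
{
    $stmt = $pdo->prepare(
        'SELECT term, COUNT(*) AS hits FROM searches GROUP BY term ORDER BY hits DESC, term LIMIT :limit'
    );
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();

    $shown = [];
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        if (looksLikeSqliProbe($row['term'])) {
            continue;
        }
        $shown[] = htmlspecialchars($row['term'], ENT_QUOTES, 'UTF-8');
    }
    return $shown;
}

// Constructed sample input: two ordinary questions and two probes
// (the first probe is the one quoted in the original post).
$samples = [
    'how do I update my password',
    'terms and conditions',
    "') AND 5570=1547 AND ('DEOM'='DEOM",
    "' OR 1=1 --",
];

foreach ($samples as $s) {
    printf("%-36s blocklist: %-6s probe: %s\n", $s,
        blocklistRejects($s) ? 'reject' : 'ok',
        looksLikeSqliProbe($s) ? 'yes' : 'no');
}

$pdo = setupDb();
foreach ($samples as $s) {
    recordSearch($pdo, $s);
}
recordSearch($pdo, 'terms and conditions'); // make one term "popular"
print_r(popularSearches($pdo));
```

Running it shows the blocklist rejecting both ordinary questions while the probe heuristic flags only the two injection strings, and the popular list comes back as the two real questions, escaped for HTML. The heuristic is still a denylist and will miss probe shapes it does not know about, so treat it as a cosmetic filter for the listing; the prepared statement and the output escaping are what actually keep a stored search term from becoming SQL or HTML.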
bflcafe
Posts: 1
Joined: Wed Dec 04, 2024 10:13 am
Location: https://geometrylite.io

Re: Popular search on the home page showing and storing SQL injection statements

Post by bflcafe »

Arametheus wrote: Thu Nov 14, 2024 9:52 am You could add some kind of validation to the forms.

Here is one suggestion, but not the greatest, since the patterns could change.

Then run this code on the search term before acting on the search, and if it passes, execute the search.

function validateSearchInput($input) {
    // Convert to lowercase to detect common SQL keywords regardless of case
    $inputLower = strtolower($input);

    // Pattern to detect SQL keywords and suspicious characters
    $pattern = '/(\b(select|union|from|all|where|insert|delete|update|null|count|table|or|and|into|create|drop)\b|--|;|\'|")/i';

    // Check if the input matches the pattern
    if (preg_match($pattern, $inputLower)) {
        // Reject the input if suspicious patterns are detected
        return false;
    }

    // Sanitize the input if needed or just return it if clean
    return htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
}

Another possible way would be limiting search term length so it's less than x, since most people don't type in a book to search for something.

Thanks for the suggestion; this code works, I tested it.