2009
07.07

So I am working today and receive an e-mail from the boss man about one of our clients' websites getting “hacked” by a Palestinian hacking group. Apparently they used some MySQL query injections on one of our old sites. Gotta love legacy code. Well, the site wasn’t properly escaping the strings passed from the URL GET or the POST variables, and they managed to reset the admin section usernames and passwords. They then proceeded to log into the admin interface for the site and upload a “Your site has been haxX0red!!!” image. Lovely.

In any case, the fix is to rewrite the SQL queries so that untrusted input can never change the structure of the query, whatever someone decides to pass to the script. The following code is bad: the request values are dropped straight into the SQL text, so a single quote in either field ends the string literal and everything after it is parsed as SQL.

// username and password sent from signup form
// VULNERABLE: the raw POST values are interpolated into the SQL text, so a
// single quote in either field ends the literal and the rest of the input
// becomes part of the query.
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
$sql="SELECT * FROM members WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

So I guess it’s another handful of old sites to fix, since a bunch of others are using the same code. /sigh/ The way this code should have been written, escaping each value before it goes into the query (with mysql_real_escape_string rather than the deprecated mysql_escape_string, which does not know the connection's character set):

// username and password sent from signup form
// Escape each value before it is placed inside the quoted SQL literal.
// mysql_real_escape_string uses the open MySQL connection's character set;
// the older mysql_escape_string is deprecated and charset-unaware.
// Note: escaping only protects values that sit inside quotes; an unquoted
// numeric value must be cast (e.g. (int)) or passed as a bound parameter.
$myusername=mysql_real_escape_string($_POST['myusername']);
$mypassword=mysql_real_escape_string($_POST['mypassword']);
$sql="SELECT * FROM members WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
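As an added example (not code from this post; Python's standard-library sqlite3 stands in for PHP/MySQL, and the members table, its single row and the attacker input are constructed here for the demo), the same login query is run with injected input against three versions: the bad code above, the escaped version, and a parameterized query that needs no escaping at all:

```python
"""Login-query SQL injection: vulnerable interpolation, escaping, parameters.

Added example. Python's stdlib sqlite3 stands in for PHP/MySQL (an assumption
of this demo); the members table, its one row and the attacker input are
constructed for the demo and are not taken from the incident.
"""
import sqlite3


def make_db():
    """In-memory members table with one constructed admin row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.execute("INSERT INTO members VALUES ('admin', 'hunter2')")  # constructed
    return conn


def build_vulnerable_sql(username, password):
    """Same construction as the post's bad PHP: the request values are pasted
    straight into the SQL text, so a quote in the input ends the literal."""
    return (f"SELECT * FROM members WHERE username='{username}' "
            f"and password='{password}'")


def login_vulnerable(conn, username, password):
    """Runs the interpolated query; True means the login 'succeeded'."""
    sql = build_vulnerable_sql(username, password)
    return conn.execute(sql).fetchone() is not None


def escape_sqlite(value):
    """Escaping in the spirit of mysql_real_escape_string. SQLite's rule is to
    double single quotes; MySQL also needs backslash escaping and must know the
    connection charset, which is why PHP code calls mysql_real_escape_string
    instead of hand-rolling this."""
    return value.replace("'", "''")


def login_escaped(conn, username, password):
    """The post's fix: escape each value, then interpolate the escaped value.
    The attacker's quote now stays inside the literal."""
    sql = build_vulnerable_sql(escape_sqlite(username), escape_sqlite(password))
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """The thorough fix: the query text is fixed and the values travel
    separately as bound parameters, so input can never become SQL."""
    row = conn.execute(
        "SELECT * FROM members WHERE username=? and password=?",
        (username, password),
    ).fetchone()
    return row is not None


# Constructed attacker input: the quote closes the username literal and
# '-- ' comments out the rest of the WHERE clause, including the password check.
BYPASS_USERNAME = "admin' -- "


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_sql(BYPASS_USERNAME, "wrong"))
    print("vulnerable    :", login_vulnerable(db, BYPASS_USERNAME, "wrong"))
    print("escaped       :", login_escaped(db, BYPASS_USERNAME, "wrong"))
    print("parameterized :", login_parameterized(db, BYPASS_USERNAME, "wrong"))
```

Running it shows the query the vulnerable code actually sends (the password comparison has been commented away, so the admin row comes back with a wrong password), while the escaped and parameterized versions both reject the same input. Escaping works only for values that sit inside quotes; a query such as `WHERE id=$id` with no quotes is not helped by any escape function, which is the reason bound parameters (mysqli or PDO prepared statements in PHP) are the safer habit.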
