
web vulnerability - mysql database error 1


dpctelcom, Nov 11, 2004
This may be part of this forum, as it may be fixed through PHP, but as I am new to MySQL and PHP (a desktop tech trying to understand software), I am posting here and hoping someone can direct me.

I use a web security site scanning process to check the e-store for the company I work for, and keep getting the same vulnerability (MySQL database error disclosure vulnerability). I know that it has to do with the forms on my site, and that I need to sanitize the data before being sent to the database, but I have no idea how to go about it.

The company has a hosted server with GoDaddy.com, and an employee before I came along, and since left, originally set up the e-store on the server, and I believe a SQL server is also housed on it, and it uses phpMyAdmin to do whatever programming for the SQL server.

My big question is how to go into the SQL server and sanitize the data, and remember, I may need detailed instructions, as if you were trying to explain to someone never seeing a computer.

Thanks in advance.
 
to sanitise data before submitting it to mysql, use mysql_real_escape_string() and ensure that you properly enquote your values, or use an abstraction layer like PDO with placeholders, that does the escaping and enquoting for you.

however the description of your error is more that the mysql errors are exposed to the user, rather than any other vulnerability in particular. To suppress errors either prepend the mysql_* function with a @, or turn display_errors off, either in the code (ini_set('display_errors', false);) or in php.ini (don't forget to restart the server afterwards).
 
I finally got around to figuring out how to get to the right files, and where to look, and verified in my etc\php.ini file that 'display_errors' was set to off, and the logs were on.

I did the scan again, and it still shows the same vulnerability: MySQL database error disclosure vulnerability.

Any other suggestions?

Also, if sanitising the data will help, I do not know where to put the mysql_real_escape_string() to sanitise the data. Is it a specific file like the php.ini file?
 
no. all user submitted data should be sanitised. mysql_real_escape_string() is a normal function. it takes a string as an argument and returns a string.

for example

Code:
// connect to db first (mysql_connect / mysql_select_db), then:
$sql = "insert into mytable (id, myvalue) values (NULL, '%s')";
// mysql_real_escape_string() escapes quotes in the submitted value; the %s is enquoted in $sql
$query = sprintf($sql, mysql_real_escape_string( $_POST['someVariable']));
mysql_query($query);

see further
but do not assume that any 'vulnerability' scanner is accurate or helpful. learn about how to code, how to protect your site, how to secure against attack vectors yourself and then use such tools as aides to help spot errors. the fact that someone/thing else considers your site to be vulnerable does not, by any means, conclusively determine that it is vulnerable.
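The same insert as the sprintf() example above, rewritten with PDO placeholders as the first reply suggested, and with driver errors logged on the server instead of shown to the visitor (which is what the "database error disclosure" finding is about). This is an added example, not code from the thread; the table and column names come from the post above, and the DSN, user and password are placeholders.

```php
<?php
// Added example (not from the thread). Table/column names taken from the post
// above; DSN, user and password below are placeholders to be replaced.

// Keep error text off the page: log it, show the user a generic message.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

try {
    $pdo = new PDO(
        'mysql:host=localhost;dbname=estore;charset=utf8mb4', // placeholder DSN
        'dbuser',                                             // placeholder
        'dbpassword',                                         // placeholder
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );

    // The submitted value is bound as data, so quotes or semicolons inside it
    // cannot change the structure of the statement. No escaping needed.
    $stmt = $pdo->prepare('INSERT INTO mytable (id, myvalue) VALUES (NULL, :myvalue)');
    $stmt->execute([':myvalue' => $_POST['someVariable'] ?? '']);
} catch (PDOException $e) {
    // The exception message can include the failed SQL and table names,
    // which is exactly what a scanner flags when it reaches the browser.
    error_log('DB error: ' . $e->getMessage());
    http_response_code(500);
    echo 'Sorry, something went wrong. Please try again later.';
    exit;
}
```

Setting display_errors in php.ini (as the original poster later did) covers PHP's own notices, but a script that prints mysql_error() or the exception message itself will still leak it; the catch block above is where that text has to be kept server-side.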
 
I think I understand about not trusting every sites scan results, as I found the following in one of the *.php files that is part of the root of my website.

Code:
//
// Sanitize input data
//
function fn_safe_input($data)
{
	if (is_array($data) && !empty($data)) {
		foreach ($data as $key => $value) {
			if (preg_match('/^[_A-Z\-0-9]+$/', $key)) {
				$data[$key] = preg_replace('/(\$|\\\|{|}|\\[|\\]|\\(|\\)|\\^|~|\\?|\\*|\\||`|;|&|#)/', '\\\\$1', $value);
			}
		}
	}

	return $data;
}

So it does look like it is being handled, just not being recognized through the McAfee Scans.

Thanks for your time and assistance.
 
I'm not sure that is protecting against SQL injection, but it might. It will only work with arrays though, not strings.
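A quick way to settle the doubt in the reply above is to run the posted fn_safe_input() over a few constructed values and look at what comes back. This is an added check, not code from the thread or from the e-store package; the function body is copied verbatim from the post, and the sample inputs are made up. It shows two things the function's regex makes visible: the single quote, the character that matters most to a MySQL string literal, is not in its character list, and the key filter only matches upper-case form field names.

```php
<?php
// Added example (not from the thread). fn_safe_input() is copied from the post
// above unchanged; everything else is constructed for this check.

function fn_safe_input($data)
{
    if (is_array($data) && !empty($data)) {
        foreach ($data as $key => $value) {
            if (preg_match('/^[_A-Z\-0-9]+$/', $key)) {
                $data[$key] = preg_replace('/(\$|\\\|{|}|\\[|\\]|\\(|\\)|\\^|~|\\?|\\*|\\||`|;|&|#)/', '\\\\$1', $value);
            }
        }
    }

    return $data;
}

// Constructed form values. Note the keys: the regex accepts only
// [_A-Z\-0-9], so a lowercase field name is skipped entirely.
$samples = [
    'NAME'  => "O'Brien",           // single quote: not in the function's list
    'NOTE'  => 'price is $5 (ish)', // characters the function does backslash
    'email' => "x'@example.com",    // lowercase key: passed through untouched
];

// Returns true if the single quote in an upper-case field survives unchanged,
// i.e. the function does not escape it for SQL.
function single_quote_survives(array $samples)
{
    $out = fn_safe_input($samples);
    return $out['NAME'] === $samples['NAME'];
}

// Returns true if the function is a no-op on a plain string (not an array).
function string_is_untouched($value)
{
    return fn_safe_input($value) === $value;
}

$out = fn_safe_input($samples);
foreach ($out as $k => $v) {
    printf("%-6s in: %-22s out: %s\n", $k, $samples[$k], $v);
}
printf("single quote survives in NAME: %s\n", single_quote_survives($samples) ? 'yes' : 'no');
printf("plain string untouched:        %s\n", string_is_untouched("O'Brien") ? 'yes' : 'no');
```

Two consequences follow from the output. The value that would break a quoted SQL literal passes through unchanged, so this function is not a substitute for mysql_real_escape_string() or a PDO placeholder, and the scanner's finding may well be right. Meanwhile the characters it does handle ($, parentheses, brackets and so on) get a literal backslash added, which is then stored in the database as part of the data rather than consumed by MySQL as an escape, so legitimate values such as prices come out altered.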
 