Note: These attacks work on the previous version of the q-store (11/27). The code in this folder will protect against these attacks.

---------- SQL Injection ---------------

---- Attack 1: DROP TABLE from get reviews

URL: your_cloud_9/q-store/reviews.php?product_id=1

SQL statement in PHP:
    SELECT product_id, review FROM reviews WHERE product_id = $product_id;

Set $product_id to:
    1; DROP TABLE reviews; --

Then the SQL statement becomes:
    SELECT product_id, review FROM reviews WHERE product_id = 1; DROP TABLE reviews; --

New URL: your_cloud_9/q-store/reviews.php?product_id=1; DROP TABLE reviews; --

---- Attack 2: DROP TABLE from post reviews

Enter a new review. SQL statement in PHP:
    INSERT INTO reviews (product_id, review) VALUES ($product_id, '$review');

Set $review to:
    '); DROP TABLE reviews; --

Then the SQL statement becomes:
    INSERT INTO reviews (product_id, review) VALUES ($product_id, ''); DROP TABLE reviews; --

---- Attack 3: SELECT data from another table

URL: your_cloud_9/q-store/reviews.php?product_id=1

SQL statement in PHP:
    SELECT product_id, review FROM reviews WHERE product_id = $product_id;

Set $product_id to:
    1 UNION SELECT name, secret FROM secret_info

Then the SQL statement becomes:
    SELECT product_id, review FROM reviews WHERE product_id = 1 UNION SELECT name, secret FROM secret_info;

New URL: your_cloud_9/q-store/reviews.php?product_id=1 UNION SELECT name, secret FROM secret_info

---- Fix: use the PHP PDO quote function
    $prod_id = $db->quote($_POST["product_id"]);

---------- HTML Injection ---------------

Note: You have to fix the SQL injection problem for these to work; otherwise you will get errors on the SQL statements.

Entered as comments:

--- Add a button for people to click on:

--- Add a paragraph for people to hover over:

This text is innocuous!

--- Add an image that will automatically run script when the image fails to load:

A perfectly harmless review.

---- Fix: use textContent instead of innerHTML
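The following is an added example, not the q-store's own code, showing the SQL injection fix from the notes above in runnable form. It assumes PHP with the PDO SQLite driver (pdo_sqlite) so it runs offline against an in-memory database; the table and column names come from the notes, the sample rows are constructed. It puts the vulnerable interpolated query next to the quote() fix the notes name and next to a prepared statement, which is the form to prefer. One caveat on the notes' fix: Attacks 1 and 3 read product_id from the query string, so the same treatment is needed on the $_GET path of reviews.php, not only on $_POST.

```php
<?php
// Added example (not the q-store's own code): the vulnerable query from the
// notes beside two hardened forms, run against an in-memory SQLite database.
// Table/column names follow the notes; the sample rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE reviews (product_id INTEGER, review TEXT)');
$db->exec("INSERT INTO reviews VALUES (1, 'Works great'), (2, 'Too loud')");

// Vulnerable: the raw request value is pasted into the SQL text, so whatever
// the value contains is parsed as SQL (this is what Attacks 1 and 3 rely on).
function getReviewsVulnerable(PDO $db, string $productId): array {
    $sql = "SELECT product_id, review FROM reviews WHERE product_id = $productId";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fix 1 (the one the notes name): PDO::quote() escapes the value and wraps it
// in quotes, so the whole input is compared as one string literal. It works,
// but the query is still assembled by string concatenation.
function getReviewsQuoted(PDO $db, string $productId): array {
    $safe = $db->quote($productId);
    $sql = "SELECT product_id, review FROM reviews WHERE product_id = $safe";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fix 2 (preferred): a prepared statement. The SQL text is fixed up front and
// the value travels separately as a parameter, so it can never become SQL.
function getReviewsPrepared(PDO $db, string $productId): array {
    $stmt = $db->prepare('SELECT product_id, review FROM reviews WHERE product_id = :pid');
    $stmt->execute([':pid' => $productId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Same treatment for the INSERT that Attack 2 targets.
function addReviewPrepared(PDO $db, string $productId, string $review): void {
    $stmt = $db->prepare('INSERT INTO reviews (product_id, review) VALUES (:pid, :review)');
    $stmt->execute([':pid' => $productId, ':review' => $review]);
}

// Demonstration with the Attack 2 payload from the notes: with a prepared
// statement the text is stored verbatim as review text and the table survives.
$payload = "'); DROP TABLE reviews; --";
addReviewPrepared($db, '1', $payload);
print_r(getReviewsPrepared($db, '1'));      // two rows for product 1; payload is plain text
print_r(getReviewsPrepared($db, $payload)); // empty: the payload is just a non-matching value
print_r(getReviewsQuoted($db, '1'));        // one or more rows for product 1
```

The prepared-statement version also makes the column's type explicit: if product_id is always an integer, cast it (`(int) $_GET['product_id']`) before binding, and anything that is not a number becomes 0 rather than reaching the database at all.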
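The notes fix HTML injection on the client by assigning review text with textContent instead of innerHTML. The added example below, which is not the q-store's own code, shows the server-side half of the same rule for reviews.php: review text leaves the server as data, never as markup. It covers both ways reviews.php might deliver reviews, as rendered HTML (escape with htmlspecialchars) or as JSON for the client to place with textContent (encode with the JSON_HEX_* flags). The function names and the sample reviews are constructed for the example.

```php
<?php
// Added example (not the q-store's own code): output encoding for review
// text on the server, complementing the textContent fix from the notes.
// Sample reviews are constructed; the second one stands in for a review
// that contains HTML markup.
$reviews = [
    ['product_id' => 1, 'review' => 'Works great'],
    ['product_id' => 1, 'review' => 'A perfectly harmless review. <b>bold</b> & "quotes"'],
];

// Case A: reviews.php renders the HTML itself. Every review passes through
// htmlspecialchars, so <, >, &, " and ' become entities and the browser
// displays them as text instead of parsing tags or attributes.
function renderReviewsHtml(array $reviews): string {
    $out = "<ul>\n";
    foreach ($reviews as $r) {
        $safe = htmlspecialchars($r['review'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $out .= '  <li data-product="' . (int) $r['product_id'] . '">' . $safe . "</li>\n";
    }
    return $out . "</ul>\n";
}

// Case B: reviews.php returns JSON and the client assigns each string with
// textContent (the fix the notes recommend). JSON_HEX_TAG and friends turn
// < > & ' " into \uXXXX escapes, so the JSON is still safe if it is ever
// embedded inside an inline <script> block.
function renderReviewsJson(array $reviews): string {
    return json_encode(
        $reviews,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

echo renderReviewsHtml($reviews);    // <li> contains &lt;b&gt;bold&lt;/b&gt; &amp; ...
echo renderReviewsJson($reviews), "\n"; // review strings contain \u003Cb\u003E ...
```

Whichever path reviews.php uses, the fix is applied where the text is emitted, not where it is stored: the stored review keeps its original characters, and the database is not the place to strip or rewrite them.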