Hack this code: possible mysql injection

Ok - as always - edited to protect my employer - or my job

So, I've been auditing some code for my employer, and I found some unfiltered code a mysql query.

The url from /news is /newsitem/12  where 12 is the ID of the article.

Then, here is the code:

$newsID = basename($_SERVER['REQUEST_URI']);
$sql = "select * from Tnews where newsID={$newsID}";


So, I've already fixed this - so no worries, but I'm having a hard time actually proving the SQL injection issue here.  Every time I put something in there, it gets urlencoded (obviously) by the browser.  I've been able to successfully break the sql, but never get extra info.  I've also tried telnet connections to the apache server - but any non-url encoded urls generate 400 errors for bad request.

Anyone have any ideas?

$newsID = basename($_SERVER['REQUEST_URI']);
$sql = "select * from Tnews where newsID=".(int)$newsID;

lol

[Join us @ facebook]

The (int) is always good to use for numeric queries.

Now if you are looking for something fast that will work on anything (but may cause other kind of problems) you can try something like this:

$_SERVER['REQUEST_URI'] = addslashes( $_SERVER['REQUEST_URI'] );
?>

The (int) is always good to use for numeric queries.

Now if you are looking for something fast that will work on anything (but may cause other kind of problems) you can try something like this:

$_SERVER['REQUEST_URI'] = addslashes( $_SERVER['REQUEST_URI'] );
?>

Nick he called it a record id (which is a number)

your snippet doesn't work on all machines, it must be:

$theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;

You guys aren't getting my question.

I've fixed the issue from that previous programmer.

My question is: how can you do some sql injection with that old code.  And changing the ID to be that of another news article is not injection ...

[Join us @ facebook]

Oh right, this way you can't besides getting another article. But what if someone add a ; and run another query? Will this be executed?

Example :

$newsID = "'' OR 1 =1 ; DELETE * FROM users";

Nope - it gets URL encoded in the URL.

Try this:

make a php file named test.php

inside of it put:
echo basename($_SERVER['REQUEST_URI']);

Start experimenting with adding additional items onto the end of it... so...
test.php/123
test.php/; select *

see how the results look to get a better idea of what I'm talking about

This is depressing.  I've posted this query among several boards - and everyone keeps replying with generic solutions - as if it was a $_GET result and not from the $_SERVER['REQUEST_URI']; 



I guess I'm just going to assume that even though I 'fixed' the errors, it never could have been exploited...

[Guest]

[62.885]

Googlebot, Yahoo crawler