Is it possible to hack Phosphorus Five with SQL injection?

The reason I ask this question is that a scientific database was recently hacked in the area where I used to live. The main IT magazine of Norway wrote about the hack, because the hacker who hacked it, or rather proved it was possible, tipped off this IT magazine as a “white hat hacker”.

The answer to the above question, though, is: “Yes, but you’d have to break every single best practice in P5 to allow for it.” The default and recommended way to create MySQL queries in P5 is to use the SqlParameter collection. This makes it impossible to create an SQL injection attack against anything running P5. An example of a MySQL query can be found below.

p5.mysql.connect:[connection]
  p5.mysql.select:@"select * from customer where name = @name"
    @name:x:/../*/name-argument?value

This makes sure the given “name-argument” is added to the SQL as an SQL parameter, and not simply concatenated into the resulting SQL as a string. For the record, you should never create your own SQL simply by concatenating strings, at least not when parts of that string are built from parameters typed into some web form by an end user. The reason is that the end user might type in something like this: “x’\r\nselect password, username from users”, which of course would result in the end user having access to all usernames and/or passwords in your database.
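The contrast the post draws, as an added Python/sqlite3 example standing in for the P5 pattern (this is not P5 code; the customer and users tables, their rows, and the function names are constructed): the concatenated statement changes shape when the post’s hostile value is pasted in, while a bound parameter, like the @name parameter above, treats the same value as nothing more than a string.

```python
import sqlite3

# Constructed sample rows for a "customer" table like the one in the post.
CUSTOMERS = [("Alice",), ("O'Brien",)]

# The hostile value quoted in the post, as a Python string literal.
HOSTILE_NAME = "x'\r\nselect password, username from users"


def open_db() -> sqlite3.Connection:
    """In-memory database with a customer table and a (constructed) users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table customer (name text)")
    conn.executemany("insert into customer values (?)", CUSTOMERS)
    conn.execute("create table users (username text, password text)")
    conn.execute("insert into users values ('admin', 'not-a-real-password')")
    return conn


def build_concatenated_sql(name: str) -> str:
    """The anti-pattern: the end user's input becomes part of the SQL text itself."""
    return "select * from customer where name = '" + name + "'"


def lookup_concatenated(conn: sqlite3.Connection, name: str):
    """Runs the concatenated SQL. Returns the rows, or None when the input
    altered the statement so that the parser no longer accepts it. A server that
    allows multiple statements per call would run the injected query instead."""
    try:
        return conn.execute(build_concatenated_sql(name)).fetchall()
    except sqlite3.Error:
        return None


def lookup_parameterized(conn: sqlite3.Connection, name: str):
    """Equivalent of the post's @name parameter: the value is bound by the
    driver and is never parsed as SQL, so quotes and newlines are harmless."""
    return conn.execute(
        "select * from customer where name = ?", (name,)
    ).fetchall()
```

Note that a perfectly legitimate name containing an apostrophe, such as O'Brien, also breaks the concatenated form, so parameters are a correctness fix as much as a security one.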
