Strange problem appeared today on our server.
We’ve got DDOS from % and _ signs in mysql query which were successfully passed through GET request. For example
domain.com/search/%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25v%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25a
it appears to be cakephp doesn’t filter them? in official mysql guide they write about this problem a lot. that’s how they demonstrate to solve this:
addcslashes(mysql_real_escape_string(“%something_”), “%_”);
in cakephp framework there’s function escape() which used everywhere in models. and look what it contains:
/**
* Returns a quoted and escaped string of $data for use in an SQL statement.
*
* @param string $data String to be prepared for use in an SQL statement
* @param string $column The column into which this data will be inserted
* @param boolean $safe Whether or not numeric data should be handled automagically if no column data is provided
* @return string Quoted and escaped data
*/
function value($data, $column = null, $safe = false) {
$parent = parent::value($data, $column, $safe);
if ($parent != null) {
return $parent;
}
if ($data === null || (is_array($data) && empty($data))) {
return 'NULL';
}
if ($data === '' && $column !== 'integer' && $column !== 'float' && $column !== 'boolean') {
return "''";
}
if (empty($column)) {
$column = $this->introspectType($data);
}
switch ($column) {
case 'boolean':
return $this->boolean((bool)$data);
break;
case 'integer' :
case 'float' :
case null :
if ($data === '') {
return 'NULL';
}
if (is_float($data)) {
return str_replace(',', '.', strval($data));
}
if ((is_int($data) || is_float($data) || $data === '0') || (
is_numeric($data) && strpos($data, ',') === false &&
$data[0] != '0' && strpos($data, 'e') === false)) {
return $data;
}
default:
$data = "'" . mysqli_real_escape_string($this->connection, $data) . "'";
break;
}
return $data;
}
just a basic protection agains some variable types and stuff like this.. what about escaping mysql special characters?? about year ago i read how it’s possible to escape quote sign with help of percent sign in mysql query =) It was hype of blind injections back then, and that trick worked pretty much everywhere because everybody use mysqli_real_escape_string.
I must state a question here: How to escape variable in cakephp – REALLY SAFELY?
update: some folks in IRC states that REQUEST string must be escaped and not query it self. they probably right, then how can I escape % and _ chars in GET request string without using custom functions.. any sanitize method does it?
This doesn’t mean Cake is susceptible to SQL injection, as it in the underbelly it uses prepared statements, it does mean you are using a
LIKEsearch query in CakePHP and it’s letting the wildcard characters though.I don’t think this is ideal behaviour as I have found this out while developing too, I just have this line above finds that use
LIKEnow.You don’t need to take escaping in to your own hands, the framework handles that for you.