The Importance of Escaping Characters
SQL injection is a fun thing to do when you’re bored. Just try submitting a typical injection query into a login form; it’ll work some of the time. I was aware of this, but I am still surprised by the stupidity of many institutions and organizations that leave their security compromised by simply not escaping meta characters.

The screenshot on the left is the login form of an administrator panel of a school. I’ve entered a typical SQL injection expression. Let’s see what happens. (Simple SQL injection is explained here)

It actually let me log in as admin! I mean, I know programmers can make mistakes and schools don’t always hire good programmers, but they should at least try to keep their students’ private data safe. The whole school’s data could be erased by a malicious kid who just happened to try SQL injection on their site. A student of that school could even edit his or her own grades, change their own attendance, and lower the grades of someone they don’t like.
I’ve tried this with many other sites and a large portion of them failed to escape characters and allowed me to trick the script into logging me in, usually as an administrator. If you run a site with a custom-built script, you should check for this very simple but critical vulnerability. Who knows, maybe your own school’s administrator panel has this vulnerability.
Although the consequences can be very chaotic, it actually takes less than a line of code to remedy. In PHP, the addslashes() function can be used to escape all characters. One function, that’s all it takes to prevent people from viewing your administrative data and messing around with your site. Check some admin panel logins and try this method; a surprising number of them will fall for this trick and you’ll be granted administrator power and be free to do whatever you want with that site (of course, if you’re caught you’d be charged with a cyber crime and thus be screwed).
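To show what the remedy looks like in practice, here is an added example (my own code, not from the original post or the school's panel) of a PHP login query written the vulnerable way next to the same query as a PDO prepared statement, which is the standard fix. One caveat about addslashes(): it escapes only quotes, backslashes and NUL bytes, and it produces the backslash style of escaping that MySQL accepts but SQLite, for one, does not (SQLite doubles the quote instead), so the same escaping code can be safe on one database and broken on another; a prepared statement lets the driver handle the value and avoids that whole class of mistake. The table, the single account and the test inputs below are constructed for the example.

```php
<?php
// Added example, not code from the original post.  Two versions of the same
// login query, run against an in-memory SQLite database through PDO so the
// script is self-contained (requires the pdo_sqlite extension).  The users
// table, its one account and the test inputs are all constructed here.
// Passwords are kept in plaintext only so the contrast stays on the query;
// real code stores password_hash() output and checks it with password_verify().

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT, password TEXT, role TEXT)');
$pdo->prepare('INSERT INTO users VALUES (?, ?, ?)')
    ->execute(['admin', 'example-password', 'admin']);   // constructed account

// Vulnerable: form fields are pasted into the SQL text.  A quote in either
// field closes the string literal and the rest of the field is parsed as SQL,
// which is exactly the flaw the post found in the school's admin panel.
function loginVulnerable(PDO $pdo, string $user, string $pass): ?array
{
    $sql = "SELECT username, role FROM users "
         . "WHERE username = '$user' AND password = '$pass'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: a prepared statement sends the SQL and the values separately, so
// the database treats both fields as plain data whatever characters they hold.
// There is no escaping step to get wrong or to forget.
function loginPrepared(PDO $pdo, string $user, string $pass): ?array
{
    $stmt = $pdo->prepare(
        'SELECT username, role FROM users WHERE username = ? AND password = ?'
    );
    $stmt->execute([$user, $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a real login, a wrong password, and the kind of form
// submission the post calls a "typical" injection.  Run each against both
// versions to see which one treats the field as data.
$cases = [
    'correct credentials' => ['admin', 'example-password'],
    'wrong password'      => ['admin', 'guess'],
    'injection in field'  => ['anything', "' OR '1'='1"],
];

foreach ($cases as $label => [$user, $pass]) {
    printf("%-20s vulnerable: %-40s prepared: %s\n",
        $label,
        json_encode(loginVulnerable($pdo, $user, $pass)),
        json_encode(loginPrepared($pdo, $user, $pass)));
}
```

The third case is the one to watch: loginVulnerable() returns the admin row because the injected text rewrites the WHERE clause, while loginPrepared() returns null because the database compares the whole string, quotes and all, against the password column. Running a check like this against your own login handler is a quick way to confirm the fix actually took.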
Go around and check. Tell your friend about a security hole in his site (or possibly pull a prank first). Tell your school or organization, and just see their reaction. Just be careful not to bug the school administrator too much or you might get in trouble.
A related and funny comic strip (for those of you who know SQL)