custom db tables access and sql injection / prepared statements - My Forums

Re: custom db tables access and sql injection / prepared statements

mrhaw — Nov 07, 2013, 09:02 PM

» Force your client to login using SSL - HTTPS
/manager/index.php:

» Restrict the manager to IP
http://forums.modx.com/thread/45029/restrict-manager-by-ip-addresses-without-breaking-captcha#dis-post-463882

» In manager settings make sure Validate HTTP_REFERER headers? is YES

» UPGRADE YOUR MODX!

Since 1.0.8

Security:
--------------------------------------------
* [#9933] insideManager - security fix
* [#10180] ForgotManagerPassword - Improvement reset url
* [#9704] LFI in mutate_settings.ajax.php
* [#9802] Security feature - Check falsification of system files
* [#3796] MODx security issues
* [#8338] LFI in browser.php
* [#8339] LFI in install
* [#9621] SQL-injection in logEvent
* [#471] Show custom error page if mysql is down
* [#9624] Add .htaccess into assets/cache/

https://raw.github.com/modxcms/evolution/v1.0.12/install/changelog.txt

» + KEEP BACKUP OF FILES AND DATABASE!

//This Ditto Tagging XSS fix never made it's way (if you are using tagging)
http://forums.modx.com/thread/42791/removing-tags-variable-from-reflect-url#dis-post-247387

Re: custom db tables access and sql injection / prepared statements

beloved.gr — Nov 07, 2013, 05:13 PM

mrhaw thanks for the reply,
very useful information and a place to start from,
any advise on how to prevent session hijacking?

Re: custom db tables access and sql injection / prepared statements

mrhaw — Nov 07, 2013, 04:47 PM

Here is how I deal with GET/POST:

$var = mysql_real_escape_string(strip_tags($_GET['var']));

The API:

$var = $modx->db->escape(strip_tags($_GET['var']));

http://rtfm.modx.com/evolution/1.0/developers-guide/api-reference/dbapi/escape

If you are running a global script (e.g. PDF) and want it to respect web user permissions
see this: http://forums.modx.com/thread/24611/pdf-export?page=3#dis-post-125964
http://sottwell.pogwatch.com/modx-security.html

In REVO the code is more protected behind an xPDO layer and there is great API Documentation.
In EVO The old wiki is still a gold mine:
http://wiki.modxcms.com/index.php/DB_query_and_Placeholders
http://wiki.modxcms.com/index.php/API:DBAPI
http://wiki.modxcms.com/index.php/Creating_Snippets

BUT even if you make use of API calls that doesn't guarantee security!
Running eForm on your website? Consider using this:

 $value )
      {
        $stripped = strip_tags( $value );
        // If there was embedded PHP/HTML/XML etc. then not successful
        // However, proceed to clean all the fields anyway.
        if ( $stripped != $value )
        {
          $success = FALSE;
        }
        switch ( $name )
        {
        case 'email':
        case 'vericode':
          // Just strip tags. No need to escape.
          $fields[ $name ] = $stripped;
          break;
        default:          
          $fields[ $name ] = htmlspecialchars( $stripped, ENT_QUOTES, $modx->config['modx_charset'] );
        }
      }
      return $success;
    }
    
}
?>

Name snippet eformPreventXSS
And call your eForm:

           [!eformPreventXSS!]
           [!eForm? &eFormOnBeforeMailSent=`eformPreventXSS` ...

I also highly recommend adding this to the .htaccess file in the assets folder:


   Order allow,deny
   Deny from all

This will protect you when uploading extras.

custom db tables access and sql injection / prepared statements

beloved.gr — Nov 07, 2013, 10:58 AM

Dear all,

I'm building a website in MODX EVO 1.0.8 that needs to create/update some custom db tables, based on user input and I wish to be extra cautious to avoid any security issues. I'm not an expert in security measures and after some research I got a bit concerned about how I should proceed.

- Example code follows:

1. Retrieving user input
$parameters = $_GET['p'];
$parametersArray = explode("!",$parameters);

2. Inserting new rows I use something like the following:

$documentArray['name']=$parametersArray[0];
$documentArray['status']=$parametersArray[1];
$queryCreateRecord = $modx->db->insert( $documentArray,'modx_record' );

3. Updating an existing row I use something like the following:

$documentArray['id']= $modx->getLoginUserID();
$documentArray['status']= $parametersArray[1];

$table = $modx->getFullTableName( 'record' );
$queryUpdateRecord= $modx->db->update( 'status= "' .$documentArray['status']. '"', $table, 'id = "' .$documentArray['id']. '"' );

4. Selecting the rows from the db I use something like the following:

$table = $modx->getFullTableName("record");
$db_query = $modx->db->select("*", $table, "status='".$documentArray['status']."'");
if ($modx->db->getRecordCount($db_query) > 0) {
while ($rowC = $modx->db->getRow($db_queryC)) {
$id=$row['id'];
}
}

- Questions follow:

Is all the above safe or

1. should I use some user input sanitization function?
2. should I use prepared statements to avoid sql injection?
3. is there anything that I'm missing and poses a security threat in the way I handle the input and the db?
4. is there a chance that modx does the above security tasks in the background so I shouldn't worry?

Thank you all in advance, any contribution is deeply appreciated.