0

Somebody emailed me this morning informing me that they gained access to my client's MySQL database and offered to fix the issue in exchange for money. I've been doing some testing with a real estate listing site. The way the site is set up, it currently has `property.php?estateID=103`, and doing `property.php?estateID=103 union select 1,useraccounts(),3,4,5,6,7` pulls back the error `FUNCTION database_table.useraccounts does not exist`, and I am assuming that is what is helping this hacker gain access to my database. How can I prevent this? Will simple sanitizing help? The database is MySQL 5.5.

Cody
  • 1
  • Possible duplicate of [SQL Injection Prevention](https://security.stackexchange.com/questions/1257/sql-injection-prevention). See also [SQL injection — why isn't escape quotes safe anymore?](https://security.stackexchange.com/questions/3611/sql-injection-why-isnt-escape-quotes-safe-anymore). The simple answer is yes, you are vulnerable, and you need to use prepared statements asap. – tim May 22 '17 at 14:39

1 Answer

1

The vulnerability you describe is called SQL injection. It can be prevented by using parameterized queries. In this specific case it is also a good idea to do input validation, to make sure estateID is a number. This site explains how to prevent SQL injection for several programming languages.

Sjoerd
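The two fixes the answer recommends, shown together in a PHP version of `property.php` as an added example (this is not code from the question or the answer). It uses PDO prepared statements and `filter_var` for the integer check; the table name `estates`, its columns, and the `DB_*_PLACEHOLDER` connection values are assumptions, not anything taken from the site in the question.

```php
<?php
// Added example: a hardened property.php. Table `estates`, its columns and
// the DB_*_PLACEHOLDER credentials are assumed, not taken from the question.
declare(strict_types=1);

// The pattern that makes the page injectable is building SQL from the raw
// query string, e.g. (do not use):
//   $db->query("SELECT * FROM estates WHERE estateID = " . $_GET['estateID']);
// Everything after the number, such as " union select ...", becomes SQL.

// Fix 1: input validation. estateID must be a positive integer; strings,
// arrays (estateID[]=1) and anything with trailing text are rejected here.
function validateEstateId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Fix 2: a parameterized query. The SQL text is fixed at prepare time and the
// value travels separately as a bound parameter, so it is never parsed as SQL.
function fetchEstate(PDO $pdo, int $estateId): ?array
{
    $stmt = $pdo->prepare(
        'SELECT estateID, title, price, address FROM estates WHERE estateID = :id'
    );
    $stmt->bindValue(':id', $estateId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection. Emulated prepares are switched off so the MySQL server itself
// performs the binding rather than the PDO driver interpolating client-side.
$pdo = new PDO(
    'mysql:host=DB_HOST_PLACEHOLDER;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

$estateId = validateEstateId($_GET['estateID'] ?? null);
if ($estateId === null) {
    http_response_code(400);
    exit('Invalid estate id');
}

try {
    $estate = fetchEstate($pdo, $estateId);
} catch (PDOException $e) {
    // Log the real message server-side and show a generic one. The
    // "FUNCTION ... does not exist" text in the question is database detail
    // that should never reach the browser.
    error_log($e->getMessage());
    http_response_code(500);
    exit('Internal error');
}

if ($estate === null) {
    http_response_code(404);
    exit('Estate not found');
}

// Output encoding is a separate concern from SQL injection, but worth doing
// on the same page.
echo htmlspecialchars($estate['title'], ENT_QUOTES, 'UTF-8');
```

With this in place, `estateID=103 union select 1,useraccounts(),3,4,5,6,7` fails the `FILTER_VALIDATE_INT` check and gets a 400 before any query runs; even if validation were skipped, the bound `:id` parameter would be sent to MySQL as the integer value, not spliced into the statement text. The same approach works with `mysqli` (`prepare` plus `bind_param('i', $estateId)`) if PDO is not available; the detail that matters is that the query text and the user-supplied value are never concatenated.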