#1 / Oct 06, 2010 1:24pm
On a custom member field someone submitted:
(?:^Member$)
I assume a hack, but does anyone know what exactly? What kind of protection does EE have against injection attacks?
#2 / Oct 06, 2010 1:40pm
I’m confused, dzr_rtw: do you have evidence of a successful SQL injection? This looks to be someone fiddling with trying to break RegEx, but it would not work. User input is escaped in queries.
-greg
#3 / Oct 06, 2010 4:20pm
Oh no, not at all. This just looked sketchy and I was wondering:
A. what was being tried here and
B. in general, what kind of protection does EE have against injection attacks?
#4 / Oct 07, 2010 3:43am
dzr_rtw,
A. what was being tried here and
As Greg mentions, somebody might be trying to break RegEx. It could also have been a spammer using something to auto-submit a registration.
B. in general, what kind of protection does EE have against injection attacks?
All first-party code validates input and escapes data before using it in queries; cross-site scripting attack prevention, among other things, is also standard.
Does that help?
#5 / Feb 20, 2011 12:20pm
In 2.0, does the query module also escape data before it is used in the select queries? Can I use {segment_3} inside of a query without any worries? Does {segment_3} mean it has already removed any possible SQL injection / PHP / XSS attack, and I can use it in a standard SQL SELECT statement (not a query module tag)?
#6 / Feb 21, 2011 8:32am
Hi, Senor Dave. I believe so, should be no difference between 1.x and 2.x in that regard.
#7 / Mar 26, 2011 2:42pm
In 2.x, what about a nested query (select inside of a select) using the query module? Does it prevent SQL injection / PHP / XSS attacks?
Example:
{exp:query sql="SELECT DISTINCT title, id
FROM table1
WHERE id IN (SELECT id FROM table2 WHERE name = {segment_3})
ORDER BY title ASC"}
Thanks for the help
#8 / Mar 26, 2011 6:20pm
Señor Dave, you’ll need to have a core EE developer find the time in these busy days to give a completely satisfying answer, but:
- a quick look at the source code appears to show segments are safety-sanitized in the same way as all other available data, before they are made available for you to use them in a template. Remember that this is where you are using {segment_n}, for an exp:query template tag.
- because the segment information itself is safe, there should be no issue with how you use it in a template. Nesting or not in exp:query SQL is still just using the made-available EE data.
At the same time, I think you were wise to want to look into this, yes; and that’s why I took my own brief look at it here.
- EE does have a very enviable safety/security record, and all releases to this point show the kind of attention internally which gains this.
- can you break this security? Yes, of course, by mistakes in included PHP that you write yourself. However, again, you’d find that the places you would take information to use are already safetied, if you use normal care and knowledgeable attention in this kind of coding.
- And once again, exp:query is specifically not included PHP; except in special cases, it should be used with that turned off in the individual template preferences, which is the default.
I think we can relax, and it is nice when a developer really can break free to verify.
Regards, Señor Dave, y hasta la vista,
Clive
#9 / Mar 28, 2011 7:05am
Senor Dave,
We would recommend always quoting your variables as below
{exp:query sql="SELECT DISTINCT title, id
FROM table1
WHERE id IN (SELECT id FROM table2 WHERE name = '{segment_3}')
ORDER BY title ASC"}
You can find more info in our docs here
You should always make the extra effort to sanitize your data before it gets fed to the database
Note also that the query module can only do SELECT statements
And just because I haven’t seen it in a while I’m linking to this again
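The advice in this post is to quote the variable and still sanitize the data. The following is an added example, not code from this thread or from ExpressionEngine: it models the text substitution a template engine performs on the thread's query (an unquoted and a quoted {segment_3}) against an in-memory SQLite stand-in for MySQL, with constructed sample rows for table1 and table2. It shows why the unquoted form fails, why quoting alone still breaks on a legitimate value containing an apostrophe, and that escaping or, better, a bound parameter is what actually makes the value safe as data. The escape_literal helper and the row data are assumptions made for the demonstration; it does not model what EE itself does to segments.

```python
import sqlite3

# Constructed sample rows standing in for the thread's table1/table2.
TABLE1 = [(1, "Alpha"), (2, "Beta"), (3, "Gamma")]
TABLE2 = [(1, "Member"), (2, "O'Brien"), (3, "Member")]


def fresh_db():
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table1 (id INTEGER, title TEXT)")
    conn.execute("CREATE TABLE table2 (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO table1 VALUES (?, ?)", TABLE1)
    conn.executemany("INSERT INTO table2 VALUES (?, ?)", TABLE2)
    return conn


# The thread's query, as templates with a {segment_3} placeholder:
# the original unquoted form and the quoted form recommended in post #9.
UNQUOTED = ("SELECT DISTINCT title, id FROM table1 "
            "WHERE id IN (SELECT id FROM table2 WHERE name = {segment_3}) "
            "ORDER BY title ASC")
QUOTED = ("SELECT DISTINCT title, id FROM table1 "
          "WHERE id IN (SELECT id FROM table2 WHERE name = '{segment_3}') "
          "ORDER BY title ASC")


def escape_literal(value):
    """Assumed helper: escape a value for use inside a single-quoted SQL
    string literal by doubling the quote, which is the SQL-standard escape
    and the minimum a hand-built query string needs."""
    return value.replace("'", "''")


def run_template(template, segment, escape=False):
    """Substitute the segment into the template as plain text, the way a
    text template engine would, then run it. Returns the list of titles,
    or an 'error: ...' string if the database rejects the statement."""
    value = escape_literal(segment) if escape else segment
    sql = template.replace("{segment_3}", value)
    conn = fresh_db()
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return "error: " + str(exc)
    finally:
        conn.close()


def run_parameterized(segment):
    """Preferred form: the value travels as a bound parameter and is never
    spliced into the SQL text, so no quoting or escaping is needed."""
    sql = ("SELECT DISTINCT title, id FROM table1 "
           "WHERE id IN (SELECT id FROM table2 WHERE name = ?) "
           "ORDER BY title ASC")
    conn = fresh_db()
    try:
        return [row[0] for row in conn.execute(sql, (segment,))]
    finally:
        conn.close()


if __name__ == "__main__":
    # Unquoted: the bare word is parsed as a column name, not a value.
    print(run_template(UNQUOTED, "Member"))
    # Quoted: works for a plain value.
    print(run_template(QUOTED, "Member"))
    # Quoted but not escaped: a legitimate apostrophe breaks the statement.
    print(run_template(QUOTED, "O'Brien"))
    # Quoted and escaped: the apostrophe is now part of the literal.
    print(run_template(QUOTED, "O'Brien", escape=True))
    # Bound parameter: correct for any value, no escaping step to forget.
    print(run_parameterized("O'Brien"))
    # The odd string from post #1 is just data here and matches nothing.
    print(run_parameterized("(?:^Member$)"))
```

The quoted-but-unescaped case is the one to note: it is not only an injection concern but a correctness bug for ordinary data, which is why the post says to sanitize in addition to quoting. Where the database layer offers bound parameters, as in run_parameterized, that is the form to reach for.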
#10 / May 13, 2011 10:50pm
Thank you guys for all the help.
Dave
#11 / May 14, 2011 1:22pm
Hi Dave,
Good stuff. I’ll go ahead and close this now but please post again if you have further questions or problems.
Cheers
Greg
@Clive, thanks for your help.