OK, it may sound ridiculous, but this is what happened:

  • I've set up a site, fully working, on CodeIgniter
  • The site is obviously db-driven, with users tables (and many more) in it
  • Today, I've logged in, and in the place of "Name"... instead of the username, I'm seeing "Use PDO" (I've also checked the db table, from phpMyAdmin, and the specific field seems to have been altered :S).

And I'm thinking: "Somebody has hacked the site." Something like a bad (though educational) joke, maybe?

Am I right? (I feel a bit stupid asking that, but whatever...)

If so, what should I do in order to prevent such a thing happening in the future?

Hint: ALL my db access is done using CodeIgniter's db functions, so I suppose everything should have been properly escaped. Any ideas?

Dr.Kameleon
  • maybe someone registers with username `Use PDO`. hehe – John Woo Oct 20 '12 at 07:36
  • @JohnWoo That *would* make sense if that *someone* wasn't myself, having already registered with the very same username I've been using everywhere (Dr.Kameleon)... – Dr.Kameleon Oct 20 '12 at 07:38
  • Well, if data which shouldn't be updated was updated nevertheless, how can it be anything else than a hack? ) – raina77ow Oct 20 '12 at 07:41
  • @raina77ow Well, it's one of those cases when one prefers to be in denial... lol – Dr.Kameleon Oct 20 '12 at 07:42
  • And for the 'how to prevent' part: you do understand that it cannot be answered right away without any additional information? ) BTW, just _using_ CodeIgniter does not prevent injections; it's the way of using it that matters. For example, do you use query bindings - or escaping queries with `$db->escape`? – raina77ow Oct 20 '12 at 07:45
  • Anyway, as you probably won't be able to share all the data required to properly answer this, I'd recommend reading [this answer](http://stackoverflow.com/a/6323741/1229023) for a start. – raina77ow Oct 20 '12 at 07:54
  • @raina77ow Any ideas on how I could test and see what could be injected? I've got a login page ( http://r.drkameleon.com/log/in ) as well as a registration page ( http://r.drkameleon.com/register ). I suppose one of them is to blame, huh? – Dr.Kameleon Oct 20 '12 at 08:13
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/18331/discussion-between-raina77ow-and-dr-kameleon) – raina77ow Oct 20 '12 at 08:25
  • CodeIgniter is the worst framework when it comes to escaping. It still uses the old functions. If you indeed wanna use it, use it with PDO with prepared statements. PDO and CI can go hand in hand; it just isn't the default. – itachi Oct 20 '12 at 09:15

2 Answers

The issue has been resolved, thanks to @raina77ow.

The DB access had been in really bad shape, and the (quasi-obvious) solution was to start using prepared statements and query bindings.

Reference: http://codeigniter.com/user_guide/database/queries.html

Dr.Kameleon
  • Here's the comment we give everyone, just for future reference: – Madara's Ghost Oct 20 '12 at 09:17
  • Please, don't use `mysql_*` functions to write new code. They are no longer maintained and the community has begun the [deprecation process](http://goo.gl/KJveJ). See the *[red box](http://goo.gl/GPmFd)*? Instead you should learn about [prepared statements](http://goo.gl/vn8zQ) and use either [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli). If you can't decide which, [this article](http://goo.gl/3gqF9) will help you. If you pick PDO, [here is a good tutorial](http://goo.gl/vFWnC). Also see [Why shouldn't I use `mysql` functions in PHP?](http://goo.gl/ycnmO) – Madara's Ghost Oct 20 '12 at 09:17
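As an added illustration (this is not code from the question, the answer, or CodeIgniter's own documentation), here is the lookup pattern that leaves a username field open to whatever the visitor typed, next to the query bindings and prepared statements the accepted answer moved to. `$db` stands for CodeIgniter 2.x's `$this->db` inside a controller or model; the `users` table with `id`, `username` and `name` columns is assumed for the example.

```php
<?php
// Added example, not from the original post. Table and column names are assumed.

// UNSAFE: the username is spliced into the SQL text. Whatever the user typed
// becomes part of the statement, so the database can end up executing (and
// storing) something other than what the form was meant to allow.
function find_user_unsafe($db, $username)
{
    $sql = "SELECT id, username, name FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->row();
}

// SAFE (CodeIgniter query bindings): each ? is replaced by the matching array
// element, which the driver escapes and quotes. Your code never builds the
// quoted literal, so there is no quote for the input to break out of.
function find_user_bound($db, $username)
{
    $sql = "SELECT id, username, name FROM users WHERE username = ?";
    return $db->query($sql, array($username))->row();
}

// SAFE (CodeIgniter Active Record): where() and get() assemble the statement
// and escape the value for you.
function find_user_active_record($db, $username)
{
    return $db->where('username', $username)
              ->get('users')
              ->row();
}

// SAFE (manual escaping) for the rare case where the statement really must be
// assembled as a string: escape() returns the value already quoted and escaped;
// numeric parameters are cast so only digits reach the SQL.
function update_name_escaped($db, $user_id, $new_name)
{
    $sql = "UPDATE users SET name = " . $db->escape($new_name)
         . " WHERE id = " . (int) $user_id;
    return $db->query($sql);
}

// SAFE (plain PDO, as suggested in the comments): a prepared statement sends
// the SQL and the data separately, so the value is never parsed as SQL at all.
function update_name_pdo(PDO $pdo, $user_id, $new_name)
{
    $stmt = $pdo->prepare('UPDATE users SET name = :name WHERE id = :id');
    $stmt->bindValue(':name', $new_name, PDO::PARAM_STR);
    $stmt->bindValue(':id', (int) $user_id, PDO::PARAM_INT);
    return $stmt->execute();
}
```

The practical check for an existing CodeIgniter codebase is to grep for `->query(` calls whose first argument is built with `.` concatenation or with a variable inside double quotes; every one of those is a candidate for conversion to the `?`-binding form above. When using PDO directly against MySQL, `$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false)` makes the server, rather than the PHP driver, do the parameter handling, so the statement text and the data genuinely travel apart.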
Looks to me like someone at least tried to inject code.

`use PDO; $db = new PDO(); $db->save();`

Or something like that, but ended up saving that data in the user table. I think he must have tried to inject code in the registration page (if available). Can't say more without actually knowing the changes in the database.

Hope this helps.

Amit Kriplani
  • There surely is both a registration AND a login page. The thing is, how could I test what (and how?) one could have injected in the db? (I really know close to nothing practical about SQL injection... :S) – Dr.Kameleon Oct 20 '12 at 08:12
  • (The exact links for the 2 pages have been posted as a comment to the original post.) – Dr.Kameleon Oct 20 '12 at 08:14