Is htmlspecialchars enough to prevent an SQL injection on a variable enclosed in single quotes?

Question 1

Although many sources quote the htmlspecialchars function with ENT_QUOTES to be not enough to prevent SQL injection, none of them provide a proof of the concept. I cannot think of any possibility myself.

Let us consider the following example:

$username = htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');
$sql = "SELECT * from user WHERE name='$username'";
mysql_query($sql,...);

Can any one provide an example, OTHER than ones covered by the case when SQL injection gets around mysql_real_escape_string()?

Question 2

The character that htmlspecialchars fails to encode the critical character (NUL byte), b (backspace), as well as the character.

In order to exploit this, you need a statement with multiple injection points. With this you can escape the closing delimiter of one string literal and thus expand it up to the next starting delimiter of the next string literal. Three string literals each with an injection point can then be transformed into two string literals.

For example:

SELECT * from user WHERE (name='$login' OR email='$login') AND password='$password'

Now with the following values:

login:    ) OR 1=1 /*
password: */--

The resulting statement looks like this:

SELECT * from user WHERE (name=') OR 1=1 /*' OR email=') OR 1=1 /*') AND password='*/--'

Which is equivalent to:

SELECT * from user WHERE (name=') OR 1=1 /*' OR email=') OR 1=1

Question 3

SQL injection attacks happen when user input is improperly encoded. Typically, the user input is some data the user sends with her query, i.e. values in the $_GET, $_POST, $_COOKIE, $_REQUEST, or $_SERVER arrays. However, user input can also come from a variety of other sources, like sockets, remote websites, files, etc.. Therefore, you should really treat everything but constants (like 'foobar') as user input.

In the code you posted, mysql_real_escape_string is used to encode(=escape) user inputs. The code is therefore correct, i.e. does not allow any SQL injection attacks.

Note that it's very easy to forget the call to mysql_real_escape_string - and one time is enough for a skilled attacker! Therefore, you may want to use the modern PDO with prepared statements instead of adodb.

Question 4

SQL Injection and XSS are the most common mistakes that programmers make. The good news is that they are easiest to automatically test for, as long as you have the right software. When I am on a pentest I use Sitewatch or Wapiti for finding web application vulnerabilities. Acunetix is over priced.

But, you can't just fire off some automated tool and expect everything to work. There are a number of precautions you must take with ANY vulnerability scanner you choose.

1) make sure display_errors=On in your php.ini Sql Injection tests rely on being able to see mysql error messages in the response pages! No error, no vulnerability detected!

2) Scan the authenticated areas of your application. Create a user account specifically for testing. Acuentix has an easy wizard where you can create a login sequence. If you are using wapiti you can give a cookie to wapiti or give wapiti a post request to fire off but this is kind of tricky.

AFTER you have tested your application then test your server for misconfiguration. To test your server then you need to run OpenVAS which is the new more free version of Nessus which is now a commercial product. Then you should follow this up with PhpSecInfo. These tests will notify you of problems with your configuration or if you are running old vulnerable software.

Nothing will ever be 100% secure, EVER. No matter what you do there are vulnerabilities that will slip though the cracks. There are vulnerabilities in all development platforms that lead a compromises that no tool can test for. There are also bugs in the testing tools you use. There are false posties and false negatives and some tests that just don't work, a good example i have never seen an automated CSRF tool that actually finds legit vulnerabilities. Acunetix's CSRF test is a complete waste of time.

There is also the OWASP testing guide which goes into greater detail. This is not to be confused with the OWASP Top 10 which is also an excellent resource. The PHP Security Guide is also a great resource for php programmers.

Question 5

http://docs.jboss.org/hibernate/orm/3.3/reference/en/html/queryhql.html#queryhql-subqueries

Note that HQL subqueries can occur only in the select or where clauses.

You can rewrite the query so that the subquery is part of the where clause instead. Referencing the l.idItem in the subquery

Question 6

After a thorough research, what I have come to know is that there are more than one limitations/hurdles to make it possible. These limitations/hurdles are at three different levels.

First limitation is at API level, because there is no high-level API to play sound files in the conversation audio during a call as mentioned in Android official documentation.

Second limitation is at Radio Interface Layer (RIL). RIL passes on complete control of the call to Radio Daemon (rild) of the Linux library which then further passes the control to the vendor RIL. That means we cannot manipulate voice call in android source code.

Even if we are able to remove these two limitations, we may still not be able to play audio file to an ongoing voice call. Because there is a third limitation. Every vendor has their own library of RIL that communicates with Radio Daemon (rild). This requires that vendor RIL to be open source which is not actually. Hardware vendors do not usually make their device drivers code available.

Detail discussion on this topic is present at this link.

Is htmlspecialchars enough to prevent an SQL injection on a variable enclosed in single quotes?

Answers

php,sql,security,sql-injection