Is it possible to manipulate SESSION variables to perform SQL Injection?


I am not a cyber attack specialist and I have a small question about the safety of my projects. Basically, one of the ways I protect myself against SQL injection is by creating a "treatString()" function, for example, and filtering all externally supplied data through that function. Great! It works...!

I know that it's possible to manipulate a browser's COOKIES maliciously so that when the application uses $_COOKIES, the injection happens. So I also filter them through the function above.

The question is... can SESSION variables also be manipulated maliciously? Should I protect myself against them too? Can they be manipulated externally, just like COOKIES?

If yes, I'm screwed. In none of the projects I created did I foresee injection via SESSION, and the first ones I made did not use PDO to connect to the database. Worse, I remember using the session variables directly in the SQL statements.

Any ideas?

Thank you for your support. Hugs !!

asked by anonymous 24.07.2018 / 17:28

2 answers


As friends commented above, it is important to use tried-and-tested methods for data filtering, such as mysql_real_escape_string.

However, since your question is about SQL Injection via session variables, the answer is yes. Suppose you store the user's session in a session variable named id ($_SESSION['id']), for example; one way to validate whether the user has a valid session is to compare the user's browser session ($_SESSION['id']) with the one stored in the database.

To better understand my response, I recommend checking the

17.11.2018 / 15:06

If the session stores some value that is supplied by the user: yes. A common case would be:

  • The user enters the name "or"1"="1
  • You run INSERT tabela( nome ) VALUES ("\"or"1"="1")
    In this case no "SQL Injection" is performed; you simply have a name like any other string.

  • Then the user accesses a page where you retrieve nome from the database and create a session with it, which results in $_SESSION['nome'] = "or"1"="1 .

  • Then you decide to SELECT * WHERE nome = "$_SESSION['nome']" , which in this case will be exactly: SELECT * WHERE nome = ""or"1"="1" , thus returning all the data instead of only the specified name.

17.11.2018 / 18:40
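The second-order path described in the answer above, as an added example that is not part of the original post: a parameterised INSERT stores the odd name verbatim, the login step copies it into a session dict that stands in for $_SESSION, and the interpolated SELECT then returns every row while the parameterised one returns only the matching user. It uses Python with an in-memory SQLite table named tabela (a constructed stand-in for the answer's database) and single quotes instead of the answer's double quotes, because SQLite only reliably treats single quotes as string delimiters (MySQL accepts both the same way).

```python
import sqlite3

# Constructed payload: the answer's name with MySQL-style double quotes
# rewritten with single quotes so SQLite parses it as a string delimiter.
MALICIOUS_NAME = "' OR '1'='1"


def setup_db() -> sqlite3.Connection:
    """Create an in-memory table with a few constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tabela (id INTEGER PRIMARY KEY, nome TEXT, email TEXT)")
    # The INSERT is parameterised, so the odd name is stored verbatim:
    # no injection happens at write time, exactly as the answer describes.
    rows = [
        ("alice", "alice@example.test"),
        ("bob", "bob@example.test"),
        (MALICIOUS_NAME, "third@example.test"),
    ]
    conn.executemany("INSERT INTO tabela (nome, email) VALUES (?, ?)", rows)
    return conn


def login(conn: sqlite3.Connection, user_id: int) -> dict:
    """Simulate the login step: copy the stored name into the session."""
    (nome,) = conn.execute("SELECT nome FROM tabela WHERE id = ?", (user_id,)).fetchone()
    return {"nome": nome}  # stands in for $_SESSION


def lookup_unsafe(conn: sqlite3.Connection, session: dict) -> list:
    """Vulnerable: trusts the session value and interpolates it into SQL."""
    sql = f"SELECT id, nome FROM tabela WHERE nome = '{session['nome']}'"
    # For the malicious name this becomes:
    #   ... WHERE nome = '' OR '1'='1'   -> matches every row
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, session: dict) -> list:
    """Fixed: the session value is bound as a parameter, never parsed as SQL."""
    return conn.execute(
        "SELECT id, nome FROM tabela WHERE nome = ?", (session["nome"],)
    ).fetchall()


def demo() -> tuple:
    """Return (rows from the vulnerable query, rows from the fixed query)."""
    conn = setup_db()
    session = login(conn, 3)  # log in as the user whose name holds the payload
    return len(lookup_unsafe(conn, session)), len(lookup_safe(conn, session))


if __name__ == "__main__":
    unsafe, safe = demo()
    print(f"interpolated query returned {unsafe} rows, parameterised query returned {safe}")
```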