Are additional measures to avoid SQL injection attacks really necessary?

0

I was taking a look at some projects on the internet that involve security and I came across the following code.

All requests to the site were redirected to index.php by mod_rewrite, the database connection was made with PDO using prepared statements, everything was standard; then I looked at the index and came across this code:

    /** The project only allows slugs of up to 250 characters **/
    // Note: strlen() counts bytes, not characters, so multibyte (UTF-8) slugs
    // hit this limit sooner than the comment suggests.
    if (isset($_GET['params']) && (strlen($_GET['params']) > 250))
    {
        header('HTTP/1.0 403 Forbidden');
        die('<b>O endereço atual excede os limites de segurança</b>');
    }

I thought it was strange and I decided to download it to check it out.

I used sqlmap to run some tests and it did not work. I removed the lines I posted above and ran the tests again; basically nothing changed, except that in the Apache logs I could see the sqlmap strings "passing" rather than being "barred" by the script and generating 403 errors.


To secure the application and save server resources, is the code above a precautionary measure or an unnecessary one?

asked by anonymous 11.12.2015 / 22:03

1 answer

4

I do not really understand the question. I think you are saying that $_GET['params'] is passed to MySQL; the check does not seem intended to avoid SQL injection. I believe there may be two reasons for it:

Slug URLs

Reading about the term "slug", it means that URLs should be easier for humans to read, or we are talking about rewritten URLs (mod_rewrite); an example would be:

  • Page / article title: How to create friendly urls!
  • Title slug for url: how-to-create-urls-friendly

In the code in question this slug has a limit of 250 characters, because the idea is that if it is longer it will probably be difficult for the user to "remember". Not that the proposed solution will solve that, but it is a way of trying to avoid the problem.

Avoid unnecessary connections to mysql

So, if the parameters are invalid there is no need to connect to MySQL; this would save the server a little, because there are apparently no URLs with more than 250 characters, and every valid request connects to the MySQL server. I know it would be difficult to have many connections with invalid queries.

In the code you mentioned I noticed a strange thing: it seems to try to avoid strings longer than 250 (strlen($_GET['params']) > 250), but as @rray said, strlen returns bytes and not characters, so maybe the code does not work as expected.

12.12.2015 / 00:56
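The points made above (the length check is a cheap pre-filter, strlen counts bytes rather than characters, and the prepared statement is what actually stops injection) in one place, as an added example that is not code from the question or the answer. The function name validateSlug, the constant MAX_SLUG_CHARS, the table/column names and the DSN and credentials are assumptions for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not from the question or the answer. MAX_SLUG_CHARS and
// validateSlug are hypothetical names chosen for this illustration.
const MAX_SLUG_CHARS = 250;

/**
 * Returns the slug if it is acceptable, or null if the request should be refused.
 *
 * Three checks the snippet in the question does not make:
 *  - $_GET['params'] can be an array (?params[]=x), so a string type check comes first;
 *  - strlen() counts bytes while mb_strlen() counts characters, so with UTF-8 slugs a
 *    strlen()-based limit of 250 can reject far fewer than 250 characters;
 *  - a slug is only ever [a-z0-9] groups joined by single hyphens, so anything else
 *    is rejected before a database connection is even opened.
 */
function validateSlug(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    if (mb_strlen($raw, 'UTF-8') > MAX_SLUG_CHARS) {
        return null;
    }
    if (preg_match('/^[a-z0-9]+(?:-[a-z0-9]+)*$/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

// Byte count versus character count, the point raised by @rray (constructed sample).
$sample = 'como-criar-urls-amigáveis';
printf("strlen=%d mb_strlen=%d\n", strlen($sample), mb_strlen($sample, 'UTF-8'));

$slug = validateSlug($_GET['params'] ?? null);
if ($slug === null) {
    http_response_code(403);
    exit('Forbidden');
}

// The validation above only saves a database round trip; the prepared statement
// below is the actual SQL injection control. DSN and credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
]);
$stmt = $pdo->prepare('SELECT id, title, body FROM articles WHERE slug = :slug LIMIT 1');
$stmt->execute([':slug' => $slug]);
$article = $stmt->fetch(PDO::FETCH_ASSOC);
```

Because the character-set whitelist already excludes quotes, spaces and comment sequences, a scanner payload never reaches the database layer at all, which is the "barred" behaviour the asker expected; the prepared statement still has to be there for the case where validation is loosened later.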