Question

Question 14 (7 marks) Marilyn Monroe, a recent graduate from another university, has not had the benefit of education in secure coding techniques. In her first job, coding an e-commerce site, she writes the following PHP code: $query"SELECT FROM customers WHERE acctno -'". POST['acctno']. "'"; $result - $conn->query ($query); a. (1 mark) What has she done wrong? b. (4 marks) Describe two ways of fixing this problem. (2 marks) Give an example of the type of account number value an attacker could use to test whether the system is exploitable. *c.

Answer 1

1. She is directly using user input on the query without sanitizing it. Attacker may not always send the correct value, he may send some value which can be harmful to the system.

----------------------

2. TO fix the issue, one can either manually sanitize the user input, like, do not allow special characters like quotes etc and sanitize user input to whatever can be valid. Other way would be: To use prepared statement, PDO or MysqlI, which are safe to be executed.
----------------------
3.

If the attacker gives a string like below:
$_POST['acctno'] = "a' or '1'='1"

The wholoe query would become:
SELECT * FROM Customers where acctno = 'a' or '1'='1'

note that even if the first clause is not matching, second clause will match for all the rows.. So this query would return all the user accounts, which is a data leak.

----------------------

Thanks!