Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    PHP SQL Injection

    General pfSense Questions
    2
    3
    715
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      tux last edited by

      I noticed that the mysql driver for PHP is using an older version which is soon to be deprecated.  On my captive portal with radius I created a registration form with a simple query on a database server:

      $query = mysql_query("INSERT INTO reg_users (user_name, user_email, password, macaddress, phone_number, gender, reg_date) 
VALUES 
('$user_name', '$user_email','$password', '$macaddress', '$phone_number', '$gender', '$reg_date')");

      Which is pretty much prone to sql injection, I just finished pentesting the form but I was wondering why sqlmap was not able to penetrate to such query.

      I also noticed that the phpinfo for pfsense has credits on extensions such as mysqli which is not supported by the current version or is it already supported? I would love to know what's under the hood.

      1 Reply Last reply Reply Quote 0
      • H
        Harvy66 last edited by

        Another quest is why is there code that hits tables directly? Everything should be through stored procedures and the client should not have direct table access. Much harder to dump tables with a SQL injection if you can't read the tables. /endrant

        1 Reply Last reply Reply Quote 0
        • T
          tux last edited by

          It's a pretty much accurate comment.  Though the resource in the /documentation is using the traditional way. :)  https://doc.pfsense.org/index.php/Using_Captive_Portal_with_FreeRADIUS#CaptivePortal_Self-Registration:FreeRADIUS.2B_MySQL

          1 Reply Last reply Reply Quote 0
          • First post
            Last post

          Products

          • Platform Overview
          • TNSR
          • pfSense
          • Appliances

          Services

          • Training
          • Professional Services

          Support

          • Subscription Plans
          • Contact Support
          • Product Lifecycle
          • Documentation

          News

          • Media Coverage
          • Press
          • Events

          Resources

          • Blog
          • FAQ
          • Find a Partner
          • Resource Library
          • Security Information

          Company

          • About Us
          • Careers
          • Partners
          • Contact Us
          • Legal
          Our Mission

          We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

          Subscribe to our Newsletter

          Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

          © 2021 Rubicon Communications, LLC | Privacy Policy