Conversation

@YichaoXu YichaoXu commented Mar 6, 2025

SQL Injection Vulnerability Fix

Vulnerability Description

Multiple SQL injection vulnerabilities have been identified during code review, primarily in scenarios where user input is directly concatenated into SQL statements. These vulnerabilities could lead to unauthorized database operations, including but not limited to:

  • Unauthorized data deletion
  • Data leakage
  • Database structure corruption
  • Privilege escalation
  • Denial of Service (DoS)

Vulnerability Rating

  • Severity: High
  • CVSS 3.0 Score: 8.8 (High)
  • Impact Scope: All user data in the system

Affected Functions

  1. delete_bd_user()
  2. switch_bd_user()

Detailed Vulnerability Analysis

1. SQL Injection in delete_bd_user()

Current code:

$sql = "DELETE FROM bd_user WHERE `bd_user`.`id` = $id";

Vulnerability Analysis:

  • Direct concatenation of user input ($id) into SQL statement
  • No input validation or filtering
  • Lack of parameterized queries

Attack Examples:

id = "1 OR 1=1"  // Deletes all user records
id = "1; DROP TABLE bd_user; --"  // Drops the entire user table
id = "1 UNION SELECT username,password FROM admin"  // Leaks admin credentials

Potential Impact:

  1. Complete deletion of database user records
  2. Database structure corruption
  3. Unauthorized access to sensitive information

2. SQL Injection in switch_bd_user()

Current code:

$sql = "UPDATE `bd_user` SET `switch` = '$switch' WHERE `bd_user`.`id` = $id";

Vulnerability Analysis:

  • Both $switch and $id variables are directly concatenated
  • String variables are not properly escaped
  • Integer variables lack type validation

Attack Examples:

switch = "1'; UPDATE admin SET password='hacked' WHERE 1=1; --"  // Modifies admin password
id = "1 OR id IN (SELECT id FROM bd_user WHERE 1=1)"  // Mass status modification
switch = "0'; DROP TABLE bd_user; --"  // Drops user table

Potential Impact:

  1. Unauthorized modification of user states
  2. System configuration tampering
  3. Data integrity compromise

Exploitation Conditions

  1. Submission of maliciously crafted parameters via POST requests
  2. Exploitable through form submissions or API calls
  3. No special authentication required to trigger
  4. Can be exploited using common HTTP client tools (e.g., Postman)

Impact Scope

  1. User Data Management

    • Potential unauthorized deletion of user records
    • Malicious modification of user states
  2. System Security

    • Possible database structure corruption
    • Potential sensitive information disclosure
    • System configuration tampering
  3. Service Availability

    • Potential database deletion
    • Possible denial of service

Risk Assessment

  1. Technical Impact

    • Loss of data integrity
    • System configuration compromise
    • Service unavailability
  2. Business Impact

    • User information exposure
    • Service interruption
    • Reputation damage
    • Potential financial loss

Detection Methods

  1. Code Review

    • Inspection of SQL statement construction
    • Identification of unfiltered user input
    • Detection of direct string concatenation in SQL queries
  2. Vulnerability Scanning

    • Automated SQL injection testing
    • Penetration testing verification
    • Security baseline checks

Reference Documentation

  1. OWASP SQL Injection Prevention Cheat Sheet
  2. CWE-89: SQL Injection
  3. SANS SQL Injection Guide


YichaoXu commented Mar 6, 2025

SQL Injection Vulnerability Fix

Vulnerability Description

Multiple SQL injection vulnerabilities were found during code review, mainly in scenarios where user input is concatenated directly into SQL statements. These vulnerabilities may lead to unauthorized database operations, including but not limited to:

  • Unauthorized data deletion
  • Data leakage
  • Database structure corruption
  • Privilege escalation
  • Denial of Service (DoS)

Vulnerability Rating

  • Severity: High
  • CVSS 3.0 Score: 8.8 (High)
  • Impact Scope: The data of all users of the system

Affected Functions

  1. delete_bd_user()
  2. switch_bd_user()

Detailed Vulnerability Analysis

1. SQL Injection in delete_bd_user()

Current code:

$sql = "DELETE FROM bd_user WHERE `bd_user`.`id` = $id";

Vulnerability Analysis:

  • The user-supplied $id variable is concatenated directly into the SQL statement
  • No type validation or filtering of the input at all
  • No parameterized query mechanism

Attack Examples:

id = "1 OR 1=1"  // Deletes all user records
id = "1; DROP TABLE bd_user; --"  // Drops the entire user table
id = "1 UNION SELECT username,password FROM admin"  // Leaks administrator information

Potential Impact:

  1. Deletion of all user data in the database
  2. Corruption of the database structure
  3. Unauthorized access to sensitive information

2. SQL Injection in switch_bd_user()

Current code:

$sql = "UPDATE `bd_user` SET `switch` = '$switch' WHERE `bd_user`.`id` = $id";

Vulnerability Analysis:

  • Both the $switch and $id variables are concatenated directly into the SQL statement
  • String variables are not escaped
  • Integer variables are not type-validated

Attack Examples:

switch = "1'; UPDATE admin SET password='hacked' WHERE 1=1; --"  // Modifies the administrator password
id = "1 OR id IN (SELECT id FROM bd_user WHERE 1=1)"  // Mass status modification
switch = "0'; DROP TABLE bd_user; --"  // Drops the user table

Potential Impact:

  1. Unauthorized modification of user states
  2. Tampering with system configuration
  3. Compromise of data integrity

Trigger Conditions

  1. Maliciously crafted parameters submitted via POST requests
  2. Via form submissions or API calls
  3. No special authentication required to trigger
  4. Can be carried out with common HTTP client tools (e.g., Postman)

Impact Scope

  1. User Data Management

    • User records may be deleted without authorization
    • User states may be maliciously modified
  2. System Security

    • The database structure may be corrupted
    • Sensitive information may be leaked
    • System configuration may be tampered with
  3. Service Availability

    • The database may be deleted
    • Service may be denied

Risk Assessment

  1. Technical Impact

    • Loss of data integrity
    • System configuration tampered with
    • Service unavailable
  2. Business Impact

    • User information leakage
    • Service interruption
    • Reputation damage
    • Possible financial loss

Detection Methods

  1. Code Audit

    • Inspect how SQL statements are constructed
    • Identify unfiltered user input
    • Look for SQL statements built by direct string concatenation
  2. Vulnerability Scanning

    • Run SQL injection tests with automated tools
    • Verify through penetration testing
    • Perform security baseline checks

Reference Documentation

  1. OWASP SQL Injection Prevention Cheat Sheet
  2. CWE-89: SQL Injection
  3. SANS SQL Injection Guide
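The parameterized form of the two queries analysed in both comments above (the English one and its Chinese copy), as an added example that is not the PR's own code. It assumes a MySQL PDO connection with emulated prepares disabled, that `id` is a positive integer, and that the `switch` column only ever holds '0' or '1' (an assumption about the schema); the connection credentials are placeholders.

```php
<?php
// Added example, not the PR's code. Hardened versions of the two functions the
// analysis describes: user input is bound as data, never spliced into SQL text.
// Assumes a MySQL PDO connection; the credentials below are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares: SQL and data never mix
]);

// Validate the id up front: anything that is not a positive integer (e.g. the
// "1 OR 1=1" value from the analysis) is rejected before any query is built.
function require_positive_int($value, string $name): int
{
    $int = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($int === false) {
        throw new InvalidArgumentException("$name must be a positive integer");
    }
    return $int;
}

function delete_bd_user(PDO $pdo, $id): int
{
    $id = require_positive_int($id, 'id');
    $stmt = $pdo->prepare('DELETE FROM `bd_user` WHERE `bd_user`.`id` = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // 0 or 1: at most the one matching row is removed
}

function switch_bd_user(PDO $pdo, $id, $switch): int
{
    $id = require_positive_int($id, 'id');
    // The original stores `switch` as a quoted string; an allow-list of the values
    // the application uses (assumed here to be '0' and '1') is tighter than escaping.
    $switch = (string) $switch;
    if (!in_array($switch, ['0', '1'], true)) {
        throw new InvalidArgumentException('switch must be "0" or "1"');
    }
    $stmt = $pdo->prepare(
        'UPDATE `bd_user` SET `switch` = :switch WHERE `bd_user`.`id` = :id'
    );
    $stmt->bindValue(':switch', $switch, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Typical call site: values come straight from the request and are validated inside.
$deleted = delete_bd_user($pdo, $_POST['id'] ?? null);
$updated = switch_bd_user($pdo, $_POST['id'] ?? null, $_POST['switch'] ?? null);
```

With the id bound as an integer parameter and the switch value allow-listed, every attack value listed in the analysis is rejected by validation or treated as a literal, and the statement text the server parses never changes.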
