SQL / PHP Injection hacks to change user start dates


madbutnotmad
Veteran

Joined: 20 Nov 2016
Age: 51
Gender: Male
Posts: 1,678
Location: Jersey UK

29 Nov 2020, 9:41 pm

I wonder if any of you people are familiar with SQL / PHP injection hacks?

I have noticed (and I am not going to make it personal) that several of the users
who recently joined over the last month or so started off with a joined date stating a
recent date; however, a few of them appear to have changed their starting dates
to make it look like they have been members for 10 years plus.

This I believe is done using SQL / PHP injection.

I don't understand why anyone would do this on such a benign website.

I have seen people do this for other reasons, such as on YouTube, when people
want to take credit for other people's original creative and intellectual copyright works,
especially when it comes to music, as music can make money as well as give people kudos.



Mona Pereth
Veteran

Joined: 11 Sep 2018
Gender: Female
Posts: 7,811
Location: New York City (Queens)

05 Jan 2021, 11:38 am

SQL / PHP injection and other similar hacks can be prevented via less vulnerable back end software design, as follows:

1) Avoid using eval or any similar function that can turn user input directly into arbitrary code that is then executed by the system.

2) Do not allow front end code (e.g. JavaScript, which is executed directly by a web browser, and hence can be modified directly by a user with appropriate tools) to write directly to the database. Only backend processing code (e.g. PHP) should write to the database. This has the disadvantage of being more expensive in terms of system resources, i.e. the server has to do more work, but it is crucial in terms of security.

3) Even backend processing code (e.g. PHP) should NOT take user input and write it DIRECTLY to the database. Instead, user input should first be validated (on the back end, NOT just on the front end), and then written to a software-defined data object in memory, whose contents THEN should be written to specific tables (and specific fields thereof) in the database. These extra steps too have the disadvantage of being more expensive in terms of system resources, but they ensure that the ONLY data that gets written to the database has the expected format, doesn't contain any funny business, and doesn't get written to any database fields that shouldn't be modified (such as the user's join date).

4) Don't use PHP. Use a more robust language on the back end, such as Java (servlets/JSP). [Note: I am NOT suggesting here that Java be used on the front end, e.g. applets.]

For the past several years I've been working on a custom electronic medical records system, where security is crucial for legal reasons (HIPAA).


_________________
- Autistic in NYC - Resources and new ideas for the autistic adult community in the New York City metro area.
- Autistic peer-led groups (via text-based chat, currently) led or facilitated by members of the Autistic Peer Leadership Group.
- My Twitter / "X" (new as of 2021)
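Added example, not code from the thread or from any forum software: a profile-update handler written two ways, to show what the post's steps 2 and 3 buy you. The vulnerable version builds the UPDATE by string concatenation from whatever fields the request supplies. The hardened version validates on the back end, copies the input into an in-memory data object that only has user-editable fields, and binds values to column names fixed in code with parameterised SQL, so the join date column is simply unreachable. The table and column names (users, location, joined), the sample row and the attack string are all constructed for the demo.

```python
import sqlite3
from dataclasses import dataclass
from typing import Optional


def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed row (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, location TEXT, joined TEXT)"
    )
    conn.execute("INSERT INTO users VALUES (1, 'newbie', 'Jersey', '2020-11-01')")
    conn.commit()
    return conn


def get_user(conn: sqlite3.Connection, user_id: int) -> dict:
    row = conn.execute(
        "SELECT username, location, joined FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    return {"username": row[0], "location": row[1], "joined": row[2]}


def update_profile_vulnerable(conn: sqlite3.Connection, user_id, form: dict) -> None:
    """Writes the request straight into SQL. Two flaws: every key in the form becomes a
    column assignment (mass assignment), and values are spliced into the query text
    (SQL injection), so a quote in the value can add assignments of its own."""
    assignments = ", ".join(f"{col} = '{val}'" for col, val in form.items())
    conn.execute(f"UPDATE users SET {assignments} WHERE id = {user_id}")
    conn.commit()


@dataclass
class ProfileUpdate:
    """The software-defined data object: it has a slot only for fields a user may edit.
    There is no 'joined' attribute, so nothing in a request can reach that column."""
    location: Optional[str] = None

    @classmethod
    def from_form(cls, form: dict) -> "ProfileUpdate":
        """Back-end validation: unknown keys are ignored, known ones are checked."""
        loc = form.get("location")
        if loc is not None:
            loc = loc.strip()
            if not 0 < len(loc) <= 64:
                raise ValueError("location must be 1-64 characters")
        return cls(location=loc)


def update_profile_safe(conn: sqlite3.Connection, user_id: int, update: ProfileUpdate) -> None:
    """Column names are fixed in code; values travel as bound parameters, never as SQL."""
    sets, params = [], []
    if update.location is not None:
        sets.append("location = ?")
        params.append(update.location)
    if not sets:
        return
    params.append(user_id)
    conn.execute(f"UPDATE users SET {', '.join(sets)} WHERE id = ?", params)
    conn.commit()


# Constructed malicious request: the location value closes the string literal and appends
# a second assignment; the extra 'joined' key targets the mass-assignment path.
ATTACK_FORM = {"location": "Jersey', joined = '2010-01-01", "joined": "2010-01-01"}


def demo():
    """Returns (join date after the vulnerable update, full row after the safe update)."""
    vuln = make_db()
    update_profile_vulnerable(vuln, 1, {"location": ATTACK_FORM["location"]})
    safe = make_db()
    update_profile_safe(safe, 1, ProfileUpdate.from_form(ATTACK_FORM))
    return get_user(vuln, 1)["joined"], get_user(safe, 1)


if __name__ == "__main__":
    print(demo())
```

Against the vulnerable handler the injected value rewrites `joined` to 2010; against the hardened one the same request stores the attack string as a harmless literal in `location` and leaves `joined` untouched. Note that the fix is the combination of a fixed column allowlist and bound parameters: parameters alone would not stop a request that names `joined` directly if the code accepted arbitrary keys.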


Fnord
Veteran


Joined: 6 May 2008
Age: 67
Gender: Male
Posts: 59,890
Location: Stendec

05 Jan 2021, 12:00 pm

madbutnotmad wrote:
... I have noticed (and i am not going to make it personal) but several of the users who recently joined over the last month or so, started off with a joined date stating a recent date, however, a few of them appear to have changed their starting dates to make it look like they have been members for 10 years plus...
Who exactly are these people, and why have you not reported them to the mods?


_________________
 
No love for Hamas, Hezbollah, Iranian Leadership, Islamic Jihad, other Islamic terrorist groups, OR their supporters and sympathizers.


Abstract_Logic
Veteran


Joined: 3 Dec 2008
Gender: Male
Posts: 580
Location: Here

05 Jan 2021, 10:44 pm

One way to check for this is to see how many posts they have. IIRC, viewing their profile allows you to see all their posts. So if you see that they've been here for over a decade but they only have posts dating back a few weeks, that could be a sign that they have somehow manipulated the database. Why anyone would do this, I have no idea. The only real 'kudos' you can get from being on here for that long is based on your reputation here, which in turn is based on the quality of your posts. It's also possible that there is a bug in the database software that causes the start dates to be changed somehow, and that these users had nothing directly to do with it.


_________________
Autistic (self-identified)
Open source, free software, and open knowledge geek
GoLang, Python, & SysAdmin aspirant
RPG enthusiast
Has OCD, social anxiety, CPTSD
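The consistency check described above, as an added example rather than anything from the thread or from the forum's software: it runs over a constructed users/posts table and flags accounts whose first post is far later than their join date. It also goes one step further than the post: a first post that predates the join date cannot happen without tampering or a bug, so the query reports that case too, as the stronger signal. The schema, the sample rows and the two-year threshold are assumptions for the demo.

```python
import sqlite3


def make_forum_db() -> sqlite3.Connection:
    """Constructed sample data: one long-time member, one genuine newcomer, one account
    whose join date is a decade before its first post, and one whose first post predates
    its join date."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, joined TEXT);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, user_id INTEGER, posted TEXT);
        INSERT INTO users VALUES
            (1, 'oldtimer', '2008-05-06'),
            (2, 'newbie',   '2020-11-01'),
            (3, 'suspect',  '2009-01-15'),
            (4, 'bugged',   '2021-06-01');
        INSERT INTO posts VALUES
            (1, 1, '2008-06-01'), (2, 1, '2020-12-01'),
            (3, 2, '2020-11-02'),
            (4, 3, '2020-12-20'), (5, 3, '2021-01-03'),
            (6, 4, '2021-01-10');
    """)
    return conn


def suspicious_join_dates(conn: sqlite3.Connection, max_gap_years: float = 2.0) -> list:
    """Return users whose earliest post is more than max_gap_years after their join date
    (weak signal: could be a lurker) or earlier than it (strong signal: impossible
    without a changed join date)."""
    rows = conn.execute("""
        SELECT u.username, u.joined, MIN(p.posted),
               (julianday(MIN(p.posted)) - julianday(u.joined)) / 365.25
        FROM users u JOIN posts p ON p.user_id = u.id
        GROUP BY u.id
        HAVING (julianday(MIN(p.posted)) - julianday(u.joined)) / 365.25 > ?
            OR (julianday(MIN(p.posted)) - julianday(u.joined)) < 0
        ORDER BY u.id
    """, (max_gap_years,)).fetchall()
    findings = []
    for username, joined, first_post, gap_years in rows:
        if gap_years < 0:
            reason = "first post before join date"
        else:
            reason = f"first post {gap_years:.1f} years after join"
        findings.append({"username": username, "joined": joined,
                         "first_post": first_post, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in suspicious_join_dates(make_forum_db()):
        print(f)
```

On the sample data this flags `suspect` (about twelve years between join and first post) and `bugged` (posted before it joined) and leaves the other two alone. A long gap alone is only a lead for the moderators to follow up, which is why the join-before-post case is reported separately.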


The_Walrus
Forum Moderator


Joined: 27 Jan 2010
Age: 29
Gender: Male
Posts: 8,811
Location: London

06 Jan 2021, 6:19 am

As always, madbutnotmad, please feel free to contact moderators in private with details of your observations.

It is probably safest not to make these accusations public until we can confirm them.