Only one or two trusted people have the password. htpasswd is outside of p开发者_StackOverflow社区ublic_html directory. The script in the protected folder contains un-sanitized inputs. Is SQL Injection possible, without the password?
Is SQL Injection possible, without the password?
Assuming your .htaccess and .htpasswd are actually yielding a screen for your user name and password, it is secure. If the combination of the user name and password isn't valid, Apache will return a HTTP 403: Forbidden header, which means the request has never been passed to PHP. That means your leaky scripts can't be executed without a valid user name and password.
The script in the protected folder contains un-sanitized inputs.
I think you should consider sanitising the inputs anyway, secured pages or not.
Regardless of the setup, you always, always, always handle data as if it's going to jump out of the monitor at any moment and SQL inject right into your heart. You don't ask whether it's possible under circumstances x, y and z, you always assume it is by default.
It doesn't even need to be malicious, any user input that contains a quote can mess up your queries if not handled properly, so you need to escape input regardless.
Just sanitize those inputs. I'm serious. A system is as strong as its weakest link; even if you trust those people you give access, there's always other attacks that people could utilize to get around this. A few possibilities:
- social engineering (the possibilities are endless here)
- network sniffing (especially when the site is served without SSL)
- vulnerabilities in the trusted user's browser or OS
- weak passwords
- compromised web server (if someone manages to delete the .htaccess file, all is lost)
- phishing
- DNS spoofing
SQL injection not possible on the htpasswd but there are other exploits. You have covered one with placing the file out of the web root but you should also prevent apache from serving these pages by adding this to your htaccess:
<Files ~ "^\.ht"> Order allow,deny Deny from all </Files>
SQL Injection is not possible because attacker without password won't be able to get through Apache at first place.
However, HTTP Basic Auth is subject to man-in-the-middle attack since the password can be easily intercepted (You might want to use HTTPS if it's a public website).
I don't think there is a way to circumvent the password protected directory if it's set up properly.
With Basic Authentication the password is commited in clear text, so if you don't use https and your people are using a proxy someone could get it there. User could also save the password in their browsers.
The SQL injection flow would be still here simply protected by the username/password wall.
You have to keep in mind that if you don't use SSL, the password/username would pass as clear text on the wire. Which means if any one can sniff that traffic they would get the username/password.
Also this don't protect you from a legitimate users trying some SQL injection on your application. You have to keep in mind that most attacks come from the inside.
I would be you, I would put the password as a quick fix but fix the SQL injection/input sanitation problem when you get some chances.
.htaccess won't save you from an injection.
Imagine a situation, when one of your trusted people gets a virus on his PC. Virus steels his password and gives it to the hacker. Hacker logs in and drops your database via SQL injection.
Even if this does not happen, always escape your queries, so users could use charecters like "'" in their queries safely.
SELECT `name` FROM `table` WHERE `name` = 'pub 'cosa blanca''; --SQL error
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论