Applescript - SQL Inject using CURL - PHP

Morning All,

Hope all is well?

I am having some trouble using CURL and PHP to update a SQL server.
It works, but at the same time doesnt work, Let me explain:

I wanted a way of passing all of my variables to the PHP script which then creates my SQL command and runs - This way I dont need to declare every variable and edit the script if/when I add new columns to my database. This works fine.

The bit I am having trouble with is the actual Applescript Quoted form of Url.
If I copy and paste the full web address it generates it works fine and updates my database. It doesnt seem to like it when Applescript runs the script - I think its something simple with the quoted form of

Please see Below Code:

APPLESCRIPT:


set urlPath to "My Web Address"
set sqlHeaders to "H1|H2|H3|H4|H5|H6"
set sqlValues to "V1|V2|V3|V4|V5|V6"

my updateSQL(sqlHeaders, sqlValues, urlPath)

on updateSQL(headers, values, urlPath)
	set idNumber to "5568"
	set preFix to "P"
	
	set myURL to urlPath & "update.php?id=" & idNumber & "&pref=" & preFix & "&header=" & headers & "&value=" & values
	try
		set checkit to (do shell script "curl -k " & quoted form of myURL)
	on error
		display dialog "Cannot connect to Database - Ensure you are connected via VPN if you're not on site"
		error number -128
	end try
end updateSQL

PHP SCRIPT:


<?php
//php errors//
  ini_set('display_errors', 1);
  ini_set('display_startup_errors', 1);
  error_reporting(E_ALL);

// Set login details to the DB
$username="USER";
$password="PASS";
$database="DB";
$sqlString="";

// Set variables from URL
$pref=$_REQUEST['pref'];
$id=$_REQUEST['id'];
$header=$_REQUEST['header'];
$value=$_REQUEST['value'];

// Setup Arrays for headers and values
$headerArray=explode("|",$header);
$valueArray=explode("|",$value);

// Generates the SQL string body
foreach($headerArray as $key => $content){
   $contentb = $valueArray[$key];
   $sqlString = $sqlString . $content." = '".$contentb. "', ";
}

	$sqlString = substr($sqlString, 0, -2);

//Set SQL
$sql = "UPDATE PF_Data SET " . $sqlString . " WHERE idNum = '$id' AND pref = '$pref'";

//Create connection
$conn = new mysqli('localhost',$username,$password,$database);

// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}

echo $sql ."<br />";

//Run the SQL
$result = $conn->query($sql);

?>

So in summary:
If I create my url address manually in the browser my PHP works
If I copy and paste the address given in the display dialog box from Applescript my PHP works.
If I let the script run the shell curl command it doesnt work.

Anyone have any idea why this might be?
Many Thanks in advance

Model: Macbook Pro
AppleScript: Xcode 8.2.1
Browser: Firefox 51.0
Operating System: Mac OS X (10.10)

What does it return? curl prints information to stdout as well so there could be carbage. The manual says that with the option ‘-s’ it won’t show a progress bar, have you tried that?

Did you include the URL scheme as well?

Im pretty sure I know whats causing it…
I need to encode the url to remove special characters such as spaces etc.
One of them is a date: ‘2017-06-14 12:35:00’
If I run the full script with the date formatted as ‘2017-06-14%2012:35:00’ it works fine.

SO all I need to do now is to research how to code it so that my script formats my string for to replace any special characters.

Thanks

:lol: That was my first idea I want to bring up. When sending arrays of data it’s much safer to use json and urlencode/base64 to send data in an URL. Both are supported by default in php.

But since you said it didn’t work with curl but with all other methods I assumed you tested with the same data :slight_smile:

Yeah im still learning PHP really… Im getting there though!

Heres the little bit of Applescript I used to get it working:
(Prob very crude and im sure theres a better way - As there always is!)


set specialChars to {"%", "&", " "}
set specialReplaceChars to {"%25", "%26", "%20"}
	
	repeat with i from 1 to (count of specialChars) in specialChars
		set values to my replaceText(values, item i of specialChars, item i of specialReplaceChars)
		display dialog values
	end repeat


to replaceText(someText, oldItem, newItem)
	
	set {tempTID, AppleScript's text item delimiters} to {AppleScript's text item delimiters, oldItem}
	
	try
		set {itemList, AppleScript's text item delimiters} to {text items of someText, newItem}
		set {someText, AppleScript's text item delimiters} to {itemList as text, tempTID}
	on error errorMessage number errorNumber -- oops
		set AppleScript's text item delimiters to tempTID
		error errorMessage number errorNumber -- pass it on
	end try
	
	return someText
end replaceText
	

It just loops through list one and replaces it with the item in the same position from list 2
And it works! …which is good lol :slight_smile:

Thanks

There is php on the command line of every mac you can use the URL encoder there too:

rawURLEncode("") --result:"%EF%A3%BF"
rawURLDecode("%EF%A3%BF") --result:""

on rawURLEncode(str)
   return do shell script "/bin/echo -n " & quoted form of str & " | php -r ' echo rawurlencode(fgets(STDIN)); '"
end rawURLEncode

on rawURLDecode(str)
   return do shell script "/bin/echo -n " & quoted form of str & " | php -r ' echo rawurldecode(fgets(STDIN)); '"
end rawURLDecode