NamePros.com > Discussion > Web Design & Development > Programming

#1  Porte (Senior Member, joined May 2005, 3,528 posts, Somewhere on earth!)  07-03-2005, 04:37 PM

PHP/MySQL Injection

Hello,

Please share which method you use, and why you think it's better than another, to prevent possible form attacks in PHP/MySQL.

Personally, I'd use some filter to ban SQL commands found within the input, or just check every string/number that comes out from GET/POST for any unexpected data.

Share yours now.

--Thanks for sharing.
#2  majinbuu1023 (Senior Member, joined Jan 2005, 3,759 posts, New Zealand)  07-03-2005, 05:46 PM

Put this on your site:
Code:
if you attack our PHP/MySQL we will sue you
Cheers
#3  Porte  07-03-2005, 07:04 PM

Crackers do not care what you put on your site, lol; that would turn them on.
#4  Virtua (Account Suspended, joined Jul 2005, 172 posts)  07-03-2005, 10:01 PM

Just run an anti-flooder on your server, and anti-DDoS... plus try to get the highest security in the PHP files and the MySQL database!! Don't make it like phpBB, the most easily hacked forum :P

Thanks
Virtua
#5  liam_d (The original NP Emo Kid, joined Jan 2005, 1,648 posts, Plymouth, UK)  07-04-2005, 01:33 AM

Make sure you always addslashes, do htmlentities and things like that.
#6  theparrot (NamePros Regular, joined Mar 2004, 638 posts)  07-04-2005, 02:25 AM

Quote:
Originally Posted by liam_d
Make sure you always addslashes, do htmlentities and things like that.

Don't use addslashes; that is actually a bad function, no idea why they have it.

Use mysql_real_escape_string and things like that instead.

Also be sure to have register_globals off, and check/convert them as needed from the $_GET and $_POST variables etc.
#7  liam_d  07-04-2005, 02:27 AM

Why is it a bad function? It stops errors when inserting and helps against SQLi.

But then you are right, use mysql_real_escape_string.
#8  theparrot  07-04-2005, 02:37 AM

Quote:
Originally Posted by liam_d
Why is it a bad function? It stops errors when inserting and helps against SQLi.

But then you are right, use mysql_real_escape_string.

Because it is never the right solution: you are escaping the string for use with programs and/or standards that have different rules, and addslashes will fail in special cases with almost all of them, yet it is used a lot since it is there and seems the easy one to remember for all. It would be best if it was gone; people would use urlencode, mysql_escape, dbx_escape, phsql_escape etc. as they should.
#9  Porte  07-04-2005, 05:10 AM

Guys, remember: if magic_quotes_gpc is turned On in the server's php.ini, it will automatically run addslashes(), so if we use addslashes while this is on, it will escape the string twice... err. It's always good, if you insist on using it, to do:

PHP Code:
if (!get_magic_quotes_gpc()) {
    $var = addslashes($var);
}

You just need to check if magic quotes are on or off on the server. Basically, if it's on, it will run addslashes... and I think it's a good option.

I agree with you about mysql_real_escape_string though; it seems to be the best so far. But any more functions we could use before this even? Just to increase security..

I have come up with something, and I need your opinions on it: I'll run checks on every input which I expect a string from and validate it against a banned array of words and characters, and if any is found, it will just exit the program and return an error.
Do you think it'll be effective / increase security?

I understand that it will prevent some input like ' ", but assuming that your system doesn't require any single/double quotes.

Just sharing..
Thanks for the ideas so far
#10  Porte  07-04-2005, 04:09 PM

Quote:
Originally Posted by Virtua
Just run an anti-flooder on your server, and anti-DDoS... plus try to get the highest security in the PHP files and the MySQL database!! Don't make it like phpBB, the most easily hacked forum :P

Thanks
Virtua

I am only on a shared host on the server ~ when you code then, you have to consider that settings in the php.ini file are either on or off.

And that's different from DDoS attacks on a server. I'm speaking about cracking into SQL and changing the SQL queries, then gaining permissions to delete/read/modify stuff in your database.

I do not think that phpBB is that easy for crackers ~ but no system is 100% secure; we do increase security ~ but we do not prevent cracking.

Thanks for your input
#11  i386 (NamePros Member, joined Oct 2003, 126 posts)  07-11-2005, 02:53 AM

If you want to set php.ini settings to something you want, just use ini_set().
#12  Peter (Senior Member, joined Nov 2003, 4,900 posts, Scotland)  07-11-2005, 04:10 AM

Not everything can be set using ini_set(), and some things can be changed but are pointless to change; for example, you can change register_globals in versions lower than 4.2.3, but there is no point, as it has already been implemented BEFORE the script executes.
#13  liam_d  07-11-2005, 04:11 AM

I have been reading up http://uk.php.net/manual/en/function...ape-string.php.

Do you do it like this?

PHP Code:
mysql_query("insert into `blah` set `blah1` = " . mysql_real_escape_string($_POST['blah']) . "");

Last edited by liam_d; 07-11-2005 at 04:15 AM.
#14  pratiknaik (Senior Member, joined Feb 2005, 1,197 posts, Lost somewhere in a stack of queues..)  07-11-2005, 04:15 AM

Installing mod_security would provide the solution at a higher level, and you won't need to bother about SQL injection/XSS attacks in your code.

http://modsecurity.org/

Thanks,
Pratik
#15  Peter  07-11-2005, 04:35 AM

Quote:
Originally Posted by liam_d
I have been reading up http://uk.php.net/manual/en/function...ape-string.php.

Do you do it like this?

PHP Code:
mysql_query("insert into `blah` set `blah1` = " . mysql_real_escape_string($_POST['blah']) . "");
Yes, that is correct; you should still use ` around the variable, like:


PHP Code:
mysql_query("insert into `blah` set `blah1` = `" . mysql_real_escape_string($_POST['blah']) . "`");
With your example, if you do not have anything after the mysql_real_escape_string($_POST['blah']) there is no need to have . ""; it's just making extra work for yourself.
#16  Porte  07-11-2005, 12:08 PM

I agree about the ini configuration thing: not everything can be changed. Some things are disabled/enabled on the host and you need to write your script considering both cases. Anyway, I think I'm still sticking to first-place form validation, like banning these characters from any input at first glance, such as ' " ; - ( ) and tags, any special characters that can lead to breaking a SQL query.. and I do not know how much this can help me, but logically, if PHP won't process the form until it's cleaned of these characters, then why use an extra security measure? Just sharing, and I would like some notes on this.
#17  axilant (Account Closed, joined May 2004, 2,194 posts, /etc/passwd)  07-12-2005, 02:49 PM

At the top of your MySQL-enabled pages:

PHP Code:
$SQLInjectionRegex = '/[\'")]* *[oO][rR] *.*(.)(.) *= *\\2(?:--)?\\1?/';
// preg_grep returns the $_REQUEST entries that match; any match aborts the page
$sqlinjectattempt = preg_grep($SQLInjectionRegex, $_REQUEST);
if ($sqlinjectattempt) {
    die("SQL injection attempt!");
}

Last edited by axilant; 07-12-2005 at 02:54 PM.
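Added example, not code from any of the posts above: the defences proposed in this thread run side by side against constructed inputs, so the gaps they leave are visible rather than argued. It covers the banned-character list from #9 and #16, the "or x=x" regex from #17, and the quoting/escaping of a concatenated value from #13 and #15, and puts a prepared statement next to them. It is PHP, but uses PDO with an in-memory SQLite database instead of the ext/mysql functions the thread uses (mysql_* was removed in PHP 7), so it runs with a plain php binary and no server; the SQL rules it relies on (single quotes delimit strings, backticks delimit identifiers, "-- " starts a comment, a non-zero integer is true) are the same in MySQL. Every function name, the users table and its two rows are this example's own, not the thread's.

```php
<?php
// Added example (not from the thread). PDO + in-memory SQLite stand in for the
// ext/mysql API of 2005; the quoting rules used here hold for MySQL as well.
// All names and sample rows are this example's own.
declare(strict_types=1);

function make_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, secret TEXT NOT NULL)');
    $pdo->exec("INSERT INTO users (name, secret) VALUES ('alice', 'token-a'), ('O''Brien', 'token-b')");
    return $pdo;
}

// #9/#16: reject input holding any of ' " ; - ( ) or tag brackets. true = rejected.
function banned_chars_filter(string $s): bool {
    return preg_match('/[\'";()\-<>]/', $s) === 1;
}

// #17: the posted regex, applied to one value. true = rejected.
function or_regex_filter(string $s): bool {
    $re = '/[\'")]* *[oO][rR] *.*(.)(.) *= *\\2(?:--)?\\1?/';
    return preg_match($re, $s) === 1;
}

// #13/#15: the value is pasted into the SQL text. $quote is the delimiter the
// author put around it: "'" (a string literal), '`' (an identifier, as in #15)
// or '' (none, as in #13, and the only option for a numeric column). With
// $escape the embedded quote is doubled, which SQLite and MySQL both accept as
// an escaped quote (mysqli_real_escape_string writes a backslash instead,
// which SQLite would not understand).
function names_concat(PDO $pdo, string $value, string $quote, bool $escape, string $column = 'name'): array {
    $literal = ($escape && $quote === "'") ? str_replace("'", "''", $value) : $value;
    $sql = "SELECT name FROM users WHERE $column = $quote$literal$quote";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// The alternative nobody in the thread mentions: the value never touches the SQL text.
function names_prepared(PDO $pdo, string $value): array {
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute([$value]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function demo(): array {
    $pdo = make_db();
    $out = [];

    // 1. A legitimate name is thrown away by the banned list; a prepared query handles it as data.
    $out['obrien_rejected_by_banlist'] = banned_chars_filter("O'Brien");   // true
    $out['obrien_prepared']            = names_prepared($pdo, "O'Brien");  // ["O'Brien"]

    // 2. The classic tautology is caught by both filters, and correct quoting
    //    plus escaping neutralises it without any filter.
    $taut = "' OR 'a'='a";
    $out['tautology_filters'] = [banned_chars_filter($taut), or_regex_filter($taut)]; // [true, true]
    $out['tautology_escaped'] = names_concat($pdo, $taut, "'", true);                  // []

    // 3. Numeric context: no quote to escape, no banned character, no "x=x"
    //    for the regex; "1 OR 1" is true for every row.
    $num = '1 OR 1';
    $out['numeric_filters']   = [banned_chars_filter($num), or_regex_filter($num)];  // [false, false]
    $out['numeric_dumps_all'] = names_concat($pdo, $num, '', true, 'id');             // ["alice", "O'Brien"]

    // 4. UNION: the regex sees no "x=x" and lets it through; unescaped, the
    //    secret column comes back; escaped, it is just a string nobody is named.
    $union = "x' UNION SELECT secret FROM users -- ";
    $out['union_regex']     = or_regex_filter($union);                // false
    $out['union_unescaped'] = names_concat($pdo, $union, "'", false); // the two secrets
    $out['union_escaped']   = names_concat($pdo, $union, "'", true);  // []

    // 5. #15's backticks turn the value into a column name: the query errors
    //    out (MySQL reports an unknown column), and a value naming a real
    //    column would compare that column with itself instead of with the input.
    try {
        names_concat($pdo, "O'Brien", '`', true);
        $out['backtick'] = 'ran';
    } catch (PDOException $e) {
        $out['backtick'] = 'error: ' . $e->getMessage();
    }
    return $out;
}

print_r(demo());
```

Run it with php on the command line. The banned list rejects O'Brien while the prepared statement returns that row; 1 OR 1 in a numeric WHERE id = ... passes both filters and returns every row, because there is no quote to escape and nothing for mysql_real_escape_string to act on, which is the catch in #9's "any more functions we could use before this"; the UNION payload has no x=x for #17's regex and, unescaped, returns the secret column; and the backticks from #15 make the value an identifier, so the query fails. mysql_real_escape_string (mysqli_real_escape_string today) does protect a value inside single quotes, as the escaped UNION case shows, but only in that context; a prepared statement needs no filter at all.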