PHP/MySQL Injection

#1 (thread starter) - Senior Member, Join Date: May 2005, Location: I'm right here, Posts: 3,526

Hello,

Please share which method you use, and why you think it's better than another, to prevent possible form attacks in PHP/MySQL.

Personally, I'd use some filter to ban SQL commands found within the input. Or just check every string/number that comes from GET/POST and contains any unexpected data.

Share yours now,

--Thanks for sharing.
#2 - Senior Member, Join Date: Jan 2005, Location: New Zealand, Posts: 3,747

Put this on your site:

Code:
    if attack our php/mySQL we will sue you

__________________
WowHumor.net - Funny World of Warcraft Pictures
#5 - The original NP Emo Kid, Join Date: Jan 2005, Location: Plymouth, UK, Posts: 1,693

Make sure you always addslashes, doing htmlentities and things like that.

__________________
Gaming On Linux - Because Linux is Fun!
#6 - NamePros Regular, Join Date: Mar 2004, Posts: 633

Don't use addslashes, that is actually a bad function, no idea why they have it. Use mysql_real_escape_string and things like that instead. Also be sure to have register_globals off, and check/convert them as needed from _GET and _POST variables etc.

__________________
Need a break? Check out TheDamnBlog.com
Free $6.95 directi accounts at Directi Name Bin
Instant free $8.95 eNom accounts at Dncube.com
#7 - The original NP Emo Kid, Join Date: Jan 2005, Location: Plymouth, UK, Posts: 1,693

Why is it a bad function? It stops errors when inserting and helps against SQLi. But then you are right, use mysql_real_escape_string.

__________________
Gaming On Linux - Because Linux is Fun!
#8 - NamePros Regular, Join Date: Mar 2004, Posts: 633

__________________
Need a break? Check out TheDamnBlog.com
Free $6.95 directi accounts at Directi Name Bin
Instant free $8.95 eNom accounts at Dncube.com
#9 (thread starter) - Senior Member, Join Date: May 2005, Location: I'm right here, Posts: 3,526

Guys remember, if magic_quotes_gpc is turned On in the php.ini file of the server, it will automatically run addslashes(), so if we used addslashes while this setting is on, it will escape the string twice...err. It's always good, if you insist on using it, to do:

PHP Code:
    // Only escape by hand when PHP has not already done it for us
    if (!get_magic_quotes_gpc()) {
        $var = addslashes($var);
    }

You just need to check if magic quotes are on or off on the server. Basically, if it's on, it will run addslashes...and I think it's a good option.

I agree with you about mysql_real_escape_string though, it seems to be the better one so far. But any more functions we could use before this even? Just to increase security...

I have come up with something, and I need your opinions on it: I'll run checks on every input which I expect a string from and validate it against a banned array of words and characters, and if any are found, it will just exit the program and return an error. Do you think it'll be effective/increase security? I understand that it will prevent some input like ' ", but assuming that your system doesn't require any single/double quotes. Just sharing...

Thanks for the ideas so far

__________________
WP Theme Developer
Your One-stop for Premium Magazine/CMS WordPress Themes
Deluxe Themes
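The double-escaping described in post #9 (and the addslashes vs. mysql_real_escape_string point from #6), shown as an added example that is not code from any poster in this thread. It is written against the PHP 4/5 setup of the time: get_magic_quotes_gpc() was removed in PHP 7.4 and the mysql_* functions in PHP 7.0, so the escape_once() helper is illustrative of that era, while the demo function runs on any PHP version. The $link connection handle and the "O'Brien" value are assumptions.

```php
<?php
// Added example (not from the thread). Shows why stacking addslashes() on
// top of magic_quotes_gpc corrupts data, and how to escape exactly once.

// Undo the escaping PHP applied automatically when magic_quotes_gpc is On,
// so the script always starts from the raw value the user submitted.
function raw_input($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Escape exactly once for use inside a quoted MySQL string literal.
// $link is an open mysql connection (assumed); mysql_real_escape_string()
// honours the connection's character set, which addslashes() cannot.
function escape_once($value, $link)
{
    return mysql_real_escape_string(raw_input($value), $link);
}

// Demonstration with a constructed value standing in for $_POST['name'],
// simulating a server where magic_quotes_gpc is On.
function demo_double_escape($submitted)
{
    $as_received = addslashes($submitted); // what $_POST holds with magic quotes On: O\'Brien
    return array(
        'received'       => $as_received,
        // naive addslashes on top: O\\\'Brien, so a stray backslash lands in the table
        'double_escaped' => addslashes($as_received),
        // normalise first, then escape once: O\'Brien, stored correctly as O'Brien
        'escaped_once'   => addslashes(stripslashes($as_received)),
    );
}

print_r(demo_double_escape("O'Brien"));
```

Whatever escaping function is used, the rule is the same: normalise to the raw value first, then escape once at the point where the value enters a query. Today the preferred replacement for escaping altogether is a prepared statement via mysqli or PDO, which keeps user data out of the query text entirely.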
#10 (thread starter) - Senior Member, Join Date: May 2005, Location: I'm right here, Posts: 3,526

And that's different to DDoS attacks on a server. I'm speaking about cracking into SQL and changing the SQL query, then gaining permissions to delete/read/modify stuff from your database. I do not think that phpBB is that easy for crackers ~ but no system is 100% secure; we do increase security ~ but we do not prevent cracking.

Thanks for your input

__________________
WP Theme Developer
Your One-stop for Premium Magazine/CMS WordPress Themes
Deluxe Themes
#12 - NamePros Expert, Join Date: Nov 2003, Location: Scotland, Posts: 5,069

Not everything can be set using ini_set(), and some things can be changed but are pointless changing; for example you can change register_globals in versions lower than 4.2.3, but there is no point as it has already been applied BEFORE the script executes.
#13 - The original NP Emo Kid, Join Date: Jan 2005, Location: Plymouth, UK, Posts: 1,693

I have been reading up on http://uk.php.net/manual/en/function...ape-string.php. Do you do it like this?

PHP Code:

__________________
Gaming On Linux - Because Linux is Fun!

Last edited by liam_d; 07-11-2005 at 05:15 AM.
#14 - Senior Member, Join Date: Feb 2005, Location: Lost somewhere in a stack of queues.., Posts: 1,200

Installing mod_security would provide the solution at a higher level and you won't need to bother about SQL injection/XSS attacks in your code. http://modsecurity.org/

Thanks,
Pratik

__________________
Ruby on Rails Developer - http://m.onkey.org
#15 - NamePros Expert, Join Date: Nov 2003, Location: Scotland, Posts: 5,069

PHP Code:
#16 (thread starter) - Senior Member, Join Date: May 2005, Location: I'm right here, Posts: 3,526

I agree about the ini configuration thing; not everything can be changed. Some things are disabled/enabled on the host and you need to write your script considering both cases.

Anyway, I think I'm still sticking to first-place form validation, like banning these characters from any input at first glance, such as ' " ; - ( ) and tags, any special characters that can lead to breaking an SQL query. I do not know how much this can help me, but logically, if PHP won't process the form until it's cleaned of these characters, then why use extra security measures? Just sharing, and I would like some notes on this.

__________________
WP Theme Developer
Your One-stop for Premium Magazine/CMS WordPress Themes
Deluxe Themes
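The character-banning approach proposed in #9 and #16, set beside what the mysql_real_escape_string advice in #6 is really aiming at, as an added example that is not code from any poster in the thread. It validates each field against what it is supposed to contain (an allow-list rather than a blocklist) and then passes the value to MySQL as a bound parameter, so the query text never contains user input. It uses mysqli prepared statements (PHP 5 and later); the users table, its columns and the connection credentials are placeholders.

```php
<?php
// Added example (not from the thread): allow-list validation plus a
// prepared statement, the combination that removes the need for a blocklist.

// Accept only what the field is supposed to contain; null means "rejected".
function validate_user_id($value)
{
    // A numeric id is usually not quoted in SQL, so stripping quote
    // characters does nothing for it; checking that it IS a number is what
    // protects it. ctype_digit("") is false, so empty input is rejected too.
    if (!is_int($value) && !is_string($value)) {
        return null;
    }
    return ctype_digit((string) $value) ? (int) $value : null;
}

function validate_username($value)
{
    // Letters, digits and underscore, 3-32 characters. A blocklist of
    // ' " ; - ( ) would also reject legitimate names such as O'Brien; an
    // allow-list states what is acceptable and rejects everything else.
    if (!is_string($value) || !preg_match('/^[A-Za-z0-9_]{3,32}$/', $value)) {
        return null;
    }
    return $value;
}

// Look up a user with a bound parameter: the value travels separately from
// the SQL text, so the server cannot mistake data for query syntax.
function find_user(mysqli $db, $username)
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username);   // 's' = bind as a string
    $stmt->execute();
    $stmt->bind_result($id, $name);
    $row = $stmt->fetch() ? array('id' => $id, 'username' => $name) : null;
    $stmt->close();
    return $row;
}

// Glue: validate first, and do not touch the database on rejected input.
function handle_lookup(mysqli $db, array $post)
{
    $name = isset($post['username']) ? validate_username($post['username']) : null;
    if ($name === null) {
        return null;   // reject with an error page; nothing reaches MySQL
    }
    return find_user($db, $name);
}

// Constructed sample inputs standing in for $_POST, to show the validators.
$samples = array('alice_01', "O'Brien", 'bad;name', '42', '42abc', '');
foreach ($samples as $s) {
    printf("%-10s username:%-10s id:%s\n", var_export($s, true),
        var_export(validate_username($s), true),
        var_export(validate_user_id($s), true));
}

// Placeholder connection; replace with real credentials to run the lookup.
// $db = new mysqli('localhost', 'dbuser', 'dbpass', 'appdb');
// $user = handle_lookup($db, $_POST);
```

The validators answer the question raised in #16: a ban on specific characters protects only the quoted-string contexts those characters affect, and it has to guess which characters matter. Type and format checks reject malformed input before any query is built, and the bound parameter makes the query correct even for fields (such as a real name) where a quote character is legitimate.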
#17 - Account Closed, Join Date: May 2004, Location: /etc/passwd, Posts: 2,178

At the top of your MySQL-enabled pages:

PHP Code:

Last edited by axilant; 07-12-2005 at 03:54 PM.