#1 (permalink) - Senior Member

PHP/MySQL Injection

Hello, please share which method you use, and why you think it's better than another to prevent possible form attacks in PHP/MySQL? Personally, I'd use some filter to ban SQL commands found within the input. Or just check every string/number that comes from GET/POST and contains any unexpected data. Share yours now. Thanks for sharing.

#6 (permalink) - NamePros Regular

Don't use addslashes; that is actually a bad function, no idea why they have it. Use mysql_real_escape_string and things like that instead. Also be sure to have register globals off, and check/convert them as needed from _GET and _POST variables etc.

#9 (permalink) - Senior Member

Guys, remember: if magic_quotes_gpc is turned On in the php.ini file of the server, it will automatically run addslashes(), so if we used addslashes while this setting is on, it will escape the string twice... err. It's always good, if you insist on using it, to do:

if (!get_magic_quotes_gpc()) { $var = addslashes($var); }

You just need to check if magic quotes are on or off on the server. Basically, if it's on, it will run addslashes... and I think it's a good option. I agree with you about mysql_real_escape_string though; it seems to be the better one so far. But any more functions we could use before this even? Just to increase security... I have come up with something, and I need your opinions on it: I'll run checks on every input which I expect a string from and validate it against a banned array of words and characters, and if any are found, it will just exit the program and return an error. Do you think it'll be effective/increase security? I understand that it will prevent some input like ' ", but assuming that your system doesn't require any single/double quotes. Just sharing... Thanks for the ideas so far.

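As an added example (not code from any post in this thread), here is the double-escaping problem from the post above worked through, with the input normalised so it is escaped exactly once, and a prepared statement as the stronger alternative. It uses mysqli, the successor of the mysql_real_escape_string function discussed here (the mysql_* functions were removed in PHP 7); the connection details and the `users` table are assumptions.

```php
<?php
// Added example: normalise request data so it is escaped exactly once whatever
// magic_quotes_gpc is set to, then prefer a prepared statement over escaping.
// Uses mysqli (the mysql_* functions in the thread were removed in PHP 7);
// the connection details and the users table are assumptions.
// Reverse magic_quotes_gpc if the server applied it. The feature went away in
// PHP 5.4 and the function in PHP 8, so the call is guarded.
function undo_magic_quotes(array $input): array
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        foreach ($input as $key => $value) {
            $input[$key] = is_array($value) ? undo_magic_quotes($value) : stripslashes($value);
        }
    }
    return $input;
}

// Escape one value for use inside single quotes, honouring the connection charset.
function sql_quote(mysqli $db, string $value): string
{
    return "'" . $db->real_escape_string($value) . "'";
}

// Prepared statement: the value travels separately from the SQL text,
// so no escaping decision is needed at all.
function find_user_id(mysqli $db, string $name): ?int
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($id);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $id : null;
}

$db   = new mysqli('localhost', 'app', 'app-password', 'appdb'); // assumed
$post = undo_magic_quotes($_POST);
$name = $post['name'] ?? '';

// The double escaping the thread warns about: with magic quotes on, O'Brien
// arrives as O\'Brien, and addslashes() on top of that yields O\\\'Brien,
// which MySQL stores as O\'Brien (stray backslash) instead of O'Brien.
$doubled = addslashes("O\\'Brien");

// Escaped once, after normalisation, the value is safe to interpolate.
$sql = 'SELECT id FROM users WHERE name = ' . sql_quote($db, $name);
// Preferred: no SQL string building at all.
$id = find_user_id($db, $name);
```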
#10 (permalink) - Senior Member

And that's different from DDoS attacks on a server. I'm speaking about cracking into SQL and changing SQL queries, then gaining permissions to delete/read/modify stuff from your database. I do not think that phpBB is that easy for crackers, but no system is 100% secure; we do increase security, but we do not prevent cracking. Thanks for your input.

#12 (permalink) - Senior Member

Not everything can be set using ini_set(), and some things can be changed but are pointless to change; for example, you can change register_globals in versions lower than 4.2.3, but there is no point, as it has already been implemented BEFORE the script executes.

#13 (permalink) - The original NP Emo Kid

I have been reading up on http://uk.php.net/manual/en/function...ape-string.php. Do you do it like this?

PHP Code:

Last edited by liam_d; 07-11-2005 at 04:15 AM.

#14 (permalink) - Senior Member

Installing mod_security would provide the solution at a higher level, and you won't need to bother about SQL injection/XSS attacks in your code. http://modsecurity.org/

Thanks, Pratik

#16 (permalink) - Senior Member

I agree about the ini configuration thing; not everything you can change. Some things are disabled/enabled on the host, and you need to write your script considering both cases. Anyway, I think I'm still sticking to first-place form validation, like banning these characters from any input at first glance, such as ' " ; - ( ) and tags, any special characters that can lead to breaking an SQL query. I do not know how much this can help me, but logically, if PHP won't process the form until it's cleaned of these characters, then why use extra security measures? Just sharing, and I would like some notes on this.

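An added example (not from the thread) of the alternative to the character blacklist in the post above: validating each field against a positive description of what it should contain, which does not reject ordinary values such as names with apostrophes or hyphens. The field names and their rules are assumptions made for the example.

```php
<?php
// Added example (not code from the thread): validate each field against what
// it should look like (a whitelist) instead of banning characters (a blacklist).
// Field names and rules are assumptions made for the example.

// The blacklist from the post above: reject ' " ; - ( ) and tag brackets.
function blacklist_ok(string $value): bool
{
    return !preg_match('/[\'";()\-<>]/', $value);
}

// Whitelist: each field gets a positive rule; anything else is an error.
function validate(array $input): array
{
    $errors = [];
    $clean  = [];

    // numeric id: digits only, and at least 1
    if (!isset($input['id']) || !ctype_digit($input['id']) || (int) $input['id'] < 1) {
        $errors['id'] = 'id must be a positive integer';
    } else {
        $clean['id'] = (int) $input['id'];
    }

    // username: 3 to 20 letters, digits or underscores
    if (!isset($input['user']) || !preg_match('/^[A-Za-z0-9_]{3,20}$/', $input['user'])) {
        $errors['user'] = 'user must be 3-20 word characters';
    } else {
        $clean['user'] = $input['user'];
    }

    // display name: letters, spaces, apostrophes and hyphens are legitimate here
    if (!isset($input['name']) || !preg_match('/^[\p{L} \'\-]{1,60}$/u', $input['name'])) {
        $errors['name'] = 'name contains unexpected characters';
    } else {
        $clean['name'] = $input['name'];
    }

    return ['clean' => $clean, 'errors' => $errors];
}

// Constructed sample: a perfectly ordinary name the blacklist would throw out.
$sample = ['id' => '42', 'user' => 'obrien_7', 'name' => "Mary O'Brien-Smith"];

var_dump(blacklist_ok($sample['name']));  // the blacklist rejects this legitimate name
var_dump(validate($sample)['errors']);    // the whitelist rules accept every field

// Validation narrows what reaches the query; the query should still bind
// the values (prepared statement) rather than trust them.
```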
#17 (permalink) - Account Closed

At the top of your MySQL-enabled pages:

PHP Code:

Last edited by axilant; 07-12-2005 at 02:54 PM.
