PHP/MySQL Injection

Porte · 07-03-2005, 05:37 PM

Hello,

Please share which method you use, and why you think its better than another to prevent possible form attacks in php/mysql?

Personally, I'd use some filter to ban SQL commands found within the input. Or just check every string/number that comes out from GET/POST and contains any unexpected data.

share yours now,

--Thanks for sharing.

majinbuu1023 · 07-03-2005, 06:46 PM

put this on your site

Code:

if attack our php/mySQL we will sue you

Cheers

Porte · 07-03-2005, 08:04 PM

Crackers do not care what you put on your site lol that would turn them on.

Virtua · 07-03-2005, 11:01 PM

just run anti-flodder in your server, and anit-ddos ... + try to get the highest security in files of php and mysql database !! Dont make it like phpBB the easiest hacked forum

Thanks
Virtua

liam_d · 07-04-2005, 02:33 AM

Make sure you always addslashes doing htmlentities and things like that.

theparrot · 07-04-2005, 03:25 AM

Originally Posted by liam_d

Make sure you always addslashes doing htmlentities and things like that.

????: NamePros.com http://www.namepros.com/programming/103873-php-mysql-injection.html
Don't use addslashes, that is actually a bad function, no idea why they have it.

Use mysql_real_escape_string and things like that instead.

Also be sure to have register globals off, and check/converty them as needed from _GET and _POST variables etc.

liam_d · 07-04-2005, 03:27 AM

why is it a bad function, it stops errors when inserting and helps against sqli.

but then you are right use mysql_real_escape_string

theparrot · 07-04-2005, 03:37 AM

Originally Posted by liam_d

why is it a bad function, it stops errors when inserting and helps against sqli.
????: NamePros.com http://www.namepros.com/showthread.php?t=103873

but then you are right use mysql_real_escape_string

because it is never the right solution, you are escaping the string for use with programs and/or standards that have different rules, addslashes will fail in special cases with almost all of them, yet it is used a lot since it is there and seems the easy one to remember for all. It would be best if it was gone, people would use urlencode, mysql_escape, dbx_escape, phsql_escape etc as they should.

Porte · 07-04-2005, 06:10 AM

Guys remember, if the magic_quotes_gpc is turned On in the php.ini file of the server, it will automatically run addslashes() , so if we used addslashes while this function is on, It will escape the string twice...err It always good If you insist about using it to do:

if (!get_magic_quotes_gpc()) {
????: NamePros.com http://www.namepros.com/showthread.php?t=103873
addslahes($var);
}

Just you need to check if magic quotes are on or off on the server. Basically, if its on , it will run addslashes...and I think its a good option.

I agree with you about mysql_real_escape_string though, it seems to be the better so far. But any more functions we could use before this even? just to increase security..

I have came up with something, and I need your opinions on it, its that i'll run checks on every input which i expect a string from and validate it against a banned array of words and characters , and if any found, it will just exit the program and return error.
Do you think it'll be effective/increasing security?

I understand that it will prevent some input like ' " , but assuming that your system doesn't require any single / double quotes.

Just sharing..
Thanks for the ideas so far

Porte · 07-04-2005, 05:09 PM

Originally Posted by Virtua

just run anti-flodder in your server, and anit-ddos ... + try to get the highest security in files of php and mysql database !! Dont make it like phpBB the easiest hacked forum

Thanks
Virtua

I am only taking a shared host on the server ~ when you code then, you have to consider that settings in the php.ini file are either on or off.

And that's different to DDOS attacks to a server. I'm speaking about cracking into SQL and changing SQL querying then gaining permissions to delete/read/modify stuff from your database.

I do not think that phpBB is that easy for crackers ~ but every system is not 100% secure, we do increase security ~ but we do not prevent cracking.
????: NamePros.com http://www.namepros.com/showthread.php?t=103873

Thanks for your input

i386 · 07-11-2005, 03:53 AM

If you want to set php.ini settings to something you want, just use ini_set().

Peter · 07-11-2005, 05:10 AM

not everything can be set using ini_set() and some things can be changed but are pointless changing, for example you can change register_globals in versions lower than 4.2.3 but there is no point as it has already implemented BEFORE the script executes.

liam_d · 07-11-2005, 05:11 AM

I have been reading up http://uk.php.net/manual/en/function...ape-string.php.

Do you do it like this?

PHP Code:

  mysql_query("insert into `blah` set `blah1` = " . mysql_real_escape_string($_POST['blah']) . "");

pratiknaik · 07-11-2005, 05:15 AM

Installing mod_security would provide the solution at higher level and you won't need to bother about SQL Injection/XSS attacks in your code.

http://modsecurity.org/

Thanks,
Pratik

Peter · 07-11-2005, 05:35 AM

Originally Posted by liam_d

I have been reading up http://uk.php.net/manual/en/function...ape-string.php.

Do you do it like this?

PHP Code:

  mysql_query("insert into `blah` set `blah1` = " . mysql_real_escape_string($_POST['blah']) . "");

yes that is correct you sould still use ` around the variable like:-
????: NamePros.com http://www.namepros.com/showthread.php?t=103873

PHP Code:

  mysql_query("insert into `blah` set `blah1` = `" . mysql_real_escape_string($_POST['blah']) . "`");

with your example if you do not have anything after the mysql_real_escape_string($_POST['blah']) there is no need to have . "" its just making extra work for yourself.

Porte · 07-11-2005, 01:08 PM

I agree about the ini configuration thing, not everything you can change. Some things are disabled / enabled on host and you need to write your script considering both cases. Anyway, I think I'm still sticking to the first place form validation like banning these characters from any input at first glance such ' " ; - ( ) and tags, any special characters that can lead to breaking a sql query..and I do not know how much this can help me, but logically if PHP won't process the form until its cleaned from these characters then why use extra security measure, just sharing and I would like some notes on this.

axilant · 07-12-2005, 03:49 PM

at top of your mysql enabled pages:

PHP Code:

  $SQLInjectionRegex = '/[\'")]* *[oO][rR] *.*(.)(.) *= *\\2(?:--)?\\1?/';

$sqlinjectattempt = preg_grep($SQLInjectionRegex, $_REQUEST);

????: NamePros.com http://www.namepros.com/showthread.php?t=103873
if($sqlinjectattempt==true)

{

    die("SQL injection attempt!");

}

07-03-2005, 05:37 PM	THREAD STARTER #1 (permalink)
Porte Senior Member Join Date: May 2005 Location: I'm right here Posts: 3,526	PHP/MySQL Injection Hello, Please share which method you use, and why you think its better than another to prevent possible form attacks in php/mysql? Personally, I'd use some filter to ban SQL commands found within the input. Or just check every string/number that comes out from GET/POST and contains any unexpected data. share yours now, --Thanks for sharing.

07-03-2005, 06:46 PM	#2 (permalink)
majinbuu1023 Senior Member Join Date: Jan 2005 Location: New Zealand Posts: 3,747	put this on your site Code: if attack our php/mySQL we will sue you Cheers __________________ WowHumor.net - Funny World of Warcraft Pictures

07-04-2005, 02:33 AM	#5 (permalink)
liam_d The original NP Emo Kid Join Date: Jan 2005 Location: Plymouth, UK Posts: 1,693 Follow @upurtweet	Make sure you always addslashes doing htmlentities and things like that. __________________ Gaming On Linux - Because Linux is Fun!

07-04-2005, 03:27 AM	#7 (permalink)
liam_d The original NP Emo Kid Join Date: Jan 2005 Location: Plymouth, UK Posts: 1,693 Follow @upurtweet	why is it a bad function, it stops errors when inserting and helps against sqli. but then you are right use mysql_real_escape_string __________________ Gaming On Linux - Because Linux is Fun!

07-04-2005, 06:10 AM	THREAD STARTER #9 (permalink)
Porte Senior Member Join Date: May 2005 Location: I'm right here Posts: 3,526	Guys remember, if the magic_quotes_gpc is turned On in the php.ini file of the server, it will automatically run addslashes() , so if we used addslashes while this function is on, It will escape the string twice...err It always good If you insist about using it to do: if (!get_magic_quotes_gpc()) { ????: NamePros.com http://www.namepros.com/showthread.php?t=103873 addslahes($var); } Just you need to check if magic quotes are on or off on the server. Basically, if its on , it will run addslashes...and I think its a good option. I agree with you about mysql_real_escape_string though, it seems to be the better so far. But any more functions we could use before this even? just to increase security.. I have came up with something, and I need your opinions on it, its that i'll run checks on every input which i expect a string from and validate it against a banned array of words and characters , and if any found, it will just exit the program and return error. Do you think it'll be effective/increasing security? I understand that it will prevent some input like ' " , but assuming that your system doesn't require any single / double quotes. Just sharing.. Thanks for the ideas so far __________________ WP Theme Developer Your One-stop for Premium Magazine/CMS WordPress Themes Deluxe Themes

07-03-2005, 08:04 PM	THREAD STARTER #3 (permalink)
Porte Senior Member Join Date: May 2005 Location: I'm right here Posts: 3,526	Crackers do not care what you put on your site lol that would turn them on.

07-03-2005, 11:01 PM	#4 (permalink)
Virtua Account Suspended Join Date: Jul 2005 Posts: 172	just run anti-flodder in your server, and anit-ddos ... + try to get the highest security in files of php and mysql database !! Dont make it like phpBB the easiest hacked forum Thanks Virtua

07-11-2005, 03:53 AM	#11 (permalink)
i386 NamePros Member Join Date: Oct 2003 Posts: 126	If you want to set php.ini settings to something you want, just use ini_set().

07-11-2005, 05:10 AM	#12 (permalink)
Peter NamePros Expert Join Date: Nov 2003 Location: Scotland Posts: 5,069	not everything can be set using ini_set() and some things can be changed but are pointless changing, for example you can change register_globals in versions lower than 4.2.3 but there is no point as it has already implemented BEFORE the script executes.

07-11-2005, 05:11 AM	#13 (permalink)
liam_d The original NP Emo Kid Join Date: Jan 2005 Location: Plymouth, UK Posts: 1,693 Follow @upurtweet	I have been reading up http://uk.php.net/manual/en/function...ape-string.php. Do you do it like this? PHP Code: mysql_query("insert into `blah` set `blah1` = " . mysql_real_escape_string($_POST['blah']) . ""); __________________ Gaming On Linux - Because Linux is Fun! Last edited by liam_d; 07-11-2005 at 05:15 AM.

07-11-2005, 05:15 AM	#14 (permalink)
pratiknaik Senior Member Join Date: Feb 2005 Location: Lost somewhere in a stack of queues.. Posts: 1,200	Installing mod_security would provide the solution at higher level and you won't need to bother about SQL Injection/XSS attacks in your code. http://modsecurity.org/ Thanks, Pratik __________________ Ruby on Rails Developer - http://m.onkey.org

07-11-2005, 01:08 PM	THREAD STARTER #16 (permalink)
Porte Senior Member Join Date: May 2005 Location: I'm right here Posts: 3,526	I agree about the ini configuration thing, not everything you can change. Some things are disabled / enabled on host and you need to write your script considering both cases. Anyway, I think I'm still sticking to the first place form validation like banning these characters from any input at first glance such ' " ; - ( ) and tags, any special characters that can lead to breaking a sql query..and I do not know how much this can help me, but logically if PHP won't process the form until its cleaned from these characters then why use extra security measure, just sharing and I would like some notes on this. __________________ WP Theme Developer Your One-stop for Premium Magazine/CMS WordPress Themes Deluxe Themes

07-12-2005, 03:49 PM	#17 (permalink)
axilant Account Closed Join Date: May 2004 Location: /etc/passwd Posts: 2,178	at top of your mysql enabled pages: PHP Code: `$SQLInjectionRegex = '/[\'")]* [oO][rR] .(.)(.) = \\2(?:--)?\\1?/'; $sqlinjectattempt = preg_grep($SQLInjectionRegex, $_REQUEST); ????: NamePros.com http://www.namepros.com/showthread.php?t=103873 if($sqlinjectattempt==true) { die("SQL injection attempt!"); }` Last edited by axilant; 07-12-2005 at 03:54 PM.*

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Build your own php/mysql web database	xacto	Content For Sale	0	07-03-2005 08:47 AM
Help needed with personal project. PHP/MySql programming and layouts!	QBert	Website Development	3	11-09-2004 11:52 AM
$1,000-project in PHP/mySQL	Artashes	Web Development Wanted	1	09-29-2004 03:08 AM
Experienced php/mysql coder [FOR HIRE] Low prices!	matrixnet	For Sale / Advertising Board	0	04-12-2004 01:09 PM
[hiring] php/mysql website monitoring script	armstrong	Scripts For Sale	4	11-08-2003 11:10 AM