
mysql security ?


11 replies to this topic

#1 garyed

garyed

    Advanced Member

  • Members
  • 79 posts

Posted 25 January 2014 - 10:42 AM

I have a few questions regarding mainly sql injection. 

 I have three basic queries on my database :

$table1 = "first_table";
$input1 = $_POST['input1'];   // the id to look up (user supplied)
$input2 = $_POST['input2'];   // the column to read from the matching row (user supplied)
$result = mysql_query("select * from $table1 where id='$input1' ");
$result_array = mysql_fetch_array($result);
$answer = $result_array[$input2];

I run the same query on about 12 different tables and I have about 50 to a hundred different inputs all together.

I'm not worried about if the user inputs incorrect data as much as I am any harmful sql injection.

I've done a little research on mysql_real_escape_string and I saw this idea but I'm not sure how to implement it:

$input_data = array_map('mysql_real_escape_string', $_POST);

Any ideas welcome



#2 Ch0cu3r

Ch0cu3r

    Advanced Member

  • Moderators
  • 2,303 posts

Posted 25 January 2014 - 11:18 AM

Using mysqli with prepared queries would be better.



#3 garyed

garyed

    Advanced Member

  • Members
  • 79 posts

Posted 25 January 2014 - 04:45 PM

I'm trying to understand this stuff. It's funny how easy it is once you understand it but getting to that point isn't always easy.

For now what I've done is just use mysql_real_escape_string on every possible input on every mysql_query command.



#4 Psycho

Psycho

    Advanced Member

  • Gurus
  • 10,814 posts
  • LocationCanada

Posted 25 January 2014 - 08:23 PM

mysql_real_escape_string() is for string data. Based upon your usage, the user provided value is an ID. If that ID is an integer, then use intval(). Always use the right method of escaping data.


The quality of the responses received is directly proportional to the quality of the question asked.

I do not always test the code I provide, so there may be some syntax errors. In 99% of all cases I found the solution to your problem here: http://www.php.net

#5 garyed

garyed

    Advanced Member

  • Members
  • 79 posts

Posted 26 January 2014 - 11:45 AM

mysql_real_escape_string() is for string data. Based upon your usage, the user provided value is an ID. If that ID is an integer, then use intval(). Always use the right method of escaping data.

Does that mean mysql_real_escape_string() will not be secure or just that it will not prevent someone from entering a non number? I was thinking of using javascript to check for valid numbers & pop up a warning before the form is entered. The page will not work correctly without javascript enabled so my only concern is some malicious hacker turning off javascript and doing some damage to the database.   



#6 kicken

kicken

    Wiser? Not exactly.

  • Gurus
  • 2,709 posts
  • LocationBonita, FL

Posted 26 January 2014 - 12:00 PM

Does that mean mysql_real_escape_string() will not be secure or just that it will not prevent someone from entering a non number?


mysql_real_escape_string() would still be fine for a number, intval() is just a common quick alternative for numeric parameters like IDs. It won't prevent anyone from submitting a non-numerical value, you would have to do that validation separately if you want to check for it.
Recycle your old CD's, don't trash them!
Did I help you out?  Feeling generous? I accept tips via Paypal or Bitcoin @ 14mDxaob8Jgdg52scDbvf3uaeR61tB2yC7

#7 garyed

garyed

    Advanced Member

  • Members
  • 79 posts

Posted 26 January 2014 - 03:11 PM

mysql_real_escape_string() would still be fine for a number, intval() is just a common quick alternative for numeric parameters like IDs. It won't prevent anyone from submitting a non-numerical value, you would have to do that validation separately if you want to check for it.

Thanks,

I'm just trying to add some protection to the databases for right now until I learn how to do prepared statements. I haven't been able to comprehend them yet. After reading about sql injection I got a little nervous knowing my databases were totally unprotected until now. So for now I used mysql_real_escape_string() on any input that is used in any mysql_query, even dropdown menu inputs. I don't know how anyone could alter a drop down menu input but I heard it is possible.



#8 kicken

kicken

    Wiser? Not exactly.

  • Gurus
  • 2,709 posts
  • LocationBonita, FL

Posted 26 January 2014 - 03:21 PM

I don't know how anyone could alter a drop down menu input but i heard it is possible.


By using any of the browser's debugging tools like Firebug, chrome console, etc. Or by just saving the form, editing the HTML to change it, then submit it.

#9 Ch0cu3r

Ch0cu3r

    Advanced Member

  • Moderators
  • 2,303 posts

Posted 26 January 2014 - 03:46 PM

 

I don't know how anyone could alter a drop down menu input but i heard it is possible.

To see how easy it is to do this, open any webpage with a drop down menu and paste this into the browser's console (usually via F12):

document.getElementsByTagName('select')[0].options[0].text = 'bad'; document.getElementsByTagName('select')[0].options[0].value = 'bad';

It will find the first dropdown on the page and override the first option. When the dropdown is submitted this value will now be submitted, not the value you defined in the html.


Edited by Ch0cu3r, 26 January 2014 - 03:47 PM.
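An added example (not code from anyone in this thread) showing how the query from post #1 looks once the advice in this thread is applied: a mysqli prepared statement instead of string interpolation, intval-style casting for the numeric id, and a server-side whitelist for the column name, since post #9 shows a dropdown value can be anything the client chooses. It assumes an open mysqli connection in $db, a table first_table, and the hypothetical column names in $allowedColumns; get_result() needs the mysqlnd driver.

```php
<?php
// Added example: the lookup from post #1 without any user input inside the SQL text.
// Assumptions (not from the thread): $db is a connected mysqli object, the table is
// first_table, and the dropdown's legitimate values are the names in $allowedColumns.

$allowedColumns = array('name', 'email', 'price');   // hypothetical column names

function lookupField(mysqli $db, array $post, array $allowedColumns)
{
    // 1. The id is numeric: cast it. Non-numeric input becomes 0 and simply
    //    matches no row; it can never alter the structure of the query.
    $id = isset($post['input1']) ? (int) $post['input1'] : 0;
    if ($id <= 0) {
        return null;
    }

    // 2. The second input chooses a column. Coming from a dropdown does not make
    //    it trustworthy, so compare it strictly against a fixed server-side list.
    $column = isset($post['input2']) ? $post['input2'] : '';
    if (!in_array($column, $allowedColumns, true)) {
        return null;
    }

    // 3. Prepared statement: the SQL text is constant and the id is bound as an
    //    integer parameter, so no escaping function is needed at all.
    $stmt = $db->prepare('SELECT * FROM first_table WHERE id = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // requires mysqlnd
    $stmt->close();

    if ($row === null || !array_key_exists($column, $row)) {
        return null;
    }
    return $row[$column];
}

$answer = lookupField($db, $_POST, $allowedColumns);
```

The same function can be reused for each of the other tables by passing the table's own whitelist of column names; the table name itself stays a constant in the SQL rather than a variable.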


#10 garyed

garyed

    Advanced Member

  • Members
  • 79 posts

Posted 27 January 2014 - 09:54 AM

Wow, I didn't know it could be that easy. Now I'm starting to worry about the form action field. I used to use echo $_SERVER['PHP_SELF'] but started just leaving the action field blank. I guess that's another place a hacker can get to.



#11 Psycho

Psycho

    Advanced Member

  • Gurus
  • 10,814 posts
  • LocationCanada

Posted 27 January 2014 - 11:33 AM

NEVER trust ANYTHING coming from a user. This includes the global vars $_POST, $_GET, $_COOKIE. Even $_SERVER has some values that can be spoofed. Plus, don't assume a user can't directly access a file because they don't know the name. If you have any files that are only included in other files which are within the public folders of a site, you need to ask yourself what would happen if a user was to access the file directly. Any files with sensitive information should be stored outside the public folder. For example, if the root of your site points to a folder called 'mysite', then put files that are included one level up. E.g.

|-mysite (root of the site: www.mysite.com)
|   |-aboutus
|   |-contactus
|   |-ourproducts
|
|-includes (not within the accessible root)
|-classes (not within the accessible root)


Edited by Psycho, 27 January 2014 - 11:36 AM.


#12 ben_1uk

ben_1uk

    Advanced Member

  • Members
  • 62 posts

Posted 31 January 2014 - 07:17 AM

Thanks,

I'm just trying to add some protection to the databases for right now until I learn how to do prepared statements. I haven't been able to comprehend them yet. After reading about sql injection I got a little nervous knowing my databases were totally unprotected until now. So for now I used mysql_real_escape_string() on any input that is used in any mysql_query, even dropdown menu inputs. I don't know how anyone could alter a drop down menu input but I heard it is possible.

 

Hi garyed,

 

I'm in a similar situation to yourself where I have become concerned about the security of my SQL database. Would you mind providing an example of the mysql_real_escape_string you have implemented on a mysql_query command? I too am trying to get my head around this stuff but with next to no PHP development experience, it's proving challenging! Looking at your above example, I'm not sure if my database works in exactly the same way as yours, but perhaps the same principle could be applied.

 

Thank you.





