rarebit (Author) Posted May 7, 2008
Since everyone seems to be asking about injection attacks, I thought I'd ask about this one I found earlier today. It's in PDF format from www.milw0rm.com, entitled "Uncommon SQL Injection". Is there a standard way to combat this (I'm about to reread, so...), e.g. not allowing SQL commands (probably surrounded by spaces, but allowed within other words)?
DarkWater Posted May 7, 2008
mysql_real_escape_string. It'll escape any harmful things in a query. =/
rarebit (Author) Posted May 7, 2008
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a. They're technically not harmful characters, but SQL functions use them in a special way. See the latter part of that document. Admittedly there are only a few situations, and in my case most can be caught with intval, but I'm wondering whether to write up a regex/strstr function, or whether one might already exist?
benphp Posted May 7, 2008
You can set your pages up to accept form values only from your IP address. I think that would fix this kind of attack.

    <?php
    if ($_SERVER['REMOTE_ADDR'] == $myip) {
        // allow variables.
    }
    ?>

That sort of thing. I'm sure there are other ways to do it.
rarebit (Author) Posted May 7, 2008
Here's an example:

    www.site.com/news.asp?ArticleID=-1+UNION+SELECT+1,2,3+FROM+INFORMATION_SCHEMA.TABLES--

It's not an 'HTTP_REFERER' issue! Is that an XSS or CSRF issue?
DarkWater Posted May 7, 2008
If you use mysql_real_escape_string, the QUERY WON'T INJECT ANYTHING AND IT'LL ESCAPE EVERYTHING. =/ That "paper" can only take advantage of non-sanitized inputs. =/
rarebit (Author) Posted May 7, 2008
Just ran a test and it didn't sanitise it!

    $s = "-1+UNION+SELECT+1,2,3+FROM+INFORMATION_SCHEMA.TABLES--";
    print "::".mysql_real_escape_string($s)."::<br>";

This one conformed though...

    $s = "' OR ''='";
    print "::".mysql_real_escape_string($s)."::<br>";
DarkWater Posted May 7, 2008
Did you try it in a query? No. It wouldn't break the query, or else mysql_real_escape_string would have caught it.
rarebit (Author) Posted May 7, 2008
TBH, I can't get it to work even without passing it through mysql_real_escape_string, lol
Demonic Posted May 7, 2008
use sprintf
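The disagreement in the posts above (escaping "catches everything" versus the UNION payload passing through untouched) comes down to where the value lands in the query. The following is an added example, not code from the thread or from any poster; it uses Python with an in-memory SQLite database instead of PHP/MySQL so it runs offline. The `escape()` helper doubles single quotes (SQLite's convention) where mysql_real_escape_string would add a backslash; the mechanism differs but the lesson is the same. The `news` and `users` tables and their rows are constructed sample data, and the `users` table stands in for whatever an attacker would pull out via INFORMATION_SCHEMA or a UNION.

```python
import sqlite3


def make_db():
    """Constructed sample database: a public news table plus a users table
    that the article lookup must never expose."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO news VALUES (1, 'Hello', 'first post');
        INSERT INTO news VALUES (2, 'World', 'second post');
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, pwhash TEXT);
        INSERT INTO users VALUES (1, 'admin', 'deadbeef');
    """)
    return con


def escape(s):
    """Quote escaping in the spirit of mysql_real_escape_string.
    SQLite escapes a quote by doubling it; MySQL uses a backslash.  Either
    way it only neutralises characters that would END a quoted string.  It
    knows nothing about SQL keywords such as UNION or SELECT."""
    return s.replace("'", "''")


# --- Vulnerable: integer column, value dropped in UNQUOTED -------------------
def article_unquoted(con, article_id):
    # Escaping is applied, but the payload contains no quote to escape, so
    # the string reaches the parser unchanged and is read as SQL.
    sql = "SELECT id, title, body FROM news WHERE id = %s" % escape(article_id)
    return con.execute(sql).fetchall()


# --- String column, quoted: escaping does its job here ----------------------
def article_by_title_unescaped(con, title):
    sql = "SELECT id, title, body FROM news WHERE title = '%s'" % title
    return con.execute(sql).fetchall()


def article_by_title_escaped(con, title):
    sql = "SELECT id, title, body FROM news WHERE title = '%s'" % escape(title)
    return con.execute(sql).fetchall()


# --- Fixes for the numeric case --------------------------------------------
def article_int(con, article_id):
    # intval / sprintf('%d') style: the value is forced to be an integer.
    # Python's int() rejects junk with ValueError; PHP's intval() would
    # silently return -1 for the payload below, which is also harmless.
    sql = "SELECT id, title, body FROM news WHERE id = %d" % int(article_id)
    return con.execute(sql).fetchall()


def article_param(con, article_id):
    # Bound parameter: the driver hands the value to the engine separately,
    # so it can never be parsed as part of the statement.
    sql = "SELECT id, title, body FROM news WHERE id = ?"
    return con.execute(sql, (article_id,)).fetchall()


# Constructed payloads mirroring the two strings tested in the thread.
UNION_PAYLOAD = "-1 UNION SELECT id, name, pwhash FROM users--"
QUOTE_PAYLOAD = "' OR ''='"


def demo():
    con = make_db()
    out = {}
    out["unquoted_union"] = article_unquoted(con, UNION_PAYLOAD)
    out["quoted_unescaped"] = article_by_title_unescaped(con, QUOTE_PAYLOAD)
    out["quoted_escaped"] = article_by_title_escaped(con, QUOTE_PAYLOAD)
    try:
        article_int(con, UNION_PAYLOAD)
        out["int_cast"] = "accepted"
    except ValueError:
        out["int_cast"] = "rejected"
    out["param"] = article_param(con, UNION_PAYLOAD)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Running it shows `unquoted_union` returning the admin row from `users` even though the value went through `escape()`, `quoted_unescaped` returning every article while `quoted_escaped` returns none, and both the integer cast and the bound parameter refusing the UNION payload. The general rule: escaping protects a value inside quotes; anything interpolated bare (numbers, column names, ORDER BY direction) needs a type check or whitelist, and a prepared statement covers the value case for both.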