Orionsbelter (Posted July 23, 2008):
I keep getting people using MYSQL INJECTION on my website, but I have over 300 scripts and it could be most of them. Is there any way I can find out which script it is? I tried asking them but they are not very helpful.
Link: https://forums.phpfreaks.com/topic/116174-mysql-injection/

unkwntech (Posted July 23, 2008):
Well, just secure all of them. Add this to the top of all the pages with SQL on them:

    // Escape every request value; needs an open MySQL connection.
    $_GET = array_map('mysql_real_escape_string', $_GET); // or $_POST if you use POST

Orionsbelter (Author, Posted July 23, 2008):
You joking? Oh, I've been going through all the pages and adding it to each $_POST. Grrrrrr :@ Thanks mate.

MasterACE14 (Posted July 23, 2008):
It's a long and repetitive task, but someone's got to do it.

unkwntech (Posted July 23, 2008):
If you have access to change settings in the PHP ini (which you usually can, call your host), then set 'magic_quotes_gpc 1' and you won't need to do this.

Orionsbelter (Author, Posted July 23, 2008):
So all I need to do is go on the php.ini, which I can, and set that?

unkwntech (Posted July 23, 2008):
Yes, you can read up on it here: http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc

Kairu (Posted July 23, 2008):
You could always create a script to add that to the top of every script.

MasterACE14 (Posted July 23, 2008):
> If you have access to change settings in the PHP ini (which you usually can, call your host), then set 'magic_quotes_gpc 1' and you won't need to do this.
That's a dodgy fix. I believe magic quotes are going in PHP 6 anyway. So secure your scripts. No need to be lazy, even if it is 300 files to change.

unkwntech (Posted July 23, 2008):
lol I was doing something like that today, only I was removing something from 387 different scripts.

unkwntech (Posted July 23, 2008):
> > If you have access to change settings in the PHP ini (which you usually can, call your host), then set 'magic_quotes_gpc 1' and you won't need to do this.
> That's a dodgy fix. I believe magic quotes are going in PHP 6 anyway. So secure your scripts. No need to be lazy, even if it is 300 files to change.
This is correct. In the short term, to stop the SQL injection, set the PHP setting, BUT also secure your scripts.

MadTechie (Posted July 23, 2008):
Turning magic quotes on will only reduce the risk; it won't stop people using all types of SQL injection. Plus it could cause other problems. I find magic quotes a nightmare.

waynew (Posted July 23, 2008):
Use mysql_real_escape_string or hang up your boots.

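For the opening question (which of the 300 scripts to look at first), here is an added example that is not part of the original thread: a Python triage scanner that lists lines where `$_GET`/`$_POST` data reaches a query without `mysql_real_escape_string` or an integer cast. The regexes, function names and sample scripts are assumptions constructed for illustration.

```python
import re
from pathlib import Path

REQ = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"
SUPERGLOBAL = re.compile(REQ)
# Request data wrapped directly in an escaping call or integer cast counts as handled.
HANDLED = re.compile(
    r"(?:mysql_real_escape_string|intval)\s*\(\s*" + REQ + r"[^)]*\)|\(int\)\s*" + REQ)
SQL_HINT = re.compile(
    r"mysql_query\s*\(|SELECT\b.+\bFROM\b|INSERT\s+INTO|UPDATE\b.+\bSET\b|DELETE\s+FROM",
    re.I)
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=(?!=)\s*(.*)")

def scan_source(text):
    """Return [(line_no, line)] for SQL-looking lines fed by unescaped request data."""
    tainted, findings = set(), []
    for no, line in enumerate(text.splitlines(), 1):
        m = ASSIGN.match(line)
        expr = m.group(2) if m else line
        dirty = bool(SUPERGLOBAL.search(HANDLED.sub("", expr))) or any(
            re.search(re.escape(v) + r"\b", expr) for v in tainted)
        if m:  # remember which variables carry raw request data forward
            (tainted.add if dirty else tainted.discard)(m.group(1))
        if dirty and SQL_HINT.search(line):
            findings.append((no, line.strip()))
    return findings

def scan_tree(root):
    """Map each .php file under root to its findings, skipping clean files."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_source(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample scripts (hypothetical, not taken from the thread).
SAMPLES = {
    "news.php": '''<?php
$id = $_GET['id'];
$res = mysql_query("SELECT * FROM news WHERE id = $id");
''',
    "login.php": '''<?php
$user = mysql_real_escape_string($_POST['user']);
$sql = "SELECT id FROM users WHERE name = '$user'";
mysql_query($sql);
''',
    "cart.php": '''<?php
mysql_query("DELETE FROM cart WHERE item = '" . $_POST['item'] . "'");
''',
}
```

Treat the output as a review order only: the line-based heuristic misses data passed through functions or includes, so a file with no findings is not thereby shown to be safe.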