is this secure?


jamesxg1

<?php
# database connection scripts 
# the next 4 lines you can modify 
$dbhost = 'localhost'; 
$dbusername = 'root'; 
$dbpasswd = ''; 
$database_name = 'share'; 

#under here, don't touch! 
$connection = mysql_connect("$dbhost","$dbusername","$dbpasswd") 
    or die ("Couldn't connect to server."); 
$db = mysql_select_db("$database_name", $connection) 
    or die("Couldn't select database."); 

if(!get_magic_quotes_gpc())
{
  $_GET = array_map('mysql_real_escape_string', $_GET); 
  $_POST = array_map('mysql_real_escape_string', $_POST); 
  $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}
else
{  
   $_GET = array_map('stripslashes', $_GET); 
   $_POST = array_map('stripslashes', $_POST); 
   $_COOKIE = array_map('stripslashes', $_COOKIE);
   $_GET = array_map('mysql_real_escape_string', $_GET); 
   $_POST = array_map('mysql_real_escape_string', $_POST); 
   $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}

?>

 

This is my database connection script. Would you say this was secure? If not, what would I need to make it more secure?

 

Many thanks

 

James.


Actually, I didn't know there are secure and non-secure connections.

 

I connect to the database using this only...

 

$con=mysql_connect("$connection", "$name", "$pass"); 
mysql_select_db("$database", $con); 

 

Does that mean it is not secure!


Actually, I didn't know there are secure and non-secure connections.

 

I connect to the database using this only...

 

$con=mysql_connect("$connection", "$name", "$pass"); 
mysql_select_db("$database", $con); 

 

Does that mean it is not secure!

 

 

No, but every page I have in my project requires this script, so I need it pretty tight on security, if you know what I mean?


Really depends on what you're doing on your site.

 

There is no one quick fix/magic bullet when it comes to security!

 

If your question is whether this will stop SQL injection from POST, GET, or COOKIEs, then yes, it will most probably stop all injections entered via POST, GET, or COOKIEs.

 


Really depends on what you're doing on your site.

 

There is no one quick fix/magic bullet when it comes to security!

 

If your question is whether this will stop SQL injection from POST, GET, or COOKIEs, then yes, it will most probably stop all injections entered via POST, GET, or COOKIEs.

 

Yes, that's basically all I need to know :) thank you.


<?php
# database connection scripts 
# the next 4 lines you can modify 
$dbhost = 'localhost'; 
$dbusername = 'root'; 
$dbpasswd = ''; 
$database_name = 'share'; 

#under here, don't touch! 
$connection = mysql_connect("$dbhost","$dbusername","$dbpasswd") 
    or die ("Couldn't connect to server."); 
$db = mysql_select_db("$database_name", $connection) 
    or die("Couldn't select database."); 

if(!get_magic_quotes_gpc())
{
  $_GET = array_map('mysql_real_escape_string', $_GET); 
  $_POST = array_map('mysql_real_escape_string', $_POST); 
  $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}
else
{  
   $_GET = array_map('stripslashes', $_GET); 
   $_POST = array_map('stripslashes', $_POST); 
   $_COOKIE = array_map('stripslashes', $_COOKIE);
   $_GET = array_map('mysql_real_escape_string', $_GET); 
   $_POST = array_map('mysql_real_escape_string', $_POST); 
   $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}

?>

 

This is my database connection script. Would you say this was secure? If not, what would I need to make it more secure?

 

Many thanks

 

James.

 

I don't believe that array_map used at the top-level will work on request data that is itself an array (checkbox results, for example).  I use the following function, which I got from someone else on here:

 

<?php
function clean($value)
{
	if (is_array($value))
	{
		foreach($value as $k => $v)
		{
			$value[$k] = clean($v);
		}
	}
	else
	{
		if(get_magic_quotes_gpc() == 1)
		{
			$value = stripslashes($value);
		}

		$value = trim(htmlspecialchars($value, ENT_QUOTES, "utf-8")); //convert input into friendly characters to stop XSS
		$value = mysql_real_escape_string($value);
	}
   
	return $value;
}
?>

 

Other than that, make sure you validate incoming data...a name, for instance, shouldn't contain an integer.


array_map does work properly in that code; test it if you don't believe me.

 

Code using just mysql_real_escape_string() won't prevent sql injection with numeric data, only string data (which is why mysql_real_escape_string() is called what it is.) Numeric data must be validated or cast as numeric because it is possible to inject sql using hex (which is automatically treated as a string) without using quotes in it.


Numeric data must be validated or cast as numeric because it is possible to inject sql using hex (which is automatically treated as a string) without using quotes in it.

Things like this are why I like using MySQLi and its prepared statements.

 

So MySQLi protects against that then?


Numeric data must be validated or cast as numeric because it is possible to inject sql using hex (which is automatically treated as a string) without using quotes in it.

Things like this are why I like using MySQLi and its prepared statements.

 

So MySQLi protects against that then?

 

With prepared statements, type is enforced.  You can see how to construct them here: http://us.php.net/manual/en/mysqli.prepare.php

 

And, the kind of datatypes it accepts here: http://us.php.net/manual/en/mysqli-stmt.bind-param.php

 

Prepared statements are also automatically escaped, so you don't need to run something like mysql_real_escape_string().
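As an added example (not code from the thread or any poster), here is the connection script rebuilt on MySQLi prepared statements, covering both points raised above: the numeric id is validated and bound as an integer rather than escaped, and the string is bound as a parameter so no mysql_real_escape_string() call is needed. It assumes the mysqli extension, a users table with id and name columns, and placeholder credentials.

```php
<?php
// Added example, not the thread's script: MySQLi prepared statements in place of
// mysql_* plus escaping. Table "users" (id, name) and the credentials are assumed.
$dbhost        = 'localhost';
$dbusername    = 'root';   // placeholder: use a least-privilege account in practice
$dbpasswd      = '';       // placeholder
$database_name = 'share';

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);  // throw instead of die()
$db = new mysqli($dbhost, $dbusername, $dbpasswd, $database_name);
$db->set_charset('utf8mb4');

// Numeric input is validated, not escaped: escaping only touches quote characters,
// and an unquoted number (or a hex literal) contains none.
function validate_id($raw)
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return ($id === false) ? null : $id;   // "42" -> 42; "42abc", "0x2A" -> null
}

// bind_param('i') sends the id as an integer, separately from the SQL text,
// so the driver enforces the type; nothing the client sends can change the query.
function find_user(mysqli $db, $raw_id)
{
    $id = validate_id($raw_id);
    if ($id === null) {
        return null;                       // fail closed on anything non-numeric
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = ? LIMIT 1');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($found_id, $found_name);
    $row = $stmt->fetch() ? ['id' => $found_id, 'name' => $found_name] : null;
    $stmt->close();
    return $row;
}

// Strings are bound as 's': quotes inside $name are data, never SQL, so no
// mysql_real_escape_string() call is needed (HTML escaping belongs at output time).
function user_id_by_name(mysqli $db, $name)
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = ? LIMIT 1');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($found_id);
    $id = $stmt->fetch() ? $found_id : null;
    $stmt->close();
    return $id;
}
```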


Prepared statements are also automatically escaped, so you don't need to run something like mysql_real_escape_string().

 

Wow I didn't realize prepared statements are auto escaped! Thanks for the links as well!

 

Would this work?

 

<?php
# database connection scripts 
# the next 4 lines you can modify 
$dbhost = 'localhost'; 
$dbusername = 'root'; 
$dbpasswd = ''; 
$database_name = 'share'; 

#under here, don't touch! 
$connection = mysql_connect("$dbhost","$dbusername","$dbpasswd") 
    or die ("Couldn't connect to server."); 
$db = mysql_select_db("$database_name", $connection) 
    or die("Couldn't select database."); 

if(!get_magic_quotes_gpc())
{
  $_GET = array_map('mysql_real_escape_string', $_GET); 
  $_POST = array_map('mysql_real_escape_string', $_POST); 
  $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}
else
{  
   $_GET = array_map('stripslashes', $_GET); 
   $_POST = array_map('stripslashes', $_POST); 
   $_COOKIE = array_map('stripslashes', $_COOKIE);
   $_GET = array_map('mysql_real_escape_string', $_GET); 
   $_POST = array_map('mysql_real_escape_string', $_POST); 
   $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}
function clean($value)
{
    if (is_array($value))
    {
        foreach($value as $k => $v)
        {
            $value[$k] = clean($v);
        }
    }
    else
    {
        if(get_magic_quotes_gpc() == 1)
        {
            $value = stripslashes($value);
        }

        $value = trim(htmlspecialchars($value, ENT_QUOTES, "utf-8")); 
        $value = mysql_real_escape_string($value);
    }

    return $value;
}

?>


Prepared statements are also automatically escaped, so you don't need to run something like mysql_real_escape_string().

 

Wow I didn't realize prepared statements are auto escaped! Thanks for the links as well!

 

Would this work?

 

<?php
# database connection scripts 
# the next 4 lines you can modify 
$dbhost = 'localhost'; 
$dbusername = 'root'; 
$dbpasswd = ''; 
$database_name = 'share'; 

#under here, don't touch! 
$connection = mysql_connect("$dbhost","$dbusername","$dbpasswd") 
    or die ("Couldn't connect to server."); 
$db = mysql_select_db("$database_name", $connection) 
    or die("Couldn't select database."); 

if(!get_magic_quotes_gpc())
{
  $_GET = array_map('mysql_real_escape_string', $_GET); 
  $_POST = array_map('mysql_real_escape_string', $_POST); 
  $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}
else
{  
   $_GET = array_map('stripslashes', $_GET); 
   $_POST = array_map('stripslashes', $_POST); 
   $_COOKIE = array_map('stripslashes', $_COOKIE);
   $_GET = array_map('mysql_real_escape_string', $_GET); 
   $_POST = array_map('mysql_real_escape_string', $_POST); 
   $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}
function clean($value)
{
    if (is_array($value))
    {
        foreach($value as $k => $v)
        {
            $value[$k] = clean($v);
        }
    }
    else
    {
        if(get_magic_quotes_gpc() == 1)
        {
            $value = stripslashes($value);
        }

        $value = trim(htmlspecialchars($value, ENT_QUOTES, "utf-8")); 
        $value = mysql_real_escape_string($value);
    }

    return $value;
}

?>

 

Change it around to:

 

<?php
function clean($value)
{
    if (is_array($value))
    {
        foreach($value as $k => $v)
        {
            $value[$k] = clean($v);
        }
    }
    else
    {
        if(get_magic_quotes_gpc() == 1)
        {
            $value = stripslashes($value);
        }

        $value = trim(htmlspecialchars($value, ENT_QUOTES, "utf-8")); 
        $value = mysql_real_escape_string($value);
    }

    return $value;
}

# database connection scripts 
# the next 4 lines you can modify 
$dbhost = 'localhost'; 
$dbusername = 'root'; 
$dbpasswd = ''; 
$database_name = 'share'; 

#under here, don't touch! 
$connection = mysql_connect("$dbhost","$dbusername","$dbpasswd") 
    or die ("Couldn't connect to server."); 
$db = mysql_select_db("$database_name", $connection) 
    or die("Couldn't select database."); 

$_POST = clean($_POST);
$_GET = clean($_GET);
$_COOKIE = clean($_COOKIE);
?>
