
SQL Injection issue


KellyJ


Hello,

 

I have a video game site - mostly vBulletin which is fine but there are a few extra bits to the site that I have done myself.

 

I'm pretty new to PHP so my code isn't great.

 

Anyway, I wanted to test my code for SQL Injection but I looked on Google and most of the tools seemed to come from hacker sites etc., which I'm not downloading.

 

I eventually found an addon for Firefox called SQL Inject Me and ran that. It said everything was alright but when I checked my MySQL tables they were full of junk code it had inserted.

 

One of my pages doesn't even have any visible fields. It's just a page with a voting submit button and some hidden fields so how does it inject the code into the tables?

 

The insert page code is:

 

<?php
// Connect and select the database (legacy mysql_* extension, as posted).
$db = mysql_connect("localhost", "username", "password");
mysql_select_db("thedatabase", $db);

// Escape each POSTed value before it is placed in a query string.
$ipaddress = mysql_real_escape_string($_POST['ipaddress']);
$theid     = mysql_real_escape_string($_POST['theid']);
$gamert    = mysql_real_escape_string($_POST['gamert']);
$serveron  = mysql_real_escape_string($_POST['serveron']);

// Has this IP address already voted?
$check  = mysql_query("select * from voting2 where ipaddress='$ipaddress'");
$ipname = mysql_fetch_assoc($check);

if ($ipname['ipaddress'] == $ipaddress) {
    echo 'It appears you have already voted. Click <a href="vote.php">here</a> to return to the votes.';
} else {
    // Record the vote.
    mysql_query("INSERT INTO voting2 (theid,ipaddress,gamert,serveron2)
                 VALUES ('$theid','$ipaddress','$gamert','$serveron')");
    echo 'Your vote has been added. Click <a href="vote.php">here</a> to view the updated totals.';
}

 

How can I make it safer against SQL injection?

 

Thanks


Hidden fields are only 'hidden' in that they don't appear on screen.  They're still visible in your source code.  Also, mysql_real_escape_string is only part of the battle.  You still need to validate incoming data.

 

So what's the best way to do this?

 

Yeah, and I think the 'junk' values are just what it will be using as it tests the forms - doesn't necessarily mean it's open to SQL injections.

 

This is correct but how do you stop bots filling your tables with crap then? Anything put into your tables will then be displayed on the site.


You validate according to the kind of data you expect.  Is a field only supposed to contain numbers?  Check to see if it does.  If not, display an error.  Is a field supposed to contain letters and certain particular non-alphanumeric characters?  Use regex to enforce the format and display an error for incoming data that doesn't comply.

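The advice above (escape, then validate each field by its expected type) applied to the vote page from the first post. This is an added example, not the original poster's code or the replies' own code; the table and column names (voting2, theid, ipaddress, gamert, serveron2) come from the thread, while the allowed formats for gamert and serveron, the use of PDO prepared statements, and taking the address from $_SERVER instead of a hidden field are assumptions.

```php
<?php
// Added example: the vote insert with PDO prepared statements plus
// per-field validation. Allowed formats below are assumed, not from the thread.

function validateVote(array $post): array
{
    $errors = [];

    // theid: must be a positive integer ("1 OR 1=1" is rejected, not escaped).
    $theid = filter_var($post['theid'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($theid === false) { $errors[] = 'theid must be a positive integer'; }

    // gamert: letters, digits and spaces, 1-15 characters (assumed gamertag format).
    $gamert = $post['gamert'] ?? '';
    if (!preg_match('/^[A-Za-z0-9 ]{1,15}$/', $gamert)) { $errors[] = 'gamert has an invalid format'; }

    // serveron: only values the form can legitimately send (assumed whitelist).
    $serveron = $post['serveron'] ?? '';
    if (!in_array($serveron, ['yes', 'no'], true)) { $errors[] = 'serveron must be yes or no'; }

    return [$errors, compact('theid', 'gamert', 'serveron')];
}

function recordVote(PDO $db, array $vote, string $ip): string
{
    $ip = filter_var($ip, FILTER_VALIDATE_IP);
    if ($ip === false) { return 'Invalid client address.'; }

    // Placeholders keep data out of the SQL text, so no escaping is needed.
    $check = $db->prepare('SELECT 1 FROM voting2 WHERE ipaddress = ?');
    $check->execute([$ip]);
    if ($check->fetchColumn() !== false) {
        return 'It appears you have already voted.';
    }

    $insert = $db->prepare('INSERT INTO voting2 (theid, ipaddress, gamert, serveron2) VALUES (?, ?, ?, ?)');
    $insert->execute([$vote['theid'], $ip, $vote['gamert'], $vote['serveron']]);
    return 'Your vote has been added.';
}

$db = new PDO('mysql:host=localhost;dbname=thedatabase;charset=utf8mb4', 'username', 'password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);

[$errors, $vote] = validateVote($_POST);
if ($errors) {
    // Escape on output too, since rejected input is echoed back to the browser.
    echo 'Vote rejected: ' . htmlspecialchars(implode('; ', $errors));
} else {
    // The client's address comes from the server, not from a hidden field the client can edit.
    echo recordVote($db, $vote, $_SERVER['REMOTE_ADDR'] ?? '');
}
```

Validation errors stop the insert before any query runs, so junk values from a scanner never reach the table, and the prepared statements handle quoting for the values that do.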

Hi

 

Stopping bots is a never ending task.

 

You can try many things. Put in a captcha. Vary field names (to make it more difficult to automate). Put in a question for a human to answer. Limit the response time so that any response within a short time of the page being sent is rejected (on the basis that no human could fill the form in that quickly). Block ranges of IP addresses. Take an email address and send an email to confirm the vote. Etc.

 

None of these are likely to be a 100% proof way of solving the problem, although the harder you make it, the more likely they will just go and find an easier site to attack and spam.

 

As to validation, integers are easy to check and pretty useless for many attacks.

 

All the best

 

Keith
