mysql security ?


garyed

I have a few questions regarding mainly sql injection. 

I have three basic queries on my database:

$table1="first_table";
$input1=$_POST['input1'];   // fixed: the original keys had a trailing space ('input1 ')
$input2=$_POST['input2'];
$result=mysql_query("select * from $table1 where id='$input1' ");   // fixed typo: msql_query
$result_array=mysql_fetch_array($result);                           // fixed typo: mysql_fectch_array
$answer=$result_array[$input2];

I run the same query on about 12 different tables and I have about 50 to a hundred different inputs all together.

I'm not worried about whether the user inputs incorrect data as much as I am about harmful SQL injection.

I've done a little research on mysql_real_escape_string and I saw this idea but I'm not sure how to implement it:

$input_data = array_map('mysql_real_escape_string', $_POST);

Any ideas welcome


I'm trying to understand this stuff. It's funny how easy it is once you understand it but getting to that point isn't always easy.

For now what I've done is just use mysql_real_escape_string on every possible input on every mysql_query command.


mysql_real_escape_string() is for string data. Based upon your usage, the user provided value is an ID. If that ID is an integer, then use intval(). Always use the right method of escaping data.

Does that mean mysql_real_escape_string() will not be secure or just that it will not prevent someone from entering a non-number? I was thinking of using JavaScript to check for valid numbers & pop up a warning before the form is entered. The page will not work correctly without JavaScript enabled so my only concern is some malicious hacker turning off JavaScript and doing some damage to the database.


Does that mean mysql_real_escape_string() will not be secure or just that it will not prevent someone from entering a non-number?

mysql_real_escape_string() would still be fine for a number; intval() is just a common quick alternative for numeric parameters like IDs. It won't prevent anyone from submitting a non-numerical value; you would have to do that validation separately if you want to check for it.


mysql_real_escape_string() would still be fine for a number; intval() is just a common quick alternative for numeric parameters like IDs. It won't prevent anyone from submitting a non-numerical value; you would have to do that validation separately if you want to check for it.

Thanks,

I'm just trying to add some protection to the databases for right now until I learn how to do prepared statements. I haven't been able to comprehend them yet. After reading about SQL injection I got a little nervous knowing my databases were totally unprotected until now. So for now I used mysql_real_escape_string() on any input that is used in any mysql_query, even dropdown menu inputs. I don't know how anyone could alter a drop down menu input but I heard it is possible.

I don't know how anyone could alter a drop down menu input but I heard it is possible.

To see how easy it is to do this, open any webpage with a drop down menu and paste this into the browser's console (usually via F12):

document.getElementsByTagName('select')[0].options[0].text = 'bad'; document.getElementsByTagName('select')[0].options[0].value = 'bad';

It will find the first dropdown on the page and override the first option. When the dropdown is submitted this value will now be submitted, not the value you defined in the HTML.

Edited by Ch0cu3r
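Pulling together the intval() advice above and the dropdown tampering Ch0cu3r shows, here is an added example (not code from anyone in the thread) of garyed's lookup with server-side validation and a mysqli prepared statement; the column names, dropdown options and database credentials are assumed placeholders.

```php
<?php
// Added example, not code from the thread: garyed's id/column lookup rewritten with
// server-side validation and a mysqli prepared statement. Assumes PHP 7.1+ with
// mysqlnd (needed for get_result()); column names, dropdown options and credentials
// are placeholders.

const ALLOWED_COLUMNS  = ['name', 'email', 'price'];   // columns the form may ask for
const DROPDOWN_OPTIONS = ['small', 'medium', 'large']; // the values rendered in the <select>

// Numeric id: accept only a string of digits, then cast. Unlike intval(), this
// rejects "12abc" instead of silently turning it into 12.
function validateId(string $raw): ?int
{
    return ctype_digit($raw) ? (int) $raw : null;
}

// Dropdown values and column names must exactly match a server-side whitelist,
// because the browser-side <select> can be edited as shown above. Strict comparison
// avoids PHP's loose numeric-string comparison ('1e1' == '10' is true).
function validateChoice(string $raw, array $allowed): ?string
{
    return in_array($raw, $allowed, true) ? $raw : null;
}

// The id travels as a bound parameter, never as part of the SQL text, so quotes or
// comment sequences in the input cannot change the query's structure.
function lookupAnswer(mysqli $db, int $id, string $column): ?string
{
    $stmt = $db->prepare('SELECT * FROM first_table WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    // $column was whitelisted by the caller, so indexing the row by it is safe.
    return $row[$column] ?? null;
}

$id     = validateId($_POST['input1'] ?? '');
$column = validateChoice($_POST['input2'] ?? '', ALLOWED_COLUMNS);
$size   = validateChoice($_POST['size'] ?? '', DROPDOWN_OPTIONS);
if ($id === null || $column === null || $size === null) {
    http_response_code(400);   // a tampered dropdown or a non-numeric id stops here
    exit('Invalid input');
}

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname'); // placeholder credentials
$answer = lookupAnswer($db, $id, $column);
```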

Wow, I didn't know it could be that easy. Now I'm starting to worry about the form action field. I used to use echo $_SERVER['PHP_SELF'] but started just leaving the action field blank. I guess that's another place a hacker can get to.


NEVER trust ANYTHING coming from a user. This includes the global vars $_POST, $_GET, $_COOKIE. Even $_SERVER has some values that can be spoofed. Plus, don't assume a user can't directly access a file because they don't know the name. If you have any files that are only included in other files which are within the public folders of a site, you need to ask yourself what would happen if a user was to access the file directly. Any files with sensitive information should be stored outside the public folder. For example, if the root of your site points to a folder called 'mysite', then put files that are included one level up. E.g.

|-mysite (root of the site: www.mysite.com)
|   |-aboutus
|   |-contactus
|   |-ourproducts
|
|-includes (not within the accessible root)
|-classes (not within the accessible root)

Edited by Psycho

Thanks,

I'm just trying to add some protection to the databases for right now until I learn how to do prepared statements. I haven't been able to comprehend them yet. After reading about SQL injection I got a little nervous knowing my databases were totally unprotected until now. So for now I used mysql_real_escape_string() on any input that is used in any mysql_query, even dropdown menu inputs. I don't know how anyone could alter a drop down menu input but I heard it is possible.

Hi garyed,

I'm in a similar situation to yourself where I have become concerned about the security of my SQL database. Would you mind providing an example of the mysql_real_escape_string you have implemented on a mysql_query command? I too am trying to get my head around this stuff but with next to no PHP development experience, it's proving challenging! Looking at your above example, I'm not sure if my database works in exactly the same way as yours, but perhaps the same principle could be applied.

Thank you.
