mysql security ?

[garyed]

I have a few questions regarding mainly sql injection. 

 I have three basic queries on my database :

$table1="first_table";
$input1=$_POST['input1 '];  
$input2=$_POST['input2 '];
$result= msql_query ("select * from $table1 where id='$input1' ");
$result_array=mysql_fectch_array($result);
$answer=$result_array[$input2]; 

I run the same query on about 12 different tables and I have about 50 to a hundred different inputs all together.

I'm not worried about if the user inputs incorrect data as much as I am any harmful sql injection.

I've done a little research on mysql_real_escape_string and I saw this idea but I'm not sure how to implement it: 

 

Any ideas welcome

$input_data = array_map('mysql_real_escape_string', $_POST); 

 

 

 

 

[Ch0cu3r]

Using mysqli with prepared queries would be better.

[garyed]

I'm trying to understand this stuff. It's funny how easy it is once you understand it but getting to that point isn't always easy.

For now what I've done is just use mysql_real_escape_string on every possible input on every mysql_query command.

[Psycho]

mysql_real_escape_string() is for string data. Based upon your usage, the user provided value is an ID. If that ID is an integer, then use intval(). Always use the right method of escaping data.

[garyed]

mysql_real_escape_string() is for string data. Based upon your usage, the user provided value is an ID. If that ID is an integer, then use intval(). Always use the right method of escaping data.

Does that mean mysql_real_escape_string() will not be secure or just that it will not prevent someone from entering a non number? I was thinking of using javascript to check for valid numbers & pop up a warning before the form is entered. The page will not work correctly without javascript enabled so my only concern is some malicious hacker turning off javascript and doing some damage to the database.   

 

[kicken]

Does that mean mysql_real_escape_string() will not be secure or just that it will not prevent someone from entering a non number?

mysql_real_escape_string() would still be fine for a number, intval() is just a common quick alternative for numeric parameters like IDs. It won't prevent anyone from submitting a non-numerical value, you would have to do that validation separately if you want to check for it.

[garyed]

mysql_real_escape_string() would still be fine for a number, intval() is just a common quick alternative for numeric parameters like IDs. It won't prevent anyone from submitting a non-numerical value, you would have to do that validation separately if you want to check for it.

Thanks,

I'm just trying to ad some protection to the databases for right now until I learn how to do prepared statements .  I haven't been able to comprehend them yet.  After reading about sql injection I got a little nervous knowing my databases were totally unprotected until now. So for now I used mysql_real_escape_string() on any input that is used in any mysql_query, even dropdown menu inputs. I don't know how anyone could alter a drop down menu input but i heard it is possible.

 

 

 

[kicken]

I don't know how anyone could alter a drop down menu input but i heard it is possible.

By using any of the browser's debugging tools like Firebug, chrome console, etc. Or by just saving the form, editing the HTML to change it, then submit it.

[Ch0cu3r]

 

I don't know how anyone could alter a drop down menu input but i heard it is possible.

To see how easily it is to do this, open any webpage with a drop down menu and paste this in to the browsers console (usually via F12)

document.getElementsByTagName('select')[0].options[0].text = 'bad'; document.getElementsByTagName('select')[0].options[0].value = 'bad';

it will find the first dropdown on the page and override the first option. When the dropdown is submitted this value will now be submitted, not the value you defined in the html.

Edited January 26, 2014 by Ch0cu3r

[garyed]

Wow, I didn't know it could be that easy. Now I'm starting to worry about the form action field .  I used to use echo $_SERVER['PHP_SELF'] but started just leaving the action field blank. I guess that's another place a hacker can get to.   

 

[Psycho]

NEVER trust ANYTHING coming from a user. This includes the global vars $_POST, $_GET, $_COOKIE. Even $_SERVER has some values that can be spoofed. Plus, don't assume a user can't directly access a file because they don't know the name. If you have any files that are only included in other files which are within the public folders of a site, you need to ask yourself what would happen if a user was to access the file directly. Any files with sensitive information should be stored outside the public folder. For example, if the root of your site points to a folder called 'mysite', then put files that are included one level up. E.g.

 

|-mysite (root of the site: www.mysite.com)

|   |-aboutus

|   |-contactus

|   |-ourproducts

|

|-includes (not within the accessible root)

|-classes (not within the accessible root)

Edited January 27, 2014 by Psycho

[ben_1uk]

Thanks,

I'm just trying to ad some protection to the databases for right now until I learn how to do prepared statements .  I haven't been able to comprehend them yet.  After reading about sql injection I got a little nervous knowing my databases were totally unprotected until now. So for now I used mysql_real_escape_string() on any input that is used in any mysql_query, even dropdown menu inputs. I don't know how anyone could alter a drop down menu input but i heard it is possible.

 

Hi garyed,

 

I'm in a similar situation to yourself where I have become concerned about the security of my SQL database. Would you mind providing an example of the mysql_real_escape_string you have implemented on a mysql_query command? I too am trying to get my head around this stuff but with next to no PHP development experience, it's proving challenging! Looking at your above example, I'm not sure if my database works in exactly the same way as yours, but perhaps the same principal could be applied.

 

Thank you.