Jump to content

SQL Attacks


PC Nerd

Recommended Posts

hi guys.

 

im wondering if theres a way to actually detect SQL attacks, instead of just blocking them by filtering the input etc. 

 

What i want to do is have a table in the database, that logs the IP address etc of all SQL injection attacks.............. and display a message "Your IP address has been logged due to an attempted SQL injection Atack"  or someething

 

 

thanks for your help

 

 

Link to comment
Share on other sites

the only way to do that would be to limit the number of sql queries a specific IP can make, but in the process of doing that you may actually interfere with a normal user. Especially in the scenario where 1000 people share an outside IP, such as a corporation or AOL or something like that.

Link to comment
Share on other sites

Or... I just thought of another way you could do it....

 

If usernames always match a-zA-Z0-9 and passwords are the same or something like that (basically if they match anything without quotes) you could do the following:

 

$username = $_POST|GET['something'];
$password = blah....;

if($username != addslashes($username) || $password != addslashes($password)) {
//maybe increment a session value or something and then if it's greater than 3 or something assume this person is using quotes an odd amount of times....
}
else {
//continue
}

Link to comment
Share on other sites

its kinda hard to say what is an attack..without knowing the filtering method and expected data..

the filter i use has different types.. IE numbers/numbers+letters/html

 

of course i could add a routine to numbers/letters & numbers+letters to detect <"-'> etc and then report it but with HTML < translates to < so reporting wouldn't be worth it..

 

just something to think about

Link to comment
Share on other sites

They only happen when someone tries it and succeeds. Any person, especially "script kiddies" who find a new way to screw someone and use it, can potentially exploit it.

 

I remember when I was starting out you always looked at the exploits for systems and tried them out. Unfortunately I am not the only one who went through that phase, remember in windows 98 c:con\con  =) I love that one. It is best to code for the worst. Especially when fixing the problem is very simple. Especially for SQL. I would suggest using this function on any POST or GET data entering into a DB:

 

<?php
function myEscape($string) {
       return  get_magic_quotes_gpc()?addcslashes(stripslashes ($string), "\x00\n\are\\'\"\x1a" ):addcslashes($string, "\x00\n\are\\'\"\x1a" );
}

$username = myEscape($_POST['username']);
?>

 

Works without a database and will protect you from SQL injection. Simple as that.

 

And on the IP note, that may not work as IP's are easily spoofed especially with proxies. You could ban a ton of people with 1 IP and not even know it. In order to find them out though you would need an algorithm that checks for certain keywords and phrases.

Link to comment
Share on other sites

can anyone help me create that "algorithm" to detect the SQL injection attacks?  I really want to be able to dlock SQL injection attacks from my site...... eg their IP......  so it wouldnt matter if someone if part of a proxy, because it would simply block everyone in that proxy......... is there a way to detect proxy?  if there is, then what would be good is if i can create a script that detects proxy, and block it perminently, or if its not proxy, then  block for a week ( dynamic IP assingments) and if its a repeat offender, then perminently block that user.

 

id be willing to pay a small amount if its possible, so if it is, ill post it in the freelancing section, if i cant do it.

 

 

thanks for your replies,

 

 

Link to comment
Share on other sites

well its mainly a new user form, and a login form.

 

its ony really using Int and Strings as data, the rest of the information is generated by the php script like time etc.

 

i could block  " <>=!" etc. but how do i detect specifically SQL statements?

 

thanks

Link to comment
Share on other sites

Basically to detect those types, you would want to know every possibility, do a google search. Once found just do an eregi check for that sequence.

 

IE:

 

<?php
function verifyField($string) {
    $pattern = "/'(.*)(OR|AND)(.*)/i";
    if (eregi($pattern, $string)) {
          return false;
    }

    return true;
}

if (!verifyField($_POST['username'])) {
     echo 'A SQL Attack has been made!';
} 
?>

 

regex taken from corbin, but using regular expressions it's not too hard, just have to do some testing.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.