PC Nerd Posted May 24, 2007 Share Posted May 24, 2007 hi guys. im wondering if theres a way to actually detect SQL attacks, instead of just blocking them by filtering the input etc. What i want to do is have a table in the database, that logs the IP address etc of all SQL injection attacks.............. and display a message "Your IP address has been logged due to an attempted SQL injection Atack" or someething thanks for your help Quote Link to comment https://forums.phpfreaks.com/topic/52879-sql-attacks/ Share on other sites More sharing options...
fou2enve Posted May 24, 2007 Share Posted May 24, 2007 the only way to do that would be to limit the number of sql queries a specific IP can make, but in the process of doing that you may actually interfere with a normal user. Especially in the scenario where 1000 people share an outside IP, such as a corporation or AOL or something like that. Quote Link to comment https://forums.phpfreaks.com/topic/52879-sql-attacks/#findComment-261098 Share on other sites More sharing options...
dj-kenpo Posted May 24, 2007 Share Posted May 24, 2007 whatever function you use to detect attacks, just add an extra line that does an sql insert. still filter it, but then just do an extra line of code. Quote Link to comment https://forums.phpfreaks.com/topic/52879-sql-attacks/#findComment-261100 Share on other sites More sharing options...
corbin Posted May 24, 2007 Share Posted May 24, 2007 You could use some cracked out regular expressions.... Maybe something like $pattern = "/'(.*)(OR|AND)(.*)/i"; Well, actually that's pretty basic, but you get what I mean hopefully ;p. Quote Link to comment https://forums.phpfreaks.com/topic/52879-sql-attacks/#findComment-261102 Share on other sites More sharing options...
corbin Posted May 24, 2007 Share Posted May 24, 2007 Or... I just thought of another way you could do it.... If usernames always match a-zA-Z0-9 and passwords are the same or something like that (basically if they match anything without quotes) you could do the following: $username = $_POST|GET['something']; $password = blah....; if($username != addslashes($username) || $password != addslashes($password)) { //maybe increment a session value or something and then if it's greater than 3 or something assume this person is using quotes an odd amount of times.... } else { //continue } Quote Link to comment https://forums.phpfreaks.com/topic/52879-sql-attacks/#findComment-261113 Share on other sites More sharing options...
MadTechie Posted May 24, 2007 Share Posted May 24, 2007 its kinda hard to say what is an attack..without knowing the filtering method and expected data.. the filter i use has different types.. IE numbers/numbers+letters/html of course i could add a routine to numbers/letters & numbers+letters to detect <"-'> etc and then report it but with HTML < translates to < so reporting wouldn't be worth it.. just something to think about Quote Link to comment https://forums.phpfreaks.com/topic/52879-sql-attacks/#findComment-261152 Share on other sites More sharing options...
textbox Posted May 24, 2007 Share Posted May 24, 2007 These are not something I know a great deal about. Obviously its best to take precaution, but do they happen a great deal? Are they always malicious and done on purpose by someone, or totally random and bot'ed? Quote Link to comment https://forums.phpfreaks.com/topic/52879-sql-attacks/#findComment-261155 Share on other sites More sharing options...
per1os Posted May 24, 2007 Share Posted May 24, 2007 They only happen when someone tries it and succeeds. Any person, especially "script kiddies" who find a new way to screw someone and use it, can potentially exploit it. I remember when I was starting out you always looked at the exploits for systems and tried them out. Unfortunately I am not the only one who went through that phase, remember in windows 98 c:con\con =) I love that one. It is best to code for the worst. Especially when fixing the problem is very simple. Especially for SQL. I would suggest using this function on any POST or GET data entering into a DB: <?php function myEscape($string) { return get_magic_quotes_gpc()?addcslashes(stripslashes ($string), "\x00\n\are\\'\"\x1a" ):addcslashes($string, "\x00\n\are\\'\"\x1a" ); } $username = myEscape($_POST['username']); ?> Works without a database and will protect you from SQL injection. Simple as that. And on the IP note, that may not work as IP's are easily spoofed especially with proxies. You could ban a ton of people with 1 IP and not even know it. In order to find them out though you would need an algorithm that checks for certain keywords and phrases. Quote Link to comment https://forums.phpfreaks.com/topic/52879-sql-attacks/#findComment-261174 Share on other sites More sharing options...
PC Nerd Posted May 25, 2007 Author Share Posted May 25, 2007 can anyone help me create that "algorithm" to detect the SQL injection attacks? I really want to be able to dlock SQL injection attacks from my site...... eg their IP...... so it wouldnt matter if someone if part of a proxy, because it would simply block everyone in that proxy......... is there a way to detect proxy? if there is, then what would be good is if i can create a script that detects proxy, and block it perminently, or if its not proxy, then block for a week ( dynamic IP assingments) and if its a repeat offender, then perminently block that user. id be willing to pay a small amount if its possible, so if it is, ill post it in the freelancing section, if i cant do it. thanks for your replies, Quote Link to comment https://forums.phpfreaks.com/topic/52879-sql-attacks/#findComment-261382 Share on other sites More sharing options...
MadTechie Posted May 25, 2007 Share Posted May 25, 2007 as i said its hard to say what is classed as an injection.. what type of data are you handling ? really you need to break them up into types.. unless its one area ie login Quote Link to comment https://forums.phpfreaks.com/topic/52879-sql-attacks/#findComment-261440 Share on other sites More sharing options...
PC Nerd Posted May 25, 2007 Author Share Posted May 25, 2007 well its mainly a new user form, and a login form. its ony really using Int and Strings as data, the rest of the information is generated by the php script like time etc. i could block " <>=!" etc. but how do i detect specifically SQL statements? thanks Quote Link to comment https://forums.phpfreaks.com/topic/52879-sql-attacks/#findComment-261473 Share on other sites More sharing options...
MadTechie Posted May 25, 2007 Share Posted May 25, 2007 what about <?php $X = $_POST['username']; $Y = Filter($X); if($X != $Y) { echo "Attach detected"; } ?> just something basic Quote Link to comment https://forums.phpfreaks.com/topic/52879-sql-attacks/#findComment-261477 Share on other sites More sharing options...
per1os Posted May 25, 2007 Share Posted May 25, 2007 Basically to detect those types, you would want to know every possibility, do a google search. Once found just do an eregi check for that sequence. IE: <?php function verifyField($string) { $pattern = "/'(.*)(OR|AND)(.*)/i"; if (eregi($pattern, $string)) { return false; } return true; } if (!verifyField($_POST['username'])) { echo 'A SQL Attack has been made!'; } ?> regex taken from corbin, but using regular expressions it's not too hard, just have to do some testing. Quote Link to comment https://forums.phpfreaks.com/topic/52879-sql-attacks/#findComment-261601 Share on other sites More sharing options...
PC Nerd Posted May 26, 2007 Author Share Posted May 26, 2007 ok, thanks, ill have a look and try differente exampels thanks for your time... ill leave this open incase anyone has any other ideas Quote Link to comment https://forums.phpfreaks.com/topic/52879-sql-attacks/#findComment-261954 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.