PC Nerd, Posted May 24, 2007

Hi guys. I'm wondering if there's a way to actually detect SQL attacks, instead of just blocking them by filtering the input etc. What I want to do is have a table in the database that logs the IP address etc. of all SQL injection attacks... and display a message "Your IP address has been logged due to an attempted SQL injection attack" or something. Thanks for your help.

fou2enve, Posted May 24, 2007

The only way to do that would be to limit the number of SQL queries a specific IP can make, but in the process of doing that you may actually interfere with a normal user. Especially in the scenario where 1000 people share an outside IP, such as a corporation or AOL or something like that.

dj-kenpo, Posted May 24, 2007

Whatever function you use to detect attacks, just add an extra line that does an SQL insert. Still filter it, but then just do an extra line of code.

corbin, Posted May 24, 2007

You could use some cracked out regular expressions.... Maybe something like

```php
$pattern = "/'(.*)(OR|AND)(.*)/i";
```

Well, actually that's pretty basic, but you get what I mean hopefully ;p.

corbin, Posted May 24, 2007

Or... I just thought of another way you could do it.... If usernames always match a-zA-Z0-9 and passwords are the same or something like that (basically if they match anything without quotes) you could do the following:

```php
<?php
$username = $_POST['something']; // or $_GET['something']
$password = $_POST['password'];  // placeholder field name; the post only says "blah...."
if ($username != addslashes($username) || $password != addslashes($password)) {
    // maybe increment a session value or something, and then if it's greater than 3
    // or something, assume this person is using quotes an odd amount of times....
} else {
    // continue
}
```

MadTechie, Posted May 24, 2007

It's kind of hard to say what is an attack without knowing the filtering method and expected data. The filter I use has different types, i.e. numbers / numbers+letters / HTML. Of course I could add a routine to numbers/letters & numbers+letters to detect <"-'> etc. and then report it, but with HTML, < translates to &lt; so reporting wouldn't be worth it. Just something to think about.

textbox, Posted May 24, 2007

These are not something I know a great deal about. Obviously it's best to take precaution, but do they happen a great deal? Are they always malicious and done on purpose by someone, or totally random and bot'ed?

per1os, Posted May 24, 2007

They only happen when someone tries it and succeeds. Any person, especially "script kiddies" who find a new way to screw someone and use it, can potentially exploit it. I remember when I was starting out you always looked at the exploits for systems and tried them out. Unfortunately I am not the only one who went through that phase, remember in Windows 98 c:con\con =) I love that one.

It is best to code for the worst. Especially when fixing the problem is very simple. Especially for SQL. I would suggest using this function on any POST or GET data entering into a DB:

```php
<?php
function myEscape($string) {
    // Undo magic-quotes escaping first if it is enabled (get_magic_quotes_gpc()
    // was removed in PHP 8.0, hence the function_exists() guard), then
    // backslash-escape NUL, newline, carriage return, backslash, quotes and Ctrl-Z.
    $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magic
        ? addcslashes(stripslashes($string), "\x00\n\r\\'\"\x1a")
        : addcslashes($string, "\x00\n\r\\'\"\x1a");
}

$username = myEscape($_POST['username']);
?>
```

Works without a database and will protect you from SQL injection. Simple as that.

And on the IP note, that may not work as IPs are easily spoofed, especially with proxies. You could ban a ton of people with 1 IP and not even know it. In order to find them out though you would need an algorithm that checks for certain keywords and phrases.

PC Nerd (Author), Posted May 25, 2007

Can anyone help me create that "algorithm" to detect the SQL injection attacks? I really want to be able to block SQL injection attacks from my site... e.g. their IP... so it wouldn't matter if someone is part of a proxy, because it would simply block everyone in that proxy... Is there a way to detect a proxy? If there is, then what would be good is if I can create a script that detects a proxy and blocks it permanently, or if it's not a proxy, then blocks for a week (dynamic IP assignments), and if it's a repeat offender, then permanently blocks that user. I'd be willing to pay a small amount if it's possible, so if it is, I'll post it in the freelancing section if I can't do it. Thanks for your replies.

MadTechie, Posted May 25, 2007

As I said, it's hard to say what is classed as an injection. What type of data are you handling? Really you need to break them up into types, unless it's one area, i.e. login.

PC Nerd (Author), Posted May 25, 2007

Well, it's mainly a new user form and a login form. It's only really using ints and strings as data; the rest of the information is generated by the PHP script, like time etc. I could block " <>=!" etc., but how do I detect specifically SQL statements? Thanks.

MadTechie, Posted May 25, 2007

What about

```php
<?php
// Filter() stands for whatever input-filtering function you already use.
$X = $_POST['username'];
$Y = Filter($X);
if ($X != $Y) {
    // The filter changed the value, so the input contained something it strips.
    echo "Attack detected";
}
?>
```

Just something basic.

per1os, Posted May 25, 2007

Basically to detect those types, you would want to know every possibility, do a Google search. Once found just do an eregi check for that sequence. I.e.:

```php
<?php
function verifyField($string) {
    // corbin's pattern is written with PCRE delimiters and the /i flag, so it is
    // matched with preg_match(); eregi() takes POSIX patterns without delimiters
    // and was removed in PHP 7.
    $pattern = "/'(.*)(OR|AND)(.*)/i";
    if (preg_match($pattern, $string)) {
        return false;
    }
    return true;
}

if (!verifyField($_POST['username'])) {
    echo 'A SQL Attack has been made!';
}
?>
```

Regex taken from corbin, but using regular expressions it's not too hard, just have to do some testing.

PC Nerd (Author), Posted May 26, 2007

OK, thanks, I'll have a look and try different examples. Thanks for your time... I'll leave this open in case anyone has any other ideas.
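
The detect-and-log approach discussed in this thread, as an added example that is not any poster's code: it checks the username against the allow-list corbin describes, records rejected values with the client IP through a prepared statement, and stops accepting input from an IP after more than 3 rejections. The table name `suspicious_input`, the function names and the in-memory SQLite database are assumptions made for the example.

```php
<?php
// Added example (not from the thread). Table and function names are hypothetical.
// An in-memory SQLite database stands in for the site's real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE suspicious_input (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    ip TEXT NOT NULL, field TEXT NOT NULL, value TEXT NOT NULL, seen_at TEXT NOT NULL)');

const MAX_STRIKES = 3; // threshold mentioned in the thread ("greater than 3 or something")

// Allow-list check: usernames may contain only a-z, A-Z, 0-9 (1 to 32 characters).
function isValidUsername(string $s): bool {
    return preg_match('/\A[a-zA-Z0-9]{1,32}\z/', $s) === 1;
}

// Record the rejected value. Bound parameters keep the logged text from being
// interpreted as SQL, so the log table itself cannot be injected into.
function logRejected(PDO $db, string $ip, string $field, string $value): void {
    $stmt = $db->prepare('INSERT INTO suspicious_input (ip, field, value, seen_at)
                          VALUES (:ip, :field, :value, :seen_at)');
    $stmt->execute([':ip' => $ip, ':field' => $field,
                    ':value' => substr($value, 0, 255), ':seen_at' => gmdate('c')]);
}

function strikesFor(PDO $db, string $ip): int {
    $stmt = $db->prepare('SELECT COUNT(*) FROM suspicious_input WHERE ip = :ip');
    $stmt->execute([':ip' => $ip]);
    return (int) $stmt->fetchColumn();
}

// Returns 'ok', 'rejected' or 'blocked' for one submitted username.
function checkUsername(PDO $db, string $ip, string $username): string {
    if (strikesFor($db, $ip) > MAX_STRIKES) {
        return 'blocked';
    }
    if (isValidUsername($username)) {
        return 'ok';
    }
    logRejected($db, $ip, 'username', $username);
    return 'rejected';
}

// Constructed sample requests; a live page would pass $_SERVER['REMOTE_ADDR'].
foreach (['alice42', "O'Brien", 'bob', "x' OR '1'='1", 'a-b', 'a b', '<b>', 'carol'] as $u) {
    printf("%-16s %s\n", $u, checkUsername($db, '203.0.113.7', $u));
}
```

The log records "input did not match the expected format", which covers honest mistakes such as `O'Brien` as well as injection attempts, and once the IP passes the threshold the valid name `carol` is refused too, which is the shared-IP side effect fou2enve and per1os describe.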