MySQL Injection


6 replies to this topic

#1 lpxxfaintxx

lpxxfaintxx
  • Members
  • Advanced Member
  • 181 posts

Posted 10 April 2006 - 01:08 PM

Would adding addslashes and strip_tags to $_POST and $_GET's prevent MySQL injection? If not, what else can I do to improve my site's security?

Concerned Web Master,

LPXXFAINTXX

#2 davidja

davidja
  • Members
  • Newbie
  • 8 posts

Posted 10 April 2006 - 07:08 PM

Yes, the addslashes will stop MySQL injection.

This is how I stop SQL injection.


$Query = "SELECT * FROM table WHERE (field = '".  $Varible ."')";


#3 kenrbnsn

kenrbnsn
  • Staff Alumni
  • Advanced Member
  • 8,235 posts
  • Location: Hillsborough, NJ, USA

Posted 10 April 2006 - 07:38 PM

Please read this article on MySQL Injection prevention: http://shiflett.org/articles/security-corner-apr2004

Ken

#4 jworisek

jworisek
  • Members
  • Advanced Member
  • 112 posts

Posted 10 April 2006 - 08:32 PM

Are there any security concerns with using $_SESSION for tracking user data?


#5 wildteen88

wildteen88
  • Staff Alumni
  • Advanced Member
  • 10,482 posts
  • Location: UK, Bournemouth

Posted 11 April 2006 - 09:15 AM

Any data set in $_SESSION variable should be completely trustworthy as you are the one that sets the session data after all! All session data is stored on the server so the user can not see what session data is being set while they are browsing your site. The only thing you'll want to be wary of with sessions is session fixation.

#6 LIJI

LIJI
  • New Members
  • Newbie
  • 6 posts
  • Location: Israel

Posted 12 April 2006 - 01:38 PM

QUOTE(lpxxfaintxx @ Apr 10 2006, 03:08 PM)
> Would adding addslashes and strip_tags to $_POST and $_GET's prevent MySQL injection? If not, what else can I do to improve my site's security?
>
> Concerned Web Master,
>
> LPXXFAINTXX

The best and easiest way to do it is:
mysql_real_escape_string($_POST['value']); // (or $_GET)
More info:
http://php.net/manual/en/function.mysql-real-escape-string.php

#7 Yesideez

Yesideez
  • Members
  • Advanced Member
  • 2,334 posts
  • Location: Devon, UK

Posted 12 April 2006 - 04:28 PM

QUOTE(wildteen88 @ Apr 11 2006, 10:15 AM)
> Any data set in $_SESSION variable should be completely trustworthy as you are the one that sets the session data after all! All session data is stored on the server so the user can not see what session data is being set while they are browsing your site. The only thing you'll want to be wary of with sessions is session fixation.

I'm a moderator on an online game and we had a problem a while back where some players were stealing other players' session IDs and becoming them, enabling them to take over accounts. The session IDs were extracted using JavaScript and a special browser was used to make use of the stolen session ID.

The way I've got round it for my sites that use databases is to add two functions into the dbconnect include script, one called secureint() and the other securestr() depending on what data I'm expecting to pull from the user.

I've probably gone a bit overkill but here are the two functions:
  // Coerce user input to an integer.
  function secureint($intstr) {
    settype($intstr,'integer');
    $intint=sprintf("%d",$intstr);
    $intint=intval($intint);
    return $intint;
  }
  // Trim, strip HTML tags and backslash-escape quotes in user input.
  function securestr($oldstr) {
    $oldstr=trim($oldstr);
    $oldstr=strip_tags($oldstr);
    $oldstr=sprintf("%s",$oldstr);
    $oldstr=addslashes($oldstr);
    return $oldstr;
  }
And now a demo in use:
$numericvar=secureint($_POST['age']);
$stringvar=securestr($_POST['name']);
They work like a charm.
Not a pro just an enthusiast :)

if (empty($coffee)) {$coffee=new coffee();}

Please surround any code using the CODE tags - I rarely look at anything without them
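
An added example, not written by any poster in this thread: the concatenated query from post #2 next to a prepared statement with bound parameters, plus integer validation that rejects bad input instead of coercing it. PDO with an in-memory SQLite database, the users table, its rows, the function names and the sample input are all assumptions constructed for illustration.

```php
<?php
// Added example. PDO with in-memory SQLite, the users table and its rows are
// assumptions made so the demo runs offline; they are not from the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)");
$db->exec("INSERT INTO users (name, age) VALUES ('alice', 30), ('bob', 41)");

// Query built the way post #2 builds it: the value becomes part of the SQL
// text, so any quote characters inside it are parsed as SQL syntax.
function findByNameConcat(PDO $db, string $name): array {
    $query = "SELECT id, name FROM users WHERE (name = '" . $name . "')";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the SQL text is fixed and the value is sent as data,
// so no escaping function is needed and quotes cannot alter the statement.
function findByNameBound(PDO $db, string $name): array {
    $stmt = $db->prepare("SELECT id, name FROM users WHERE (name = :name)");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Integer input: validate and reject, rather than silently coercing
// a malformed value such as "41abc" to a number.
function findByAge(PDO $db, $age): array {
    $age = filter_var($age, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($age === false) {
        throw new InvalidArgumentException('age must be an integer from 0 to 150');
    }
    $stmt = $db->prepare("SELECT id, name FROM users WHERE age = :age");
    $stmt->bindValue(':age', $age, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$input = "x') OR ('1'='1";  // constructed sample input containing quotes
printf("concatenated: %d row(s)\n", count(findByNameConcat($db, $input)));
printf("bound:        %d row(s)\n", count(findByNameBound($db, $input)));
printf("bound, exact: %d row(s)\n", count(findByNameBound($db, 'bob')));
printf("age lookup:   %d row(s)\n", count(findByAge($db, '41')));
try {
    findByAge($db, '41abc');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The same prepare/execute calls work against MySQL by changing the PDO connection string.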



