Crew-Portal Posted December 13, 2007
Would any of you fine gentlemen be at all interested in posting ways I can secure my PHP scripts from SQL injection? I am not a hacker, so I do not know how they're done and I do not know how to protect myself. I've been SQL injected before and it sucks big time! All I know is: MySQL_real_escape_string();
xProteuSx Posted December 13, 2007
My understanding is that if you follow this procedure, you are (supposedly) safe from MySQL injection attacks: before you input any values to your DB, run the values through the MySQL_real_escape_string() function. i.e.

    $password = $_POST['password'];
    $password = mysql_real_escape_string($password);

Now you can run your INSERT query and insert the data stored in the $password variable into your DB.
PHP_PhREEEk Posted December 13, 2007
There is not one answer to your question. It all depends on the data you are handling, and each case is different. Using maxlength limits in your POST forms is good, and then use substr() to make sure those constraints are kept. Using character classes is a good idea too, since many form elements do not require much beyond alphanumeric characters. For me, it really boils down to understanding each individual piece of data and what you will accept for that input. For most form fields, you can really nail this down. For text areas, this gets more challenging since you need to be more flexible with allowed characters. I also set up some array elements with known hack/injection syntax and search through data for them (especially JOIN and UNION). Suffice it to say, script security is a multi-layered ambition, and it's something you just have to learn as you go along.
PhREEEk
Crew-Portal Posted December 13, 2007 (Author)
Keep getting hacked till I stop getting hacked. Okay, that makes sense. I'll just make sure I make backups of my databases and stuff, like idk every week or couple of days. Thanks! And ya, I'll use mysql_real_escape_string(); But I got one last question. Is it possible for someone to upload a file to my comp using SQL injection? Because I think someone did on my ?page= area.
xProteuSx Posted December 13, 2007
I don't know how it's done, but I know that one of the sites I administrate did get hacked via a SQL injection, and they did manage to upload a bunch of content.
trq Posted December 13, 2007
You can't upload a file via SQL injection. All you can do is tamper with the database. If you're having files uploaded to your site, change your FTP details (password). If you have shell access I would use that rather than FTP, as it's a lot more secure.
xProteuSx Posted December 18, 2007
Of course you cannot upload files using a SQL injection. However, there are ways in which to tamper with the DB so that you can upload files to a site. I really could not tell you what the process is. If you have a file upload section that is accessible to administrators only, hackers could give themselves access to this section via an SQL injection attack, then upload files which are usually canned scripts that give them total access to a site. I have been a victim of this, so I know that one way or another, SQL injection holes can lead to files being uploaded to your site, even if indirectly.
corbin Posted December 18, 2007
Instead of just telling you to use mysql_real_escape_string, maybe explaining what you're protecting against will help more. OK, let's pretend you have this as a page:

    <?php
    session_start();

    if (isset($_POST['username'])) {
        // user submitted form.
        $username = $_POST['username'];
        $password = (isset($_POST['password'])) ? $_POST['password'] : '';

        // the raw values are spliced straight into the SQL text
        $q = "SELECT user_id FROM users WHERE username = '{$username}' AND password = '{$password}'";
        $q = mysql_query($q);

        if (mysql_num_rows($q) != 0) {
            $r = mysql_fetch_assoc($q);
            $_SESSION['user_id'] = $r['user_id'];
            $_SESSION['username'] = $username;
        } else {
            echo 'Incorrect Login';
            // show form
        }
    } else {
        // output form for logging in
    }
    ?>

At first glance, this looks like it would be fine. If someone was to enter Corbin for the username and password for the password, the query would look like:

    SELECT user_id FROM users WHERE username = 'Corbin' AND password = 'password'

There's only one problem with this.... What if someone enters a special SQL character? Obviously, putting a quote in either the username or password field would cause problems, and -- (outside of quotes) means ignore the rest of the query, so what if someone put in Admin for the username and ' OR 1=1-- for the password? All of a sudden, the query would be:

    SELECT user_id FROM users WHERE username = 'Admin' AND password = '' OR 1=1--'

Since 1=1 would always be true, this would return a record (assuming data was present). If that quote had been escaped, the entire problem would have been avoided.... If the lines where $username and $password were set used mysql_real_escape_string, the query would look like this:

    SELECT user_id FROM users WHERE username = 'Admin' AND password = '\' OR 1=1--'

That would be perfectly safe, unless Admin happened to have the password ' OR 1=1--.
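The following is an added example, not code from anyone in this thread. It puts corbin's vulnerable login query, the escaping approach xProteuSx and corbin recommend, and the allow-list character class PhREEEk mentions side by side so you can run them offline. It assumes PHP 7.1 or later with PDO and the pdo_sqlite driver; the in-memory SQLite database, the users table and its two rows are constructed here for the demo. PDO::quote() stands in for mysql_real_escape_string() (SQLite doubles the quote instead of backslash-escaping it, but the effect on the query is the same), and a prepared statement is shown as the option that keeps user input out of the SQL text altogether. The payload has a space after the -- so the comment also works on MySQL.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL database in the thread.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
// Constructed sample rows (plain-text passwords only because the thread's schema uses them).
$pdo->exec("INSERT INTO users (username, password) VALUES ('Admin', 'correct-horse'), ('Corbin', 'password')");

// Allow-list validation in the spirit of PhREEEk's post: a length limit plus a
// character class. Returns the value unchanged if it fits, null otherwise.
function validate_username(string $value): ?string
{
    if (strlen($value) > 32) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9_]+$/', $value) ? $value : null;
}

// Vulnerable: the raw values are spliced into the SQL text, exactly as in corbin's page.
function login_vulnerable(PDO $pdo, string $username, string $password): ?int
{
    $q = "SELECT user_id FROM users WHERE username = '{$username}' AND password = '{$password}'";
    $row = $pdo->query($q)->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['user_id'] : null;
}

// Escaped: the thread's advice. PDO::quote() returns the value already wrapped
// in quotes with any embedded quote escaped, so the input stays inside the string literal.
function login_escaped(PDO $pdo, string $username, string $password): ?int
{
    $u = $pdo->quote($username);
    $p = $pdo->quote($password);
    $q = "SELECT user_id FROM users WHERE username = {$u} AND password = {$p}";
    $row = $pdo->query($q)->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['user_id'] : null;
}

// Parameterised: the SQL text never contains the values at all, so quotes and
// comment markers in the input are just data to compare against.
function login_prepared(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT user_id FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$username, $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['user_id'] : null;
}

// The thread's payload, with a trailing space after -- so it is a comment on MySQL too.
$payload = "' OR 1=1 -- ";

var_dump(login_vulnerable($pdo, 'Admin', $payload));   // returns a user_id: login bypassed
var_dump(login_escaped($pdo, 'Admin', $payload));      // null: the quote is escaped
var_dump(login_prepared($pdo, 'Admin', $payload));     // null: the value never touches the SQL
var_dump(login_prepared($pdo, 'Corbin', 'password'));  // a real login still works
var_dump(validate_username($payload));                 // null: quote and spaces fail the allow-list
var_dump(validate_username('Corbin'));                 // 'Corbin'
```

Run it with `php example.php`. The vulnerable function hands back the first user_id in the table for the payload because the WHERE clause collapses to `... OR 1=1`, while both the escaped and the prepared versions return null, and the legitimate Corbin/password login still succeeds through the prepared statement. Validation is a separate layer: it rejects the payload before any query runs, which is why PhREEEk's advice and the escaping advice are complementary rather than alternatives.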