
insert data safely into MySQL database. (PHP)


7 replies to this topic

#1 jasonc

jasonc
  • Members
  • PipPipPip
  • Advanced Member
  • 841 posts

Posted 09 May 2006 - 10:26 PM

MySQL Injection is something I have been told to think about.

Please can someone give me something more than what I have seen on the net, not got a clue where to look!!

I know that inserting data without checking it first is a no-no.

But how? I want to check that the email address IS an email address and that the person's name is letters from a-z or A-Z, and that's it really. All the other info that will go in the DB will be from pull-down menu lists, so that should be safe to go straight in?

Do I just do a search of the characters entered in each field to check that they are from A-Z or a-z and 1-9?
Or is there still more I have to think about?

Thanks in advance for your help.


#2 Caesar

Caesar
  • Members
  • PipPipPip
  • Advanced Member
  • 1,025 posts

Posted 09 May 2006 - 11:06 PM

Another thing to consider, is to make sure the script with the connection to MySQL is local.

Something like:

<?php
// Only run the database code when the request arrived at the expected host
if ($_SERVER['SERVER_NAME'] == "www.yourdomain.com") {
    // DB Connection Here
} else {
    echo 'No Worky.';
    exit;
}
?>

Of course that is not a solution, as someone could be executing scripts from within your domain. But it is another base to cover.
PHP Ninja

#3 jasonc

jasonc
  • Members
  • PipPipPip
  • Advanced Member
  • 841 posts

Posted 10 May 2006 - 07:50 AM

'local'?

That's a new one on me!!

Never even thought of that one. CHEERS.


Execute scripts from within my domain? How? I thought only I could do that. Or do you mean that if someone tries, let's say,
www.site.com/scripts/addentrytodatabase.php
to run a script on its own?

If so, I have thought of that. I have created many scripts, all in a different file, all with ambiguous names!!

Or is there another way it can be done?


Also, how do I actually check that the text they typed in is letters and numbers only?
Is there an easy way to check?


Thanks

#4 448191

448191
  • Staff Alumni
  • Advanced Member
  • 3,545 posts
  • LocationNetherlands

Posted 10 May 2006 - 10:14 AM

SQL injection can be prevented by using common sense.

Like you already said: always distrust any external data. Validate everything.

Example:
mysql_query('SELECT username FROM users ORDER BY username ' . $_GET['ORDER']);

This is very, very wrong. You just assume there is no malicious data in there.

Exploit:
script.php?order=desc; DROP TABLE users

Yes, that will drop the table 'users'...

Always validate ALL external data!
if ($_GET['ORDER'] !== 'desc' && $_GET['ORDER'] !== 'asc') {
    // Not one of the two allowed keywords: refuse to run the query
    trigger_error('SQL injection attempt!', E_USER_ERROR);
} else {
    mysql_query('SELECT username FROM users ORDER BY username ' . $_GET['ORDER']);
}

Another important note:

When accessing / comparing values, let mysql know you're expecting VALUES!
Example:
mysql_query('SELECT level FROM users WHERE username = ' . $_POST['username'] . ' AND psw = ' . $_POST['psw']);

Argh! I can just attach something to the query!
I just create a simple script, setting the targeted script as action. I then send the username I want and $_POST['psw'], containing "anything OR 1=1".

I can login as anyone I like now!*

The above exploit could be prevented by using quotes (you're expecting a value, not a keyword):
mysql_query('SELECT level FROM users WHERE username = "' . $_POST['username'] . '" AND psw = "' . $_POST['psw'] . '"');

SELECT `level` FROM users WHERE username = "448191" AND psw = "anything OR 1=1";
Won't get you logged in!

Also, validate the referrer ($_SERVER['http_referrer']), that'll make it a lot harder to sneak in any $_POST variables...

*EDIT:
Come to think of it: SELECT level FROM users WHERE username = 448191 AND psw = anything OR 1=1 won't get you logged in either: it'll just return all the values of column 'level' in the table!

But you get the idea...
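A hardened version of the two queries from this post, as an added example that is not the poster's code: the sort direction is checked against a whitelist (it cannot be a bound parameter), and the login values are bound as PDO parameters so the driver never parses them as SQL, whatever quotes they contain. It assumes a PDO connection `$pdo` and a table `users(username, psw, level)`; both are hypothetical.

```php
<?php
// Added example (not from the thread): hardened versions of the two queries
// discussed above, using PDO prepared statements. Assumes a PDO connection
// in $pdo and a table users(username, psw, level); both are hypothetical.
declare(strict_types=1);

// 1. ORDER BY direction cannot be a bound parameter, so whitelist it.
function orderedUsernames(PDO $pdo, string $order): array
{
    $allowed = ['asc' => 'ASC', 'desc' => 'DESC'];
    $key = strtolower($order);
    if (!isset($allowed[$key])) {
        // Anything outside the whitelist (e.g. "desc; DROP TABLE users") is refused
        throw new InvalidArgumentException('invalid sort order');
    }
    $stmt = $pdo->query('SELECT username FROM users ORDER BY username ' . $allowed[$key]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Values go in as bound parameters; the driver keeps them out of the SQL
//    grammar, so "anything OR 1=1" is compared literally against the column.
//    (In real code psw should hold a hash and be checked with password_verify().)
function userLevel(PDO $pdo, string $username, string $psw): ?int
{
    $stmt = $pdo->prepare('SELECT level FROM users WHERE username = :u AND psw = :p');
    $stmt->execute([':u' => $username, ':p' => $psw]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['level'];
}

// Usage with the same request data the thread discusses (DSN and credentials are placeholders)
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use server-side prepares
]);
print_r(orderedUsernames($pdo, $_GET['order'] ?? 'asc'));
var_dump(userLevel($pdo, $_POST['username'] ?? '', $_POST['psw'] ?? ''));
```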

#5 redarrow

redarrow
  • Members
  • PipPipPip
  • Advanced Member
  • 7,308 posts
  • Locationlondon

Posted 10 May 2006 - 10:29 AM

Validate email with eregi, OK.

if (!eregi("^[a-z0-9_]+@[a-z0-9\_]+\.[a-z0-9\-\_]+$", $email)) {
    echo "sorry only valid email address allowed";
}



448191
Can you kindly x the Exploit code out please, cheers.
Wish I knew all about PHP. Damn, I will have to learn.
((EMAIL CODE THAT WORKS))
http://simpleforum.ath.cx/mail2.inc
((PAYPAL INTEGRATION THAT WORKS))
http://simpleforum.a...aypal1_info.inc
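An added example (not redarrow's code) that answers the question in post #1 about checking the name and e-mail fields before they go anywhere near the database, using filter_var() and preg_match() because eregi() was removed in PHP 7; the sample inputs are constructed. Validation narrows what reaches MySQL, but the values should still be bound as query parameters rather than concatenated.

```php
<?php
// Added example (not from the thread): validating the two free-text fields
// from the original question. eregi() was removed in PHP 7, so this uses
// filter_var() and preg_match() instead.
declare(strict_types=1);

function isValidEmail(string $email): bool
{
    // filter_var applies PHP's built-in e-mail syntax check; the length
    // cap rejects oversized input before it ever reaches the database.
    return strlen($email) <= 254
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

function isValidName(string $name): bool
{
    // Letters only, as the question asked; single spaces, hyphens and
    // apostrophes are allowed between letters so real names are not rejected.
    return strlen($name) <= 64
        && preg_match("/^[A-Za-z]+(?:[ '-][A-Za-z]+)*$/", $name) === 1;
}

// Constructed test inputs: a clean pair, a bad address, and a name carrying SQL
$cases = [
    ['jason@example.com', 'Jason'],
    ['not an email',      'Jason'],
    ['jason@example.com', "Robert'); DROP TABLE users;--"],
];
foreach ($cases as [$email, $name]) {
    printf("%-20s %-32s %s\n", $email, $name,
        (isValidEmail($email) && isValidName($name)) ? 'accept' : 'reject');
}
```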

#6 448191

448191
  • Staff Alumni
  • Advanced Member
  • 3,545 posts
  • LocationNetherlands

Posted 10 May 2006 - 10:46 AM

Quote (redarrow @ May 10 2006, 05:29 AM):
> 448191
> Can you kindly x the Exploit code out please, cheers.

That was a typo and I was still editing, chill out. Running for mod or what?


#7 redarrow

redarrow
  • Members
  • PipPipPip
  • Advanced Member
  • 7,308 posts
  • Locationlondon

Posted 10 May 2006 - 10:54 AM

Quote (448191 @ May 10 2006, 10:46 AM):
> That was a typo and I was still editing, chill out. Running for mod or what?

Sorry for asking.

#8 448191

448191
  • Staff Alumni
  • Advanced Member
  • 3,545 posts
  • LocationNetherlands

Posted 10 May 2006 - 10:57 AM

That's okay, just give people a break. I feel I do a lot to make my posts readable, like using caps when required...



