sql injections

  • kit
  • Born
  • Born
  • kit
  • Posts: 1
  • Loc: South Africa

Post 3+ Months Ago

Hey,
I am new to MySql and I was wondering how to prevent sql attacks. Would mysql_real_escape_string help? If so, where exactly should I insert it into a script?

Sorry if this question sounds silly, but I’m really new to this.
  • Anonymous
  • Bot
  • No Avatar
  • Posts: ?
  • Loc: Ozzuland
  • Status: Online

Post 3+ Months Ago

  • PolishHurricane
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 1585

Post 3+ Months Ago

http://us.php.net/mysql_real_escape_string
and scroll down to "Example #3 A "Best Practice" query", it's not really a BEST BEST practice but it's good enough.

A tip, to instantly secure half of your input, just intval() all integers. That will solve half your problems. You don't have to escape them any other way.

This is probably better to use on your input instead of the clutter of the conditional statement with "if(get_magic_quotes_gpc())":

Code: [ Select ]
 
function SmartRemoveSlashes($value='')
{
//This function removes slashes placed there by PHP so you can do your own string escaping, and attempts to remove them off of arrays, It's pretty reliable though
return (get_magic_quotes_gpc()) ? (is_array($value) ? array_map("stripslashes", $value) : stripslashes($value)) : $value;
}
 
$name = SmartRemoveSlashes($_REQUEST['name']);
 
  1.  
  2. function SmartRemoveSlashes($value='')
  3. {
  4. //This function removes slashes placed there by PHP so you can do your own string escaping, and attempts to remove them off of arrays, It's pretty reliable though
  5. return (get_magic_quotes_gpc()) ? (is_array($value) ? array_map("stripslashes", $value) : stripslashes($value)) : $value;
  6. }
  7.  
  8. $name = SmartRemoveSlashes($_REQUEST['name']);
  9.  


I believe they are entirely removing magic quotes in PHP6 though.
  • moniqu
  • Novice
  • Novice
  • moniqu
  • Posts: 32

Post 3+ Months Ago

Here's a whitepaper about SQL injections
http://www.securiteam.com/securityrevie ... 1P76E.html

and some more papers:

SQL Injection Attacks and Some Tips on How to Prevent Them
http://www.codeproject.com/KB/database/ ... tacks.aspx

Preventing SQL Injection Attacks
http://www.wwwcoder.com/main/parentid/2 ... fault.aspx

Prevent SQL injection by hardening code
http://searchsqlserver.techtarget.com/t ... 66,00.html
  • Nightslyr
  • Proficient
  • Proficient
  • Nightslyr
  • Posts: 283

Post 3+ Months Ago

PolishHurricane wrote:
http://us.php.net/mysql_real_escape_string
and scroll down to "Example #3 A "Best Practice" query", it's not really a BEST BEST practice but it's good enough.

A tip, to instantly secure half of your input, just intval() all integers. That will solve half your problems. You don't have to escape them any other way.

This is probably better to use on your input instead of the clutter of the conditional statement with "if(get_magic_quotes_gpc())":

Code: [ Select ]
 
function SmartRemoveSlashes($value='')
{
//This function removes slashes placed there by PHP so you can do your own string escaping, and attempts to remove them off of arrays, It's pretty reliable though
return (get_magic_quotes_gpc()) ? (is_array($value) ? array_map("stripslashes", $value) : stripslashes($value)) : $value;
}
 
$name = SmartRemoveSlashes($_REQUEST['name']);
 
  1.  
  2. function SmartRemoveSlashes($value='')
  3. {
  4. //This function removes slashes placed there by PHP so you can do your own string escaping, and attempts to remove them off of arrays, It's pretty reliable though
  5. return (get_magic_quotes_gpc()) ? (is_array($value) ? array_map("stripslashes", $value) : stripslashes($value)) : $value;
  6. }
  7.  
  8. $name = SmartRemoveSlashes($_REQUEST['name']);
  9.  


I believe they are entirely removing magic quotes in PHP6 though.


Yes, magic quotes will be removed in PHP 6.

I think that using the mysqli extension is actually more beneficial than relying on mysql_real_escape_string and sprintf as a 'best practice.'

First, you can use mysqli in an object oriented manner out of the box. I can't tell you how many times I've seen other people wrap the standard mysql functions in a wrapper class just to give them an OOP flavor.

Second, it relies on prepared statements for type safety. The 'best practice' example you linked to simulated this with sprintf. Mysqli has this functionality built in.

Finally, it automatically escapes all incoming data. You'll never need to use mysql_real_escape_string again.

I wrote a small test script to illustrate mysqli in action. It inserts entered hyperlinks in a database, then displays those already entered. In a real world example, I'd probably use regular expressions to ensure that a legitimate hyperlink was submitted.

Code: [ Select ]
 
<?php
   require_once("data/config.php5");
 
   $mysqli = new mysqli(HOST, USER, PASSWORD, MYDB);
 
   $form = <<<EOF
<html>
<head>
<title>DB test</title>
</head>
 
<body>
<form action="{$_SERVER['PHP_SELF']}" method="post">
Enter URL: <input type="text" name="url" /><br />
<input type="submit" name="submit" value="submit" />
</form>
 
</body>
</html>
 
EOF;
 
   if(isset($_POST['submit']))
   {
      $url = $_POST['url'];
 
      $query = "INSERT INTO urls (url) VALUE (?)";
 
      $stmt = $mysqli->prepare($query);
      $stmt->bind_param("s", $url);
      $stmt->execute();
      $stmt->close();
 
      $query = "SELECT url from urls";
 
      $stmt = $mysqli->prepare($query);
      $stmt->execute();
      $stmt->bind_result($link);
 
      $resultOutput = "URL's: <br />";
 
      while($stmt->fetch())
      {
         $resultOutput .= "$link <br />";
      }
 
      $stmt->close();
      $resultOutput .= "<br /><br />";
   }
 
   echo $form;
 
   if($resultOutput)
   {
      echo $resultOutput;
   }
 
   $mysqli->close();
?>
  1.  
  2. <?php
  3.    require_once("data/config.php5");
  4.  
  5.    $mysqli = new mysqli(HOST, USER, PASSWORD, MYDB);
  6.  
  7.    $form = <<<EOF
  8. <html>
  9. <head>
  10. <title>DB test</title>
  11. </head>
  12.  
  13. <body>
  14. <form action="{$_SERVER['PHP_SELF']}" method="post">
  15. Enter URL: <input type="text" name="url" /><br />
  16. <input type="submit" name="submit" value="submit" />
  17. </form>
  18.  
  19. </body>
  20. </html>
  21.  
  22. EOF;
  23.  
  24.    if(isset($_POST['submit']))
  25.    {
  26.       $url = $_POST['url'];
  27.  
  28.       $query = "INSERT INTO urls (url) VALUE (?)";
  29.  
  30.       $stmt = $mysqli->prepare($query);
  31.       $stmt->bind_param("s", $url);
  32.       $stmt->execute();
  33.       $stmt->close();
  34.  
  35.       $query = "SELECT url from urls";
  36.  
  37.       $stmt = $mysqli->prepare($query);
  38.       $stmt->execute();
  39.       $stmt->bind_result($link);
  40.  
  41.       $resultOutput = "URL's: <br />";
  42.  
  43.       while($stmt->fetch())
  44.       {
  45.          $resultOutput .= "$link <br />";
  46.       }
  47.  
  48.       $stmt->close();
  49.       $resultOutput .= "<br /><br />";
  50.    }
  51.  
  52.    echo $form;
  53.  
  54.    if($resultOutput)
  55.    {
  56.       echo $resultOutput;
  57.    }
  58.  
  59.    $mysqli->close();
  60. ?>
  • PolishHurricane
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 1585

Post 3+ Months Ago

http://us2.php.net/manual/en/mysqli.rea ... string.php
  • Nightslyr
  • Proficient
  • Proficient
  • Nightslyr
  • Posts: 283

Post 3+ Months Ago

PolishHurricane wrote:
http://us2.php.net/manual/en/mysqli.real-escape-string.php


Using prepared statements with mysqli automatically escapes incoming values. The real_escape_string function is there for those who don't want to use prepared statements.

EDIT: See this link: http://dev.mysql.com/tech-resources/art ... ments.html

The first big paragraph in the Why Use Prepared Statements? section discusses this.
  • PolishHurricane
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 1585

Post 3+ Months Ago

Nightslyr wrote:
PolishHurricane wrote:
http://us2.php.net/manual/en/mysqli.real-escape-string.php


Using prepared statements with mysqli automatically escapes incoming values. The real_escape_string function is there for those who don't want to use prepared statements.

EDIT: See this link: http://dev.mysql.com/tech-resources/art ... ments.html

The first big paragraph in the Why Use Prepared Statements? section discusses this.


I know this, I'm not the one asking questions...
  • bastones
  • Novice
  • Novice
  • bastones
  • Posts: 19

Post 3+ Months Ago

Instead of people giving you advice that you won't even grasp from day one, you simply use that function enclosing the $_POST['name'] superglobal. For example, if you have a textfield: <input type="text" name="name" /> you'd do the following:

Code: [ Select ]
<?php
$message=mysql_real_escape_string($_POST['name']);
$query=mysql_query("SELECT.."); // etc
?>
  1. <?php
  2. $message=mysql_real_escape_string($_POST['name']);
  3. $query=mysql_query("SELECT.."); // etc
  4. ?>


...this would add slashes to quotations such as \' and \" which prevents SQL comments (just like // PHP comments) from going through the MySQL query.

Post Information

  • Total Posts in this topic: 8 posts
  • Users browsing this forum: No registered users and 8 guests
  • You cannot post new topics in this forum
  • You cannot reply to topics in this forum
  • You cannot edit your posts in this forum
  • You cannot delete your posts in this forum
  • You cannot post attachments in this forum
 
 

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.