sql injections

kit
Born
Joined: Oct 18, 2008
Posts: 1
Loc: South Africa
Status: Offline

October 18th, 2008, 12:19 pm

Hey,
I am new to MySql and I was wondering how to prevent sql attacks. Would mysql_real_escape_string help? If so, where exactly should I insert it into a script?

Sorry if this question sounds silly, but I’m really new to this.

Anonymous
Bot
- www.ozzu.com
Joined: 25 Feb 2008
Posts: ?
Loc: Ozzuland
Status: Online

October 18th, 2008, 12:19 pm

PolishHurricane
Mastermind
Joined: Feb 17, 2005
Posts: 1585
Status: Offline

October 18th, 2008, 12:48 pm

http://us.php.net/mysql_real_escape_string
and scroll down to "Example #3 A "Best Practice" query", it's not really a BEST BEST practice but it's good enough.

A tip, to instantly secure half of your input, just intval() all integers. That will solve half your problems. You don't have to escape them any other way.

This is probably better to use on your input instead of the clutter of the conditional statement with "if(get_magic_quotes_gpc())":

Code: [ Select ]

function SmartRemoveSlashes($value='')
{
//This function removes slashes placed there by PHP so you can do your own string escaping, and attempts to remove them off of arrays, It's pretty reliable though
return (get_magic_quotes_gpc()) ? (is_array($value) ? array_map("stripslashes", $value) : stripslashes($value)) : $value;
}

$name = SmartRemoveSlashes($_REQUEST['name']);

function SmartRemoveSlashes($value='')
{
//This function removes slashes placed there by PHP so you can do your own string escaping, and attempts to remove them off of arrays, It's pretty reliable though
return (get_magic_quotes_gpc()) ? (is_array($value) ? array_map("stripslashes", $value) : stripslashes($value)) : $value;
}
$name = SmartRemoveSlashes($_REQUEST['name']);

I believe they are entirely removing magic quotes in PHP6 though.

There's no place like 127.0.0.1, badass part is now it's ::1

moniqu
Novice
Joined: Oct 23, 2008
Posts: 32
Status: Offline

October 25th, 2008, 5:59 am

Here's a whitepaper about SQL injections
http://www.securiteam.com/securityrevie ... 1P76E.html

and some more papers:

SQL Injection Attacks and Some Tips on How to Prevent Them
http://www.codeproject.com/KB/database/ ... tacks.aspx

Preventing SQL Injection Attacks
http://www.wwwcoder.com/main/parentid/2 ... fault.aspx

Prevent SQL injection by hardening code
http://searchsqlserver.techtarget.com/t ... 66,00.html

Nightslyr
Proficient
Joined: Sep 21, 2005
Posts: 274
Status: Offline

October 29th, 2008, 11:04 am

PolishHurricane wrote:

Code: [ Select ]

function SmartRemoveSlashes($value='')
{
//This function removes slashes placed there by PHP so you can do your own string escaping, and attempts to remove them off of arrays, It's pretty reliable though
return (get_magic_quotes_gpc()) ? (is_array($value) ? array_map("stripslashes", $value) : stripslashes($value)) : $value;
}
$name = SmartRemoveSlashes($_REQUEST['name']);

I believe they are entirely removing magic quotes in PHP6 though.

Yes, magic quotes will be removed in PHP 6.

I think that using the mysqli extension is actually more beneficial than relying on mysql_real_escape_string and sprintf as a 'best practice.'

First, you can use mysqli in an object oriented manner out of the box. I can't tell you how many times I've seen other people wrap the standard mysql functions in a wrapper class just to give them an OOP flavor.

Second, it relies on prepared statements for type safety. The 'best practice' example you linked to simulated this with sprintf. Mysqli has this functionality built in.

Finally, it automatically escapes all incoming data. You'll never need to use mysql_real_escape_string again.

I wrote a small test script to illustrate mysqli in action. It inserts entered hyperlinks in a database, then displays those already entered. In a real world example, I'd probably use regular expressions to ensure that a legitimate hyperlink was submitted.

Code: [ Select ]

<?php
require_once("data/config.php5");

$mysqli = new mysqli(HOST, USER, PASSWORD, MYDB);

$form = <<<EOF
<html>
<head>
<title>DB test</title>
</head>

<body>
<form action="{$_SERVER['PHP_SELF']}" method="post">
Enter URL: <input type="text" name="url" /><br />
<input type="submit" name="submit" value="submit" />
</form>

</body>
</html>

EOF;

if(isset($_POST['submit']))
{
$url = $_POST['url'];

$query = "INSERT INTO urls (url) VALUE (?)";

$stmt = $mysqli->prepare($query);
$stmt->bind_param("s", $url);
$stmt->execute();
$stmt->close();

$query = "SELECT url from urls";

$stmt = $mysqli->prepare($query);
$stmt->execute();
$stmt->bind_result($link);

$resultOutput = "URL's: <br />";

while($stmt->fetch())
{
$resultOutput .= "$link <br />";
}

$stmt->close();
$resultOutput .= "<br /><br />";
}

echo $form;

if($resultOutput)
{
echo $resultOutput;
}

$mysqli->close();
?>

<?php
require_once("data/config.php5");
$mysqli = new mysqli(HOST, USER, PASSWORD, MYDB);
$form = <<<EOF
<html>
<head>
<title>DB test</title>
</head>
<body>
<form action="{$_SERVER['PHP_SELF']}" method="post">
Enter URL: <input type="text" name="url" /><br />
<input type="submit" name="submit" value="submit" />
</form>
</body>
</html>
EOF;
if(isset($_POST['submit']))
{
$url = $_POST['url'];
$query = "INSERT INTO urls (url) VALUE (?)";
$stmt = $mysqli->prepare($query);
$stmt->bind_param("s", $url);
$stmt->execute();
$stmt->close();
$query = "SELECT url from urls";
$stmt = $mysqli->prepare($query);
$stmt->execute();
$stmt->bind_result($link);
$resultOutput = "URL's: <br />";
while($stmt->fetch())
{
$resultOutput .= "$link <br />";
}
$stmt->close();
$resultOutput .= "<br /><br />";
}
echo $form;
if($resultOutput)
{
echo $resultOutput;
}
$mysqli->close();
?>

PolishHurricane
Mastermind
Joined: Feb 17, 2005
Posts: 1585
Status: Offline

October 29th, 2008, 3:12 pm

http://us2.php.net/manual/en/mysqli.rea ... string.php

There's no place like 127.0.0.1, badass part is now it's ::1

Nightslyr
Proficient
Joined: Sep 21, 2005
Posts: 274
Status: Offline

October 30th, 2008, 8:35 am

PolishHurricane wrote:

http://us2.php.net/manual/en/mysqli.real-escape-string.php

Using prepared statements with mysqli automatically escapes incoming values. The real_escape_string function is there for those who don't want to use prepared statements.

EDIT: See this link: http://dev.mysql.com/tech-resources/art ... ments.html

The first big paragraph in the Why Use Prepared Statements? section discusses this.

PolishHurricane
Mastermind
Joined: Feb 17, 2005
Posts: 1585
Status: Offline

October 31st, 2008, 11:43 am

Nightslyr wrote:

PolishHurricane wrote:

http://us2.php.net/manual/en/mysqli.real-escape-string.php

I know this, I'm not the one asking questions...

There's no place like 127.0.0.1, badass part is now it's ::1

bastones
Novice
Joined: Nov 02, 2008
Posts: 19
Status: Offline

November 2nd, 2008, 6:54 am

Instead of people giving you advice that you won't even grasp from day one, you simply use that function enclosing the $_POST['name'] superglobal. For example, if you have a textfield: <input type="text" name="name" /> you'd do the following:

Code: [ Select ]

<?php
$message=mysql_real_escape_string($_POST['name']);
$query=mysql_query("SELECT.."); // etc
?>

<?php
$message=mysql_real_escape_string($_POST['name']);
$query=mysql_query("SELECT.."); // etc
?>

...this would add slashes to quotations such as \' and \" which prevents SQL comments (just like // PHP comments) from going through the MySQL query.

Page 1 of 1

To Reply to this topic you need to LOGIN or REGISTER. It is free.

Post Information

Total Posts in this topic: 8 posts
Users browsing this forum: No registered users and 3 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

sql injections

Post Information

Sponsored Links

Other Languages

Website Development

Graphics

OS & Hardware

Internet Marketing

Marketplace

Community Area

Ozzu Maintenance

Forum Network

Forum Partners

Other Information