

SQL Injection





speeDemon
So... I've been doing some research with regard to SQL and all there is to it. Actually, in my school as a part of the course we have to study SQL as well, so I thought about spicing things up a bit and trying to learn about vulnerabilities and how to save myself from them, as well as to know what sort of things people can do by attacking your website.

I'm looking forward to getting some input from you guys, and in case you have some good websites or ebooks in mind, please do tell me!
saberlivre
Visit the SQL injection page in wikipedia

http://en.wikipedia.org/wiki/SQL_injection
Fire Boar
I recently found this article and thought it was very good at explaining how a hacker might take advantage of invalid data input. Definitely worth a read.
Josso
Another article here. Good site in general by the way.
pirate
lol SQL injection is easy to do, and fairly easy to protect against
IndirParadise
to protect your page use "mysql_real_escape_string": HERE

Code:
string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )


SQL injection is easy to do, but very destructive.
Fire Boar
IndirParadise wrote:
to protect your page use "mysql_real_escape_string": HERE

Code:
string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )


SQL injection is easy to do, but very destructive.


Don't be complacent. The following PHP code is quite vulnerable to SQL injection.

Code:
// Escaping only neutralises quote characters; this value is spliced into the query unquoted
$friends = mysql_real_escape_string($_GET['min_friends']);
$result = mysql_query("SELECT * FROM users WHERE num_friends >= $friends");


Honestly, the best way of avoiding SQL injection and a step towards writing better code is using the PDO PHP library, which comes standard in PHP 5.1 or higher, and is integrated with PHP by 5.3. If you're using one of these versions, there's really no excuse not to use PDO over mysql_* functions.

The idea is to use prepared statements when any of the data is unknown. You'd prepare a generic statement with placeholders for all user input data, then execute it with the input data as arguments. PDO will then properly escape everything, and the code looks that much neater. Plus, if you need to execute the same query again but with different parameters, you can often take advantage of some advanced database optimization features, with no additional effort. See PDO::prepare on php.net for some examples of using prepared statements.
codersfriend
just enable the magic quotes in your php.ini to avoid insertion of quotes on forms

it automatically converts ' into \'
Fire Boar
codersfriend wrote:
just enable the magic quotes in your php.ini to avoid insertion of quotes on forms

it automatically converts ' into \'


Nope. That's worse than a manual mysql_real_escape_string - you have no control. Also, my query example is vulnerable to injection even with magic quotes enabled.
adsmail27
example:
User: hack' OR 1=1 --
Pass = none

then

SELECT * FROM users WHERE username='$user' AND password='$pass'
SELECT * FROM users WHERE username='hack' OR 1=1 --' AND password='none'
Fire Boar
adsmail27 wrote:
example:
User: hack' OR 1=1 --
Pass = none

then

SELECT * FROM users WHERE username='$user' AND password='$pass'
SELECT * FROM users WHERE username='hack' OR 1=1 --' AND password='none'


This is one of the types of injection that mysql_real_escape_string does protect against.

In my example above however, an apostrophe isn't needed for the injection: a number is expected as input, so if $_GET['min_friends'] == "1; DROP TABLE users; --" - there are no quotes or "unsafe characters" at all, so mysql_real_escape_string leaves the input untouched.
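Putting both of Fire Boar's points into code, as an added example that is not from any poster in this thread: the numeric query with type validation plus an integer-bound PDO placeholder, and adsmail27's login query with the username bound and the password checked in PHP with password_verify (PHP 5.5+). It uses an in-memory SQLite database (assumes the pdo_sqlite driver) so it runs stand-alone; the DSN is a placeholder for a real MySQL connection.

```php
<?php
// Added example, not code from the thread. In-memory SQLite stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Ask for real server-side prepares so values are never spliced into the SQL text.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed sample data.
$pdo->exec('CREATE TABLE users (username TEXT, pw_hash TEXT, num_friends INTEGER)');
$ins = $pdo->prepare('INSERT INTO users VALUES (:u, :h, :n)');
$ins->execute([':u' => 'alice', ':h' => password_hash('s3cret', PASSWORD_DEFAULT), ':n' => 5]);
$ins->execute([':u' => 'bob',   ':h' => password_hash('hunter2', PASSWORD_DEFAULT), ':n' => 1]);

// Fire Boar's numeric case: no quotes are involved, so escaping cannot help.
// Validate the type first, then bind the value as an integer.
function usersWithAtLeast(PDO $pdo, $rawMin)
{
    $min = filter_var($rawMin, FILTER_VALIDATE_INT);
    if ($min === false) {
        return [];   // "1; DROP TABLE users; --" is not an integer: rejected before any SQL runs
    }
    $stmt = $pdo->prepare('SELECT username FROM users WHERE num_friends >= :min');
    $stmt->bindValue(':min', $min, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// adsmail27's login case: the username is a bound parameter, so "hack' OR 1=1 --" is
// compared as a plain string against the column; the password never reaches SQL at all.
function login(PDO $pdo, $user, $pass)
{
    $stmt = $pdo->prepare('SELECT pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($pass, $hash);
}

// A valid number, then the payload from Fire Boar's post.
var_dump(usersWithAtLeast($pdo, '3'));
var_dump(usersWithAtLeast($pdo, '1; DROP TABLE users; --'));
// The payload from adsmail27's post, then a genuine login.
var_dump(login($pdo, "hack' OR 1=1 --", 'none'));
var_dump(login($pdo, 'alice', 's3cret'));
```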
Navigator
How about using a db abstraction layer instead of using the raw php functions? Maybe through a framework, which in most cases, already have a sort of protection against this issue.
softwarefreak
Wow, thanks for the info guys.
© 2005-2011 Frihost, forums powered by phpBB.