testing submitted data for SQL injection attacks

lightworker88
Does anyone know where to get the source code for the validation functions called here in "test_input"? It is used to test data for the purpose of dealing with SQL injection attacks. For instance the single quote character has meaning within an SQL statement yet is used for contractions and as a possessive indicator. Apparently, a backslash is added before it in some functions, but htmlspecialchars converts it to "&#039"? So does "&" have any meaning in an SQL statement?

Code:
<?php
function test_input($data) {
  $data = trim($data);                     // strip leading/trailing whitespace
  $data = stripslashes($data);             // remove backslashes
  $data = htmlspecialchars($data);         // HTML-encode < > & " (and ' with ENT_QUOTES)
  $data = mysql_real_escape_string($data); // backslash-escape for a MySQL string literal; needs an open connection
  $data = escapeshellcmd($data);           // backslash-escape shell metacharacters, including & and #
  return $data;
}
?>


The first 3 are from http://www.w3schools.com/php/php_form_validation.asp, about halfway down the page. I kept the same function name, so you can do a word search for it.

A number of sources suggest mysql_real_escape_string() or mysqli_real_escape_string().

I get escapeshellcmd() from http://php.net/manual/en/function.escapeshellcmd.php. If I can determine definitively that shell commands cannot be called from user inputs then I would not use it, but I want to confirm this eight ways from Sunday.
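To see what the chain above actually does to a legitimate value, and what the alternative looks like, here is an added example (not code from the thread or from w3schools). It assumes PHP with the pdo_sqlite extension; the in-memory SQLite database and the sample names are constructed stand-ins, and the PDO calls are the same against a MySQL DSN.

```php
<?php
// Added example (not from the thread): the escape chain of test_input()
// above, next to a prepared statement. Assumes PHP with the pdo_sqlite
// extension; the in-memory SQLite database stands in for MySQL and the
// PDO calls are identical against a MySQL DSN.

// 1. What the chain does to a harmless value. mysql_real_escape_string() is
//    omitted because it needs an open MySQL connection; ENT_QUOTES is passed
//    explicitly so the apostrophe is converted on every PHP version.
$raw = "O'Brien";                                   // constructed sample input
$afterHtml  = htmlspecialchars(stripslashes(trim($raw)), ENT_QUOTES, 'UTF-8');
$afterShell = escapeshellcmd($afterHtml);
// $afterHtml now carries an HTML entity in place of the apostrophe, and
// escapeshellcmd() has put backslashes before the &, # and ; of that entity:
// the string that would reach the database is no longer the name typed in.
printf("typed: %s\nhtml-escaped: %s\nshell-escaped: %s\n", $raw, $afterHtml, $afterShell);

// 2. Store the raw value with a prepared statement instead.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

function addUser(PDO $db, string $name): void
{
    // $name is bound as a parameter, never spliced into the SQL text, so a
    // quote, semicolon or keyword inside it carries no SQL meaning.
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

function findUser(PDO $db, string $name): ?string
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['name'];
}

addUser($db, $raw);
addUser($db, "x'; DROP TABLE users; --");  // stored as plain text; the table survives

// The value round-trips unchanged. Escape only when rendering, for the
// context it is rendered into (here HTML), not when storing.
$stored = findUser($db, $raw);
printf("stored: %s\nfor html: %s\n", $stored, htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'));
```

The "&" in "&#039;" has no meaning to SQL; the problem with the chain is that it applies HTML and shell escaping to data that is only ever going to a database, so the stored value is corrupted while the SQL risk is handled by parameter binding anyway.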
jajarvin
Nice job!
The command escapeshellcmd is new to me.

Here is an example of its use, "Example #1 escapeshellcmd() example" from the manual:

Code:

<?php
// We allow arbitrary number of arguments intentionally here.
$command = './configure '.$_POST['configure_options'];

$escaped_command = escapeshellcmd($command);
 
system($escaped_command);
?>



And a warning for the user of this escapeshellcmd command:
http://php.net/manual/en/function.escapeshellcmd.php wrote:
escapeshellcmd() should be used on the whole command string, and it still allows the attacker to pass arbitrary number of arguments. For escaping a single argument escapeshellarg() should be used instead.
jmraker
For SQL injection attack detection I'd use this on every $_GET and $_POST value; it returns true if the string $str looks like it contains a dangerous SQL statement.

Also, it's a good idea to log every mysql_query error into a log file or database table that contains:
- The statement it tried to execute
- The mysql_error value
- The current time
- The IP number of the remote user
- The program name
- The debug_trace formatted as a string
- The $_GET and $_POST values passed
That way you'll be aware of database problems and be able to figure out where SQL injection attacks are a problem, how to fix it, and verify that it is fixed.

Code:
// Returns true if $str (or any element of a nested array) contains a ';'
// followed by one of the SQL statement patterns below.
function injectionTest($str){
   if(is_array($str)){
      foreach($str as $str2){
         if(injectionTest($str2))
            return true;
      }
      return false;
   }
   if(strpos($str, ';') !== false){
      $fnds = array();
      $fnds[] = '/;\s*?drop(\s+?|\s+?online\s+?|\s+?offline\s+?)index\s/i';
      $fnds[] = '/;\s*?drop(\s+?|\s+?temporary\s+?)table\s/i';
      $fnds[] = '/;\s*?drop\s+(database|schema|event|function|procedure|logfile|server|tablespace|trigger|view)\s/i';
      $fnds[] = '/;\s*?select.*?(from|into)\s/i';
      $fnds[] = '/;\s*?select.*?load_file(.*?)/i';
      $fnds[] = '/;\s*?update\s+?set\s/i';
      $fnds[] = '/;\s*?update.*?load_file/i';
      $fnds[] = '/;\s*?replace.*?(values|value|set|select)\s/i';
      $fnds[] = '/;\s*?delete.*?from\s/i';
      $fnds[] = '/;\s*?insert.*?into.*?(set|values|value|select)\s/i';
      $fnds[] = '/;\s*?alter\s+(database|schema|logfile|function|procedure|server|tablespace)\s/i';
      $fnds[] = '/;\s*?alter(\s+|\s+definer.*?)event\s/i';
      $fnds[] = '/;\s*?alter(\s+|\s+online\s+|\s+offline\s+|)(\s?|\s?ignore\s+|)table\s/i';
      $fnds[] = '/;\s*?alter.*?view\s/i';
      $fnds[] = '/;\s*?rename\s+(table|database|schema)\s/i';
      $fnds[] = '/;\s*?create\s+(database|schema|logfile|server)\s/i';
      $fnds[] = '/;\s*?create(\s+|\s+AGGREGATE\s+)function\s/i';
      $fnds[] = '/;\s*?create(\s+|\s+temporary\s+|\s+definer.*?)(event|procedure|table|trigger)\s/i';
      $fnds[] = '/;\s*?create(\s+|\s+online\s+|\s+offline\s+|)(\s?|\s?unique\s+|\s?fulltext\s+|\s?spatial\s+|)index\s/i';
      foreach($fnds as $fnd){
         if(preg_match($fnd, $str))
            return true;
      }
   }
   return false;
}


Code:
$ret = false;
if(injectionTest($_GET))
   $ret = true;
if(injectionTest($_POST))
   $ret = true;
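The logging advice in this post, as an added example that is not jmraker's code: a query wrapper that writes every failed query with the fields listed above. It assumes PDO with exceptions enabled and a writable log path; the in-memory SQLite database is a constructed stand-in for MySQL, and getTraceAsString() stands in for a formatted debug trace.

```php
<?php
// Added example (not jmraker's code): a query wrapper that records, for every
// failed query, the fields listed above. Assumes PDO with exceptions enabled
// and a writable log path; an in-memory SQLite database stands in for MySQL
// and getTraceAsString() stands in for a formatted debug trace.
function runQuery(PDO $db, string $sql, array $params, string $logFile): PDOStatement
{
    try {
        $stmt = $db->prepare($sql);
        $stmt->execute($params);
        return $stmt;
    } catch (PDOException $e) {
        $entry = [
            'time'      => date('c'),
            'ip'        => $_SERVER['REMOTE_ADDR'] ?? 'cli',
            'script'    => $_SERVER['SCRIPT_NAME'] ?? 'cli',
            'statement' => $sql,
            'params'    => $params,
            'error'     => $e->getMessage(),
            'trace'     => $e->getTraceAsString(),
            'get'       => $_GET,
            'post'      => $_POST,
        ];
        // One JSON object per line. Request data goes in as JSON values, never
        // interpolated into another query or a shell command, so the log does
        // not become a second injection point. PARTIAL_OUTPUT keeps the entry
        // even if a value is not valid UTF-8.
        $flags = JSON_UNESCAPED_SLASHES | JSON_PARTIAL_OUTPUT_ON_ERROR;
        file_put_contents($logFile, json_encode($entry, $flags) . PHP_EOL, FILE_APPEND | LOCK_EX);
        throw $e;  // the caller still sees the failure
    }
}

// Constructed failure to show an entry being written: the column does not exist.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$logFile = sys_get_temp_dir() . '/sql_errors.log';
try {
    runQuery($db, 'SELECT nam FROM users WHERE name = :n', [':n' => "O'Brien"], $logFile);
} catch (PDOException $e) {
    echo file_get_contents($logFile);
}
```

Because the wrapper only ever passes user values as bound parameters, a logged error that contains a SQL fragment in 'get' or 'post' is an attempt worth investigating, not a query that ran.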
jajarvin
I found some nice rules for the prevention of XSS:

Code:
 2 XSS Prevention Rules
        2.1 RULE #0 - Never Insert Untrusted Data Except in Allowed Locations
        2.2 RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content
        2.3 RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
        2.4 RULE #3 - JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
            2.4.1 RULE #3.1 - HTML escape JSON values in an HTML context and read the data with JSON.parse
                2.4.1.1 JSON entity encoding
                2.4.1.2 HTML entity encoding
        2.5 RULE #4 - CSS Escape And Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values
        2.6 RULE #5 - URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values
        2.7 RULE #6 - Sanitize HTML Markup with a Library Designed for the Job
        2.8 RULE #7 - Prevent DOM-based XSS
        2.9 Bonus Rule #1: Use HTTPOnly cookie flag
        2.10 Bonus Rule #2: Implement Content Security Policy