FRIHOSTFORUMSFAQTOSBLOGSDIRECTORY
You are invited to Log in or Register a Frihost Account!

protecting mysql databases from sql injection attacks

   Frihost Forum Index -> Scripting -> Php and MySQL
 


siena
Hello everyone....

I've been thinking about protecting mysql databases from sql injection attacks by validating form inputs using regular expressions or anything else.
Has anyone got any example of how a norty person might perform a sql injection attack so i can protect my scripts?
Rhysige
Well for starters if you use hidden values on your form and dont check they come from $_POST then people can tack the values on in the adress with ?value=4 or whatever they want to change it to.
As for actual SQL injection the best way to protect it to put $value_to_go_in_db = mysql_real_escape_string($user_input);
This gets rid of any ' or other characters which will stuff with the queries.
siena
Rhysige wrote:
Well for starters if you use hidden values on your form and dont check they come from $_POST then people can tack the values on in the adress with ?value=4 or whatever they want to change it to.
As for actual SQL injection the best way to protect it to put $value_to_go_in_db = mysql_real_escape_string($user_input);
This gets rid of any ' or other characters which will stuff with the queries.


can you explain what you say... maybe with example
mathiaus
see this page for an explanation and examples Smile
http://uk.php.net/mysql_real_escape_string

Also make sure the method in all your forms is post not get and all your vars are set correctly ( $var = $_POST['var']; )

Any other validation should really only be for making sure it fits its purpose ie. all required form fields are filled, email has @ symbol etc
Ducksteina
For example, this could be a log-in-system:

Code:
$mysql = "SELECT * from user WHERE username='$username' AND password='$password'";


If the user just enters his name and password, everything will be alright. The query would look like:

Code:
$username = 'Hans';
$password = 'test';

$mysql = "SELECT * from user WHERE username='Hans' AND password='test'";


But there's a way to get access even if the password doesn't match the username.

Code:
$username = 'Hans';
$passwort = "' OR '1'='1";

$mysql = "SELECT * from user WHERE username='Hans' AND password='' OR '1'='1'";


'1'='1' is always true -> MysqlData is displayed even with no password!
siena
can you tell me...what can I do now..?
thank for your comment
Rhysige
Using the example similar to above you would do this

The user inputs Hans as their name and test as their password.
Since you should encrypt any password you do not need to escape the password string.
Code:

$username = $_POST['username']; //this says to get from your form
$password = $_POST['password'];

$username = mysql_real_escape_string($username); //here we secure the string

$password = md5($password);

$mysql = "SELECT * from `users` WHERE `username`='$username' AND `password`='$password'";
siena
Rhysige wrote:
Using the example similar to above you would do this

The user inputs Hans as their name and test as their password.
Since you should encrypt any password you do not need to escape the password string.
Code:

$username = $_POST['username']; //this says to get from your form
$password = $_POST['password'];

$username = mysql_real_escape_string($username); //here we secure the string

$password = md5($password);

$mysql = "SELECT * from `users` WHERE `username`='$username' AND `password`='$password'";


I will try your script....
thank for your post...
Reply to topic    Frihost Forum Index -> Scripting -> Php and MySQL

FRIHOST HOME | FAQ | TOS | ABOUT US | CONTACT US | SITE MAP
© 2005-2007 Frihost, forums powered by phpBB.