Hacked by someone (SQL injection)

phicha
Someone told me that he has already hacked my script using SQL injection,
and I wonder how to repair this.


My script is like this below.
Code:
echo $_GET["whisperid"]."<br>";
$string = "select * from data where nomor='".mysql_real_escape_string($_GET["whisperid"])."'";
echo $string;
$query = mysql_query($string, $dbz) or die("my_sql error()");

He hacked it by adding this to the URL:

/engine.php?progess=whspop&whisperid=20%20OR%201=1

The addition is this:
%20OR%201=1

I somehow suspect he doesn't know my SQL structure, or I would be in trouble already.

If I change it a bit to this:

/engine.php?progess=whspop&whisperid=20%20OR%20whisperid=50

then he gets number 50 as well, not only 20; he can get all the numbers.

Is there a way to secure this?


thanks,
RT Cunningham
I suggest you Google for "mysql injection". You'll find numerous articles on how to make sure your query strings are safe.

One piece of advice. Validate your query strings before using them so that injection can never occur. An example is that if your query expects a number, make sure you check for a number... and so on.
phicha
Is there another way, using a simpler function than mysql_real_escape_string, to prevent this?
I am so confused right now; I hope I can solve this immediately.
hexkid
phicha wrote:
My script is like this below.
Code:
echo $_GET["whisperid"]."<br>";
$string = "select * from data where nomor='".mysql_real_escape_string($_GET["whisperid"])."'";
echo $string;
$query = mysql_query($string, $dbz) or die("my_sql error()");

What's the output of the `echo $string;`?

What's the datatype of the `nomor` column?
If it's text, you're doing it right.

If it's numeric, I'd convert $_GET['whisperid'] to a number inside PHP, before sending the query to SQL. Also, the query wouldn't have the single quotes delimiting the number.
Code:
<?php
// $whisperid = (double)$_GET['whisperid'];
$whisperid = (int)$_GET['whisperid'];

// (int)('10 or 20') is 10
// (int)('string_without_digits') is 0
// (double)('10.95 or 20') is 10.95
// (int)('10.95 or 20') is 10

$string = "select * from data where nomor=$whisperid";
?>
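An added example (mine, not code posted by anyone in this thread) that illustrates hexkid's point and shows why the escaping call did not help. mysql_real_escape_string() only escapes characters such as quotes, backslashes and NUL; the decoded payload "20 OR 1=1" contains none of them, so if the number is not wrapped in quotes in the query that actually runs, the payload is inserted unchanged. It goes a little beyond the thread by also showing strict validation with filter_var() and a prepared statement. The table and column names (data, nomor) are from the thread; the function names, the addslashes() stand-in for the escape call (so it runs without a database), the mysqli connection and the rule that an id must be a positive whole number are my assumptions.

```php
<?php
// Added example, not from the thread. Names other than "data" and "nomor" are assumed.

// Mirrors the pattern that produced "select * from data where nomor=25 or 1=1":
// escaping does nothing to "20 OR 1=1", and without quotes around the value the
// injected condition becomes part of the SQL.
function vulnerableQuery(string $raw): string
{
    // addslashes() stands in for mysql_real_escape_string(); both leave this payload alone.
    $escaped = addslashes($raw);
    return "select * from data where nomor=" . $escaped;
}

// Fix 1 (hexkid's suggestion): cast to int before building the SQL.
// "20 OR 1=1" becomes 20 and a string without digits becomes 0.
function castQuery(string $raw): string
{
    $whisperid = (int)$raw;
    return "select * from data where nomor=$whisperid";
}

// Fix 2: reject anything that is not a positive whole number instead of silently
// coercing it, so a tampered request is distinguishable from a lookup for id 0.
function validatedId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Fix 3: a prepared statement, so the value is never spliced into the SQL text.
// Assumes a mysqli connection with mysqlnd (needed for get_result()).
function fetchByWhisperId(mysqli $db, string $raw): ?array
{
    $id = validatedId($raw);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare('select * from data where nomor = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Demonstration with the URL-decoded payload from the thread.
$payload = '20 OR 1=1';
echo vulnerableQuery($payload), "\n";
echo castQuery($payload), "\n";
var_dump(validatedId($payload));
var_dump(validatedId('20'));
```

Running the demonstration shows the first query still carrying "OR 1=1", the cast version reduced to nomor=20, and the validated id rejecting the payload while accepting a plain "20". The prepared statement is the option to prefer where the driver allows it, since it keeps the value out of the query string entirely.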
phicha
hexkid wrote:
phicha wrote:
My script is like this below.
Code:
echo $_GET["whisperid"]."<br>";
$string = "select * from data where nomor='".mysql_real_escape_string($_GET["whisperid"])."'";
echo $string;
$query = mysql_query($string, $dbz) or die("my_sql error()");


What's the output of the `echo $string;`?

What's the datatype of the `nomor` column?
If it's text, you're doing it right.

If it's numeric, I'd convert $_GET['whisperid'] to a number inside PHP, before sending the query to SQL. Also, the query wouldn't have the single quotes delimiting the number.
Code:
<?php
// $whisperid = (double)$_GET['whisperid'];
$whisperid = (int)$_GET['whisperid'];

// (int)('10 or 20') is 10
// (int)('string_without_digits') is 0
// (double)('10.95 or 20') is 10.95
// (int)('10.95 or 20') is 10

$string = "select * from data where nomor=$whisperid";
?>



Thanks, it helped me very much. I don't know why
the string output became like this:

Code:
select * from data where nomor=25 or 1=1


but I have already converted the input to an integer. Thanks a lot!
JBotAlan
I'm not sure if your problem was solved, but I learned something from this--I had to look up what MySQL Injection was, and I learned about it.

http://www.netlobo.com/preventing_mysql_injection.html

That site explains it. Since I've been tinkering with MySQL for about 2-3 weeks now, I understand how serious MySQL injection could be and I will make sure to watch out for it in the future.

JBot
phicha
Thanks for the link,
it helped me very much.
© 2005-2011 Frihost, forums powered by phpBB.