FRIHOSTFORUMSFAQTOSBLOGSDIRECTORY
You are invited to Log in or Register a Frihost Account!

Hacked by someone sql Injection

   Frihost Forum Index -> Scripting -> Php and MySQL
 


phicha
Someone told me that he had hack my script already using sql injection,
i wonder how to repair this thing,


myscript is like this below.
Code:
      

echo $_GET["whisperid"]."<br>";
      $string="select * from data  where  nomor='".mysql_real_escape_string($_GET["whisperid"])."'";
      echo $string;
      $query = mysql_query($string,$dbz) or die("my_sql error()");


he hacked by adding in URL like this

/engine.php?progess=whspop&whisperid=20%20OR%201=1

the addition is this
%20OR%201=1

i am somehow suggest him don;t know my sql structure, or i will be in trouble already.

if i change a bit to like this

/engine.php?progess=whspop&whisperid=20%20OR%20whisperid=50

then he will got the number 50 already not only 20 but he can get all number.

is there a way to secure this thing ?


thanks,
RT Cunningham
I suggest you Google for "mysql injection". You'll find numerous articles on how to make sure your query strings are safe.

One piece of advice. Validate your query strings before using them so that injection can never occur. An example is that if your query expects a number, make sure you check for a number... and so on.
phicha
is there other way where using a simple function other than mysql_real_escape_string to prevent this thing ?
i am so confused right now, i hope can solve this thing immediately.
hexkid
phicha wrote:
myscript is like this below.
Code:
      

echo $_GET["whisperid"]."<br>";
      $string="select * from data  where  nomor='".mysql_real_escape_string($_GET["whisperid"])."'";
      echo $string;
      $query = mysql_query($string,$dbz) or die("my_sql error()");


What's the output of the `echo $string;`?

What's the datatype of the `nomor` column?
If it's text, you're doing it right.

If it's numeric, I'd convert $_GET['whisperid'] to a number inside PHP, before sending the query to SQL. Also, the query wouldn't have the single quotes delimiting the number.
Code:
<?php
// $whisperid = (double)$_GET['whisperid'];
$whisperid = (int)$_GET['whisperid'];

#####################
### (int)('10 or 20') is 10
### (int)('string_without_digits') is 0
### (double)('10.95 or 20') is 10.95
### (int)('10.95 or 20') is 10

$string = "select * from data where nomor=$whisperid";
?>
phicha
hexkid wrote:
phicha wrote:
myscript is like this below.
Code:
      

echo $_GET["whisperid"]."<br>";
      $string="select * from data  where  nomor='".mysql_real_escape_string($_GET["whisperid"])."'";
      echo $string;
      $query = mysql_query($string,$dbz) or die("my_sql error()");


What's the output of the `echo $string;`?

What's the datatype of the `nomor` column?
If it's text, you're doing it right.

If it's numeric, I'd convert $_GET['whisperid'] to a number inside PHP, before sending the query to SQL. Also, the query wouldn't have the single quotes delimiting the number.
Code:
<?php
// $whisperid = (double)$_GET['whisperid'];
$whisperid = (int)$_GET['whisperid'];

#####################
### (int)('10 or 20') is 10
### (int)('string_without_digits') is 0
### (double)('10.95 or 20') is 10.95
### (int)('10.95 or 20') is 10

$string = "select * from data where nomor=$whisperid";
?>



thanks, it's very helped me. i dont know why
the string output become like this

Code:
select * from data where nomor=25 or 1=1


but i convert the input become integer already thanks a lot ! Very Happy
JBotAlan
I'm not sure if your problem was solved, but I learned something from this--I had to look up what MySQL Injection was, and I learned about it.

http://www.netlobo.com/preventing_mysql_injection.html

That site explains it. Since I've been tinkering with MySQL for about 2-3 weeks now, I understand how serious MySQL injection could be and I will make sure to watch out for it in the future.

JBot
phicha
Thanks for the link,
it helped me very much.
Reply to topic    Frihost Forum Index -> Scripting -> Php and MySQL

FRIHOST HOME | FAQ | TOS | ABOUT US | CONTACT US | SITE MAP
© 2005-2007 Frihost, forums powered by phpBB.