Comments on: PHP Security and SQL Injection? http://phparmor.com/php-source-code/php-security-and-sql-injection/ php source code protection Wed, 08 Sep 2010 08:05:11 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: shabbirbhimani http://phparmor.com/php-source-code/php-security-and-sql-injection/comment-page-1/#comment-3911 shabbirbhimani Sat, 20 Mar 2010 17:07:58 +0000 http://phparmor.com/php-source-code/php-security-and-sql-injection/#comment-3911 Before going into the details of preventing the SQL you should know how the hackers go about injecting the SQL and take the data / table name out without knowing much about your database schema and I found this wonderful article about it http://www.go4expert.com/forums/showthread.php?t=11841 It shows you how you can get almost every aspect of data from the database and knowing this helps you protect yourself. I have been checking out my other sites now. Thanks Shabbir http://www.go4expert.com/ Before going into the details of preventing the SQL you should know how the hackers go about injecting the SQL and take the data / table name out without knowing much about your database schema and I found this wonderful article about it

http://www.go4expert.com/forums/showthread.php?t=11841

It shows you how you can get almost every aspect of data from the database and knowing this helps you protect yourself. I have been checking out my other sites now.

Thanks
Shabbir

http://www.go4expert.com/

Report this comment

]]> By: coffeeaddict_uk http://phparmor.com/php-source-code/php-security-and-sql-injection/comment-page-1/#comment-3910 coffeeaddict_uk Sat, 20 Mar 2010 16:11:18 +0000 http://phparmor.com/php-source-code/php-security-and-sql-injection/#comment-3910 What Greigmcl said is right..but just to add, you should 'idiot proof' your scripts by validating ANY user input data you recieve BEFORE you put it into a query. If the data is a number, use is_numeric() function on it to check it. If it isnt, then reject it. If a string is only supposed to have certain characters in, check it only contains those characters using preg_match() or preg_match_all(). http://uk3.php.net/mysql_real_escape_string What Greigmcl said is right..but just to add, you should ‘idiot proof’ your scripts by validating ANY user input data you recieve BEFORE you put it into a query. If the data is a number, use is_numeric() function on it to check it. If it isnt, then reject it.
If a string is only supposed to have certain characters in, check it only contains those characters using preg_match() or preg_match_all().

http://uk3.php.net/mysql_real_escape_string

Report this comment

]]> By: greigmcl http://phparmor.com/php-source-code/php-security-and-sql-injection/comment-page-1/#comment-3909 greigmcl Sat, 20 Mar 2010 15:06:16 +0000 http://phparmor.com/php-source-code/php-security-and-sql-injection/#comment-3909 SQL injection attacks have two objectives. The first is to terminate your sql query and run its own query and the second is to twist you query to give the attacker what he wants. The length of the field being queried/updated is irrelevant, a varchar(10) doesn't give you only 10 characters to attack in because I can rewrite your form in a couple of minutes and once I close out your query I can put in whatever I want. Generally what you need to do is prevent the user from ending your query or messing with it in some way and the function mysql_real_escape_string() was designed to do that. The function's page also has some notes on sql injection and safeguarding queries. http://uk3.php.net/mysql_real_escape_string SQL injection attacks have two objectives. The first is to terminate your sql query and run its own query and the second is to twist you query to give the attacker what he wants. The length of the field being queried/updated is irrelevant, a varchar(10) doesn’t give you only 10 characters to attack in because I can rewrite your form in a couple of minutes and once I close out your query I can put in whatever I want.

Generally what you need to do is prevent the user from ending your query or messing with it in some way and the function mysql_real_escape_string() was designed to do that. The function’s page also has some notes on sql injection and safeguarding queries.

http://uk3.php.net/mysql_real_escape_string

Report this comment

]]> By: drewangell http://phparmor.com/php-source-code/php-security-and-sql-injection/comment-page-1/#comment-3908 drewangell Sat, 20 Mar 2010 14:05:20 +0000 http://phparmor.com/php-source-code/php-security-and-sql-injection/#comment-3908 If you're using Dreamweaver and its tools to connect to your DB it takes care of correctly writing the code to avoid SQL injection. If not, read up http://us2.php.net/security.database.sql-injection My Mind (the Bible) If you’re using Dreamweaver and its tools to connect to your DB it takes care of correctly writing the code to avoid SQL injection.

If not, read up http://us2.php.net/security.database.sql-injection

My Mind (the Bible)

Report this comment

]]> By: just "JR" http://phparmor.com/php-source-code/php-security-and-sql-injection/comment-page-1/#comment-3907 just "JR" Sat, 20 Mar 2010 13:07:41 +0000 http://phparmor.com/php-source-code/php-security-and-sql-injection/#comment-3907 Any field that a user fills on a form that you process to a database CAN include vicious piece of code. To avoid this, you have to check data before inserting (or updating) your tables. Say you have a field "Address" (usually long), set as a "varchar" (100): that 100 characters can be a command! Worse: fields defined as "TEXT". - Before inserting/updating, check these string queries for malicious code, commands etc (words like "insert", "delete", "select", "create", file extensions such as "asm","exe"), or non-texts (ie characters below 0x1F) and reject if you find one. However, don't be too paranoid: if your site is decent, so will be your visitors. Just make an automatic DB backup daily. My Mind (the Bible) Any field that a user fills on a form that you process to a database CAN include vicious piece of code.
To avoid this, you have to check data before inserting (or updating) your tables.
Say you have a field “Address” (usually long), set as a “varchar” (100): that 100 characters can be a command!
Worse: fields defined as “TEXT”.
- Before inserting/updating, check these string queries for malicious code, commands etc (words like “insert”, “delete”, “select”, “create”, file extensions such as “asm”,”exe”), or non-texts (ie characters below 0x1F) and reject if you find one.
However, don’t be too paranoid: if your site is decent, so will be your visitors.
Just make an automatic DB backup daily.

My Mind (the Bible)

Report this comment

]]>