Re: MySql injections....

Don't forget your native database escaping function.  PHP has this one for MySQL, for example:

mysql_real_escape_string()

That should properly escape everything that could be used against MySQL to perform an injection.

There should be some equivalent command in the various database connection routines and abstraction layers. Takes some of the work out of trying to properly escape everything manually.

-TG

= = = Original message = = =

it depends

by having register_globals set to on (server config) it is usually easier to create
a sql-injection exploit, but it is not required. What is true is that a well written script
will defend/sustain such attacks regardless of how the server is configured
(unless configuration is really f*cked up).

Prevention is simply trying to follow a few simple rules:

1. SQL statements that have no PHP variables are NOT vulnerable:
$sql = 'SELECT value FROM values WHERE key = 123';
$db->query($sql);
(nothing vulnerable here)



2. If you do not check what you are putting into SQL statements via
PHP variables - add slashes and put it in quotes:
($key = 123;) - you get this from some kind of form or URI

$key_as = addslashes($key); // you should check if slashes were already added by php (magic_quotes)
// use the escaped copy, not the raw $key, inside the quotes
$sql = "SELECT value FROM values WHERE key = '$key_as'";
$db->query($sql);



3. If you do not put your variable into quotes - check it!
// anchor both ends so the whole value must be digits, and brace the body
// so that exit only runs when the check fails
if (!preg_match('/^[0-9]+\z/', $key)) {
    echo "Hack attempt!"; exit;
}

$sql = "SELECT value FROM values WHERE key = $key";
$db->query($sql);

(if you do not check it, anything can get into your sql statement)


4. All the above assumes you have already assessed potential remote file inclusion vulnerabilities.


Regards,
Bostjan



On Wednesday 11 May 2005 14:15, virtualsoftware@xxxxxxxxx wrote:
> I have a site and the other day I received a message from a guy that told
> me my site is vulnerable to mysql injections. I do not know how I can
> prevent this. The server is not configured or it's all about the script?
>
>
> ----- Original Message -----
> From: "Bostjan Skufca @ domenca.com" <bostjan.skufca@xxxxxxxxxxx>
> To: <php-general@xxxxxxxxxxxxx>
> Sent: Wednesday, May 11, 2005 1:50 PM
> Subject: Re:  MySql injections....
>
> > Probably you mean about "preventing mysql injections" - or not? :)
> >
> > Bostjan
> >
> > On Wednesday 11 May 2005 11:38, virtualsoftware@xxxxxxxxx wrote:
> >> Hi,
> >> This is not the proper list to put this question but I hope you can help
> >> me. Does anyone know a good tutorial about mysql injections?
> >>
> >> Thanks a lot for your help
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
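
Rules 2 and 3 from the quoted message, run over a few inputs, as an added example that is not part of the original thread. It shows what an unanchored digit check lets through compared with an anchored one, and what escaping plus quoting produces. The function names and sample inputs are constructed for illustration, and addslashes() is used only because the script runs without a database connection.

```php
<?php
// Added example: rules 2 and 3 from the message above, over constructed inputs.
// No database is needed; the script only builds and prints the SQL text.
// `values` and `key` are reserved words in MySQL, so they are backtick-quoted here.

// Rule 3 with a pattern that has no end anchor: only the prefix is checked.
function check_prefix_only(string $key): bool {
    return preg_match('/^[0-9]+/', $key) === 1;
}

// Rule 3 with the whole value anchored (\z = very end, no trailing newline).
function check_whole_value(string $key): bool {
    return preg_match('/^[0-9]+\z/', $key) === 1;
}

// Rule 3: unquoted use, only after the check passes; null means "rejected".
function build_unquoted(string $key, callable $check): ?string {
    return $check($key) ? "SELECT value FROM `values` WHERE `key` = $key" : null;
}

// Rule 2: escape AND quote. addslashes() is the call used in the message;
// with a live connection the native escaping function takes its place.
function build_quoted(string $key): string {
    return "SELECT value FROM `values` WHERE `key` = '" . addslashes($key) . "'";
}

// Constructed sample inputs, as they might arrive from a form or URI.
$samples = ['123', '123 OR 1=1', "12' OR 'a'='a", "123\n"];

foreach ($samples as $key) {
    echo 'input: ', json_encode($key), "\n";
    echo '  prefix-only check: ',
        build_unquoted($key, 'check_prefix_only') ?? '(rejected)', "\n";
    echo '  anchored check:    ',
        build_unquoted($key, 'check_whole_value') ?? '(rejected)', "\n";
    echo '  escaped + quoted:  ', build_quoted($key), "\n";
}
```

Run with the PHP command-line interpreter (PHP 7.1 or later); a value that survives the prefix-only check but is rejected by the anchored one marks the gap the end anchor closes.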
