PHP and MySQL injections

#1 Godsrock37 (Senior Member, PA, joined Jan 2005, 121 posts)

So this topic gets hit a lot on the web, but I need a real quick, easy, boiled-down version of what I need to do with my code. I'm now doing some web development for a few different clients, and a few of them have asked for some database functionality. No problem, it's all set up and functional, using PHP and MySQL provided by the client's hosting company (not a good one, I don't like them, web.com). So here's the question: how do I protect from MySQL injections? Right now the only public access to the database is just the form to make an online reservation, which links to a submit.php script that simply submits it. The client manages reservations with a web interface that is not linked to by anything, so you have to know the address. Later I'll put a username and password on it, in which case I know I'll have to protect against SQL injections, but for now, is there any danger of SQL injections? I'm assuming so. For some reason a few functions don't work on the hosting company's server (mysql_real_escape_string and free_result so far) and I think it's because it's an older version of PHP or MySQL. What can/should I do?
If God was willing to live all out for us, why aren't we willing to live all out for Him? God bless,
Godsrock37

#2 (Senior Member, MA, joined Oct 2003, 1,052 posts)

Silly man, Wiki always has the answer lol

    http://en.wikipedia.org/wiki/SQL_injection :-)

#3 Godsrock37

Saw that one. It only shows the mysql_real_escape_string function, which doesn't work with his hosting for whatever reason. It also has stuff for Perl and Java but mine's in PHP. Thanks for the help though, any other suggestions?

Also, while I'm here: rather than create a login app for the management system, my comp sci teacher suggested putting it in a different directory and setting up permissions, but because it's not a dedicated server I'm not sure that's allowed. It does sound a lot easier. Any suggestions there?

#4 Niggles
    Hi,

    I use both htmlentities(); and addslashes(); to remove nasty characters.

    When echo-ing back to the screen in the admin area use stripslashes(); to bring it back to normal.

    There are more involved methods like searching for and replacing particular strings/characters, but these cover the basics.

    Here's a good primer on how to prevent some attacks via .htaccess and PHP -> http://www.0x000000.com/?i=50&bin=110010

    Cheers,
    Niggles

#5 Godsrock37

Thanks, I'll look into those for sure, they look good. I'll have to test the functions. If anyone else has ideas don't be afraid to post, the more the merrier.

#6 Mark (Senior Member, joined Jan 2002, 1,207 posts)
    It basically boils down to:

    1. Don't pass any string directly into SQL without appropriate escaping - ideally use prepared queries
2. Audit use of dangerous functions such as eval(), system(), etc. VERY bloody carefully.

    There are other attacks you might want to consider as well:

    - XSS - consider using a framework to automatically escape HTML in your output (e.g. if using a templating system like smarty)
    - CSRF - consider using a framework which provides CSRF protection

    Mark
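The following is an added example, not code from the thread, showing what Mark's list looks like applied to the reservation submit.php: input validation, a prepared statement instead of string concatenation, a CSRF token on the form, and HTML escaping on everything echoed back. It assumes a `reservations` table with columns name, email, res_date and party_size, placeholder database credentials, and mysqli on PHP 7 or later (so it is the target shape, not something the PHP 4 host described in the thread would run). The vulnerable function is kept only to show the shape that the prepared statement replaces.

```php
<?php
// Added example, not code from the thread. Assumes a `reservations` table
// (name, email, res_date, party_size), placeholder DB credentials, mysqli, PHP 7+.
declare(strict_types=1);
session_start();

// Vulnerable shape: fields are concatenated into the SQL text. A name such as
//   x', 'a@b.c', '2005-05-01', 1); DROP TABLE reservations; --
// closes the quoted literal and the remainder runs as SQL.
function insertReservationUnsafe(mysqli $db, array $post): bool
{
    $sql = "INSERT INTO reservations (name, email, res_date, party_size) VALUES ('"
        . $post['name'] . "', '" . $post['email'] . "', '" . $post['date'] . "', "
        . $post['party_size'] . ")";
    return (bool) $db->query($sql);
}

// Step 1, validation: know what each field may be and reject everything else.
function validateReservation(array $post): array
{
    $errors = [];
    $name = trim((string) ($post['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 80) {
        $errors[] = 'name must be 1-80 characters';
    }
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email is not valid';
    }
    $date = (string) ($post['date'] ?? '');
    $d = DateTime::createFromFormat('!Y-m-d', $date);
    if ($d === false || $d->format('Y-m-d') !== $date) { // also rejects 2005-02-30
        $errors[] = 'date must be YYYY-MM-DD';
    }
    $size = filter_var($post['party_size'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 20]]);
    if ($size === false) {
        $errors[] = 'party size must be 1-20';
    }
    return [$errors, ['name' => $name, 'email' => $email, 'date' => $date, 'party_size' => $size]];
}

// Step 2, prepared statement: query text and data travel separately, so a quote
// in $name can never change the statement's structure; nothing to escape by hand.
function insertReservation(mysqli $db, array $r): bool
{
    $stmt = $db->prepare(
        'INSERT INTO reservations (name, email, res_date, party_size) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('sssi', $r['name'], $r['email'], $r['date'], $r['party_size']);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// CSRF: the form carries a per-session random token and submit.php refuses a POST
// without it, so a page on another site cannot make a visitor's browser book a table.
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrfValid(?string $token): bool
{
    return $token !== null && isset($_SESSION['csrf']) && hash_equals($_SESSION['csrf'], $token);
}

// XSS: everything echoed back (confirmation page, the admin listing) goes through
// htmlspecialchars, so a stored "<script>" renders as inert text.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('invalid request token');
    }
    [$errors, $clean] = validateReservation($_POST);
    if ($errors) {
        http_response_code(400);
        foreach ($errors as $e) { echo '<p>' . h($e) . '</p>'; }
        exit;
    }
    $db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholders
    $db->set_charset('utf8mb4'); // connection charset must match what the app sends
    if (insertReservation($db, $clean)) {
        echo '<p>Thanks, ' . h($clean['name']) . ', your table for '
            . h($clean['date']) . ' is booked.</p>';
    }
} else {
    echo '<form method="post"><input type="hidden" name="csrf" value="' . h(csrfToken()) . '">'
        . '<input name="name"><input name="email"><input name="date">'
        . '<input name="party_size"><button>Reserve</button></form>';
}
```

The validation step does most of the work for a form this small: a date that must match `YYYY-MM-DD` and a party size that must be an integer between 1 and 20 leave nothing for an attacker to inject through those fields, and the prepared statement covers the free-text name. On a host that is still on PHP 4 with no mysqli, the same structure applies with validation first and the escaping function of last resort second, but the prepared statement is the part that removes the escaping problem rather than managing it.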

#7 (Senior Member, MA)

All you really need to know is

mysql_real_escape_string

    :-)

#8 Godsrock37

Like I said, it doesn't work.

#9 (Senior Member, MA)

    The site says it is for "PHP 4 >= 4.3.0, PHP 5"
    You can use phpinfo() to show what version you are running.

#10 (Senior Member, central IL, joined Mar 2003, 1,779 posts)

It's been mostly covered. Most shared hosts will allow you to set up an .htaccess-protected directory; what is the site management app (Plesk, cPanel, etc.)? Stopping SQL injection isn't that hard, so it's rather disturbing that so much of it shows up online in PHP apps. First you need to take the input in as a var, and then before that is pushed into SQL the submit.php should do some validation. If you can't get the canned scripts to work you will need to make your own. This isn't too difficult, as you must know what the input can and can't be (length, character types, etc.). Then escape the input to clean up what's left (something like mysql_escape_string(), or as a last resort addslashes()).

For the love of God, don't store your DB connection info in a plain text file; it will be found and read.

This site is very good for looking into PHP security: http://phpsec.org/projects/guide/3.html (the link is their SQL injection guide). Beyond that, remember security through obscurity isn't secure. I don't care if you didn't link the directory, someone will find it (you are on a shared server, someone else may have been exploited and granted a shell, PHP file upload exploits are notorious for this, and then your "hidden" directory is hosed).

Hey, if you are still at it in May pick up a copy of SAMS Teach Yourself PHP Security. I am hoping to have it out in time for RSA.
Who is more trustworthy than all of the gurus or Buddhas?
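As an added example (not from the thread), this is the .htaccess a shared-host user would drop into the management directory to get the "different directory with permissions" setup from post #3 and to keep the credentials include from being served. It assumes Apache 2.4 with AllowOverride AuthConfig and Limit permitted by the host, and a password file created with htpasswd at a placeholder path outside the document root.

```apache
# Added example, not from the thread. Placed in the management directory.
# Assumes Apache 2.4, AllowOverride AuthConfig/Limit allowed by the host, and a
# password file made with:  htpasswd -c /home/user/private/.htpasswd admin
# (placeholder path; the file must sit outside the document root).

# Everything in this directory requires a login. This sits on top of, not in
# place of, an application login: Basic auth only guards the directory, and it
# sends the password in the clear unless the site is served over HTTPS.
AuthType Basic
AuthName "Reservation management"
AuthUserFile /home/user/private/.htpasswd
Require valid-user

# Never serve the file holding the DB credentials by direct URL. PHP's include
# still reads it from disk, so the application keeps working. Better still,
# make it real PHP (config.php, not config.txt) and move it outside the
# document root so there is nothing for the web server to hand out.
<FilesMatch "^(config|dbconnect)\.(inc|php|txt)$">
    Require all denied
</FilesMatch>
```

On Apache 2.2, the version most hosts ran when this thread was written, `Require all denied` is spelled as `Order deny,allow` followed by `Deny from all`. Check with a plain GET for the config file name after uploading the .htaccess; a 403 means the rule is active, a 200 (or the file's contents) means the host has not enabled overrides and the file must be moved outside the web root instead.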
