-
May 10th, 2007, 01:53 AM
#1
PHP and MySQL injections
So this topic gets hit a lot on the web, but I need a real quick, easy, boiled-down version of what I need to do with my code. I'm now doing some web development for a few different clients, and a few of them have asked for some database functionality. No problem, it's all set up and functional, using PHP and MySQL provided by the client's hosting company (not a good one, I don't like them, web.com). So here's the question: how do I protect from MySQL injections? Right now the only public access to the database is just the form to make an online reservation, which links to a submit.php script that simply submits it. The client manages reservations with a web interface that is not linked to by anything, so you have to know the address. Later I'll put a username and password on it, in which case I know I'll have to protect against SQL injections, but for now, is there any danger of SQL injections? I'm assuming so. For some reason a few functions don't work on the hosting company's server (mysql_real_escape_string and free_result so far) and I think it's because it's an older version of PHP or MySQL. What can/should I do?
if God was willing to live all out for us, why aren't we willing to live all out for Him? God bless,
Godsrock37
my home my forum
-
May 10th, 2007, 02:48 AM
#2
Silly man, Wiki always has the answer lol
http://en.wikipedia.org/wiki/SQL_injection :-)
-
May 11th, 2007, 12:52 AM
#3
Saw that one; it only shows the mysql_real_escape_string function, which doesn't work with his hosting for whatever reason. It also has stuff for Perl and Java, but mine's in PHP. Thanks for the help though, any other suggestions?
Also, while I'm here: rather than create a login app for the management system, my comp sci teacher suggested putting it in a different directory and setting up permissions, but because it's not a dedicated server I'm not sure that's allowed. It does sound a lot easier though; any suggestions there?
-
May 11th, 2007, 03:32 AM
#4
Hi,
I use both htmlentities(); and addslashes(); to remove nasty characters.
When echo-ing back to the screen in the admin area use stripslashes(); to bring it back to normal.
There are more involved methods like searching for and replacing particular strings/characters, but these cover the basics.
Here's a good primer on how to prevent some attacks via .htaccess and PHP -> http://www.0x000000.com/?i=50&bin=110010
Cheers,
Niggles
-
May 12th, 2007, 04:25 PM
#5
Thanks, I'll look into those for sure, they look good. I'll have to test the functions. If anyone else has ideas don't be afraid to post, the more the merrier.
-
May 14th, 2007, 12:00 AM
#6
It basically boils down to:
1. Don't pass any string directly into SQL without appropriate escaping - ideally use prepared queries
2. Audit use of dangerous functions such as eval(), system() etc, VERY bloody carefully.
There are other attacks you might want to consider as well:
- XSS - consider using a framework to automatically escape HTML in your output (e.g. if using a templating system like smarty)
- CSRF - consider using a framework which provides CSRF protection
Mark
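The reservation submit.php the original poster describes, written the unsafe way and then with a prepared query, plus output escaping for the admin page as Mark suggests. This is an added example, not code from the thread; the table name, column names and database credentials are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes a table `reservations`
// with columns name, email, party_size, res_date; DB credentials are placeholders.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
if ($db->connect_error) {
    die('Database connection failed');   // never show connect_error to the public
}

$name  = isset($_POST['name'])       ? $_POST['name']             : '';
$email = isset($_POST['email'])      ? $_POST['email']            : '';
$size  = isset($_POST['party_size']) ? (int) $_POST['party_size'] : 0;
$date  = isset($_POST['res_date'])   ? $_POST['res_date']         : '';

// UNSAFE (what a script that "simply submits it" usually looks like): the form
// values become part of the SQL text, so a quote character in any field changes
// the query instead of being stored as data.
//   $db->query("INSERT INTO reservations (name, email, party_size, res_date)
//               VALUES ('$name', '$email', $size, '$date')");

// SAFE: a prepared query sends the SQL and the values separately; the server
// never parses the values as SQL, whatever characters they contain.
$stmt = $db->prepare(
    'INSERT INTO reservations (name, email, party_size, res_date) VALUES (?, ?, ?, ?)'
);
if ($stmt === false) {
    die('Could not prepare statement');
}
$stmt->bind_param('ssis', $name, $email, $size, $date);   // s = string, i = integer
if (!$stmt->execute()) {
    die('Could not save reservation');
}
$stmt->close();

// Admin listing (Mark's XSS point): escape every value on the way OUT as well,
// otherwise a reservation name containing HTML runs in the admin's browser.
$result = $db->query('SELECT name, email, party_size, res_date FROM reservations');
echo "<table>\n";
while ($row = $result->fetch_assoc()) {
    echo '<tr>';
    foreach ($row as $value) {
        echo '<td>' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</td>';
    }
    echo "</tr>\n";
}
echo "</table>\n";
$result->free();
$db->close();
```

mysqli prepared statements need PHP 5 with the mysqli extension; phpinfo() (mentioned later in the thread) shows whether the host has it.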
-
May 17th, 2007, 04:18 PM
#7
All you really need to know is
mysql_real_escape_string
:-)
-
May 18th, 2007, 12:20 AM
#8
Like I said, it doesn't work.
-
May 18th, 2007, 03:09 AM
#9
The site says it is for "PHP 4 >= 4.3.0, PHP 5"
You can use phpinfo() to show what version you are running.
-
July 23rd, 2007, 08:07 PM
#10
It's been mostly covered. Most shared hosts will allow you to set up an .htaccess protected directory; what is the site management app (Plesk, cPanel, etc.)? Stopping SQL injection isn't that hard, so it's rather disturbing that so much shows up online in PHP apps. First you need to take input in as a var, and then before that is pushed into SQL the submit.php should do some validation. If you can't get the canned scripts to work you will need to make your own. This isn't too difficult as you must know what the input can and can't be (length, character types, etc.). Then escape the input to clean up what's left (something like mysql_escape_string(), or as a last resort addslashes()).
For the love of god don't store your db connection info in a plain txt file, it will be found and read.
This site is very good for looking into PHP security: http://phpsec.org/projects/guide/3.html (the link is their SQL injection guide). Beyond that, remember security through obscurity isn't secure; I don't care if you didn't link the directory, someone will find it (you are on a shared server, someone else may have been exploited and granted a shell, PHP file upload exploits are notorious for this, and then your "hidden" directory is hosed).
Hey, if you are still at it in May pick up a copy of SAMS Teach Yourself PHP Security. I am hoping to have it out in time for RSA.
Who is more trustworthy then all of the gurus or Buddha’s?
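The "know what the input can and can't be (length, character types, etc.)" step above, as an added validation function for the reservation form; this is not the poster's code, and the field names and limits are assumptions chosen to fit the form described in the thread.

```php
<?php
// Added example, not the poster's code. Field names and limits are assumptions
// chosen to fit the reservation form described in this thread.
function validate_reservation(array $in) {
    $errors = array();

    // Name: 1-60 characters, letters, spaces, hyphens and apostrophes only.
    // Note O'Brien is a valid name: validation narrows the input, it does not
    // remove the need to escape or parameterize the quote before it reaches SQL.
    $name = isset($in['name']) ? trim($in['name']) : '';
    if ($name === '' || strlen($name) > 60 || !preg_match('/^[A-Za-z][A-Za-z \'\-]*$/', $name)) {
        $errors['name'] = 'Name: 1-60 letters, spaces, hyphens or apostrophes';
    }

    // Email: let PHP's validator decide the syntax, then cap the length.
    $email = isset($in['email']) ? trim($in['email']) : '';
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Email address is not valid';
    }

    // Party size: digits only, then a sensible range.
    $size = isset($in['party_size']) ? trim($in['party_size']) : '';
    if (!preg_match('/^\d{1,2}$/', $size) || (int) $size < 1 || (int) $size > 20) {
        $errors['party_size'] = 'Party size must be a number from 1 to 20';
    }

    // Date: exact YYYY-MM-DD shape AND a real calendar date (no 2007-02-31).
    $date = isset($in['res_date']) ? trim($in['res_date']) : '';
    if (!preg_match('/^(\d{4})-(\d{2})-(\d{2})$/', $date, $m)
        || !checkdate((int) $m[2], (int) $m[3], (int) $m[1])) {
        $errors['res_date'] = 'Date must be YYYY-MM-DD and a real date';
    }

    return $errors;   // empty array means every field passed
}

// In submit.php: reject on any error; only then escape/parameterize and insert.
$errors = validate_reservation($_POST);
if (count($errors) > 0) {
    foreach ($errors as $field => $msg) {
        echo htmlspecialchars($field . ': ' . $msg, ENT_QUOTES, 'UTF-8') . "<br>\n";
    }
    exit;
}
```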