|Report: Hackers Put SQL Injection and DDos Attacks Top of Their List|
Having seen the result of an SQL attack on one of my sites, I'm in no doubt it's one of the easier hacks.
|SQL injection and DDoS attacks are still the main ways in which hackers aim to attack websites. |
Nearly one fifth of discussion volume (19 per cent) in a hacker forum comprising 250,000 members was dedicated to discussing SQL and DDoS attacks, according to data security firm Imperva.
Report: Hackers Put SQL Injection and DDos Attacks Top of Their List [itpro.co.uk]
|Having seen the result of an SQL attack on one of my sites, I'm in no doubt it's one of the easier hacks. |
It's also one of the easiest to prevent.
Simple programming techniques of prepared statements and bound variables avoid most of the problem.
Here's a must read for PHP programmers:
Doing site-wide input filtering is trivial, it doesn't have to be done page by page, and can detect a myriad of issues including attempted MySQL injection. The fact that people still publish software without properly filtering input should be criminal IMO, as the poor programming procedures are just as guilty as the hackers. It's like building houses without locks on the doors and wondering why everyone is robbing them.
|a hacker forum comprising of 250,000 members |
And what a cheery mental picture that presents.
It is only days since I realized that one minor robot's requests come through as "GET http://www.example.com/blahblahb/tiny-pointless-image.jpg" -- and they've been at it for, well, as far back as I've got accessible logs. I honestly believe this specific case is a bona fide search engine whose robot is so low-tech, it travels by telnet. But I locked 'em out anyway.
I've had my site protected from SQL injection for a very, very long time. Regex is a wonderful thing.
|brotherhood of LAN|
Yes, anything that comes from the client side *has* to be checked to prevent SQL injections:
- Check whether a variable exists
- If it's meant to be a number, check it's a number. I like to avoid quoting numbers going into a DB, so I always remember to check.
- Use real_escape_string on all other variables
From the compromises of user details I come across, it's almost always an SQL injection.
As an aside, I use a MySQL UDF that allows me to execute shell commands inside procedures. Highly dangerous if you consider the potential of injections there... but if you're thorough in avoiding unchecked user supplied variables roaming freely through scripts, then there's nothing to worry about on that front.
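The two pieces of advice in this thread, incrediBill's "prepared statements and bound variables" and the three-step checklist above (does the variable exist, is it really a number, and only then let it near the database), fit together in a few lines. The following is an added illustration written for this thread, not code posted by any of the participants; it uses Python's built-in sqlite3 module with a constructed in-memory `users` table so it runs offline, and it stands in for the PHP/MySQL case discussed here. The `lookup_unsafe` function is included only to show the behaviour the checklist is meant to prevent: because the input is pasted into the SQL text, a value containing a quote changes the query's meaning, whereas the bound-parameter version treats the same value as plain data.

```python
import sqlite3


def make_db():
    """Build a small in-memory users table. Sample rows are constructed for
    this example and are not data from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            (1, "alice", "alice@example.com"),
            (2, "bob", "bob@example.com"),
        ],
    )
    return conn


def lookup_unsafe(conn, name):
    """The pattern to avoid: the client-supplied value becomes part of the SQL
    syntax, so quote characters in it alter the WHERE clause."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, name):
    """Prepared statement with a bound variable: the database receives the
    query shape and the value separately, so the value is never parsed as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def parse_user_id(params):
    """Steps 1 and 2 of the checklist: the parameter must exist, and a value
    that is meant to be a number must actually be one. `params` is assumed to
    be a dict of request parameters (hypothetical; a web framework would
    supply it)."""
    raw = params.get("id")
    if raw is None:
        raise ValueError("missing id")
    if not isinstance(raw, str) or not raw.isdigit():
        raise ValueError("id must be a non-negative integer")
    return int(raw)


def get_user_by_id(conn, params):
    """Step 3: after validation, the typed value is still passed as a bound
    parameter rather than pasted into the query or merely escaped."""
    uid = parse_user_id(params)
    return conn.execute(
        "SELECT id, name, email FROM users WHERE id = ?", (uid,)
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(lookup_prepared(db, "alice"))          # [(1, 'alice')]
    print(get_user_by_id(db, {"id": "2"}))       # (2, 'bob', 'bob@example.com')
    try:
        get_user_by_id(db, {"id": "2 OR 1=1"})
    except ValueError as err:
        print("rejected:", err)
```

Note that sqlite3's `execute` only runs a single statement, so the contrast here is confined to the WHERE clause; the same split between query text and bound values is what mysqli and PDO prepared statements give you in PHP.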
@Bewenched, regex as in regular expressions? I can see a role for them in monitoring, but if you are using them to prevent SQL injection, it sounds wrong to me. As incrediBill (and the link he provides) says, use prepared statements and parameterised queries.