PHP Server Side Scripting Forum
Protecting against SQL Injection Attacks & the like
TravelSite
Msg#: 4076583 posted 8:51 pm on Feb 8, 2010 (gmt 0)

Hi,

I'm building a site in PHP & MySQL. I'm looking for what I need to do in order to protect the site from sql injection and other attacks.

Its on a shared hosting account, and unfortunately there doesn't seem to be any support for "mysqli_connect" (which seems to offer the best protection from what I've read so far).

Aside from placing "strip_tags()" around all POST & GET requests, are there other things I can do?

Thanks

 

TravelSite
Msg#: 4076583 posted 9:02 pm on Feb 8, 2010 (gmt 0)

E.g. currently I'm doing:

$abc=addslashes(strip_tags($_POST['abc']));

Should I also be doing a str_replace for words like "SELECT" etc?

dreamcatcher
Msg#: 4076583 posted 9:22 pm on Feb 8, 2010 (gmt 0)

Hi TravelSite,

This thread in our library may help:
[webmasterworld.com...]

dc

CyBerAliEn
Msg#: 4076583 posted 9:36 pm on Feb 8, 2010 (gmt 0)

Aside from the useful thread linked above... The most straightforward way of doing it is to implement the PHP MySQL "escape" function on any user input that is going to touch the database. Such as follows:

$firstname = mysql_real_escape_string($_REQUEST['firstname']); // escapes quotes, backslashes, NUL, etc. for the open mysql_* connection
//then use var 'firstname' where needed; etc


The reason I say most straightforward is that it will escape any characters that could cause harm. However, my understanding is that this is not 100% secure; but that it is significantly more secure than doing "add slashes" or "strip tags".

If you wish to "strip tags", I would do so... but after "real escape" is run on it first.

To be even safer, I usually run a regular expression against the input to automatically trash any unknown or unexpected characters. For example, if I'm asking for an 'age' and know that it should be returned as a number, I'll run a reg. exp. against it to strip out any non-numeric characters... and then use this result in the scripting (to validate, to put in DB, etc). This combined with the "real escape" function helps to stem injection by properly escaping and properly controlling input.
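The following is an added example, not code from the thread or any of its posters. It puts the two controls described in the post above into working PHP: allow-list validation of each field (the regular expression for a numeric age) and escaping of every value that reaches the database via the mysql_* extension, with the escaped value always wrapped in quotes, since escaping alone does nothing for an unquoted value such as `WHERE age = $age`. It also shows PDO prepared statements, which most shared hosts provide even when mysqli is missing and which remove the need for escaping entirely; that part goes beyond the post. Note that strip_tags() and addslashes() are not SQL injection defences (the first targets HTML, the second does not know the connection's character set), and blacklisting words like "SELECT" breaks legitimate input without closing the hole. The table and column names, the validation rules and the $_POST field names are assumptions for illustration. The mysql_* functions exist only in PHP 5; the PDO function works on PHP 5 and later.

```php
<?php
// Added example, not from the original thread. Table/column names and field rules
// are assumptions for illustration.

// 1. Allow-list validation: reject input that is not the expected shape instead of
//    trying to blacklist SQL keywords.
function validate_age($raw) {
    // Only 1-3 digits; anything else is rejected rather than "cleaned".
    if (!preg_match('/^\d{1,3}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

function validate_name($raw) {
    // Letters, spaces, apostrophes and hyphens, 1-50 characters. An apostrophe is a
    // legitimate character in a name, so validation alone does not make the value safe
    // to concatenate into SQL: it still needs escaping + quoting (step 2) or binding (step 3).
    if (!preg_match("/^[A-Za-z' -]{1,50}$/", $raw)) {
        return null;
    }
    return $raw;
}

// 2. Legacy mysql_* extension (PHP 5 only, removed in PHP 7): escape the string value
//    with the open connection's charset, and ALWAYS wrap the escaped value in quotes.
//    The age is an integer that was validated in step 1, so it is cast rather than quoted.
function build_legacy_query($link, $firstname, $age) {
    $fn  = mysql_real_escape_string($firstname, $link); // $link: open mysql_connect() handle
    $age = (int) $age;
    return "SELECT id FROM users WHERE firstname = '$fn' AND age = $age";
}

// 3. Preferred: prepared statements via PDO. The SQL text and the data are sent
//    separately, so the values cannot change the meaning of the statement.
function find_user_pdo(PDO $pdo, $firstname, $age) {
    $stmt = $pdo->prepare('SELECT id FROM users WHERE firstname = ? AND age = ?');
    $stmt->execute(array($firstname, $age));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with the request fields as they would arrive in $_POST (field names assumed):
$firstname = validate_name(isset($_POST['firstname']) ? $_POST['firstname'] : '');
$age       = validate_age(isset($_POST['age']) ? $_POST['age'] : '');
if ($firstname === null || $age === null) {
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid input');
}
// Then either:
//   $sql = build_legacy_query($link, $firstname, $age);   // $link from mysql_connect()
//   $res = mysql_query($sql, $link);
// or, on a host with PDO:
//   $pdo  = new PDO('mysql:host=localhost;dbname=example;charset=utf8', $dbuser, $dbpass);
//   $rows = find_user_pdo($pdo, $firstname, $age);
```

Validation happens before the value is used anywhere, escaping happens at the point where a string is placed into SQL text, and the two are not interchangeable: a validated name still contains quote characters that must be escaped or bound, and an escaped number placed unquoted into a query is still injectable.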

TravelSite
Msg#: 4076583 posted 10:18 pm on Feb 8, 2010 (gmt 0)

Hi dreamcatcher & CyBerAliEn,

- Thanks for the info. I've started changing things to use mysql_real_escape_string, and will read through the rest of it shortly.

Paul.
