
preventing an sql injection / attack


jake66

4:30 pm on Apr 24, 2006 (gmt 0)

10+ Year Member



for the past three hours i've dug through every tutorial i could find.

i've tried the tutorials on php.net, but it mucked up my redirect function (that sends the user back to their originating page [dynamic?bla=bla1] with the "success" message)

i'm sure i've done something incorrect that caused this to happen. can anyone enlighten me?

this is the tutorial i used: [ca3.php.net...]

in my redirect, somehow a " and ' got inserted between the filename.

jake66

5:48 pm on Apr 24, 2006 (gmt 0)

10+ Year Member



i determined where the quotes were coming from.. this line:
$value = "'" . mysql_real_escape_string($value) . "'";

i am using this code to output plain text and email addresses, will i damage the protection if i edit this line to be:
$value = "" . mysql_real_escape_string($value) . "";

instead?

mikesmith76

7:53 pm on Apr 24, 2006 (gmt 0)

10+ Year Member



easiest way i've found for testing for sql injection vulnerabilities is to insert ' into any user submitted data that will end up in the query, if you receive an sql error afterwards then most likely you are vulnerable to attack.

jake66

8:40 pm on Apr 24, 2006 (gmt 0)

10+ Year Member



just tried entering:
'myemail'@myemail.com

into the form and no errors, it submitted successfully.

in my admin area where i output the data from the database, it shows up as:

\'myemail\'@myemail.com

for this effort, i tried:

$email = mysql_real_escape_string( $email );

am i safe from any injections?

jake66

1:08 am on Apr 25, 2006 (gmt 0)

10+ Year Member



is this too much protection (or, am i using this incorrectly)?
//grab info from previous page
$email = mysql_real_escape_string( $mail );

query:

$query_manf = "select * from notification where id='".$id."' and email='".addslashes($email)."' ";

(email being where the user can input their email).. this form checks to see if their address currently exists, if not, proceed to next query:

$query_insert = "insert into notification(id,email,date)values(".$id.",'".$email."',now()) ";

is there anything else i can do to thwart possible attacks?

hakre

7:01 am on Apr 25, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



is this too much protection (or, am i using this incorrectly)?
//grab info from previous page
$email = mysql_real_escape_string( $mail );

query:
$query_manf = "select * from notification where id='".$id."' and email='".addslashes($email)."' ";

mysql_real_escape_string is enough, you don't need to apply addslashes later on.

is there anything else i can do to thwart possible attacks?

grab a tutorial about how sql injection is done and understand. you will learn some more specs about sql queries and you will understand what part of your query needs to be protected and validated. often it's about ensuring the users input is in the right form.
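An added example (not jake66's code and not from the tutorial linked above): the same "check, then insert" pair of queries written with mysqli prepared statements, so the email is bound as a parameter and never escaped by hand; a stored value like `\'myemail\'@myemail.com` is the usual sign that the input was escaped twice (for instance magic_quotes_gpc plus mysql_real_escape_string, or addslashes on top of it), which binding removes entirely. The `mysql_*` functions used in the thread were removed in PHP 7, so this uses mysqli instead; the connection details, the `notification(id, email, date)` table and the `$_GET['id']` / `$_POST['email']` sources are assumptions.

```php
<?php
// Added example: jake66's "does this address exist, if not insert it" flow,
// with mysqli prepared statements instead of string-built queries.
// Connection details are placeholders; the notification table is assumed.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error);
}
$db->set_charset('utf8mb4');   // escaping and binding are charset-aware

$id    = (int) ($_GET['id'] ?? 0);      // numeric column: cast it, never quote it
$email = trim($_POST['email'] ?? '');   // hypothetical form field name

// Validate the shape first: binding stops injection, it does not stop garbage.
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    die('invalid email address');
}

// First query from the thread: is this address already registered for this id?
$check = $db->prepare('SELECT 1 FROM notification WHERE id = ? AND email = ?');
$check->bind_param('is', $id, $email);   // i = integer, s = string
$check->execute();
$check->store_result();
$exists = $check->num_rows > 0;
$check->close();

// Second query from the thread: insert only when it is not there yet.
if (!$exists) {
    $insert = $db->prepare(
        'INSERT INTO notification (id, email, date) VALUES (?, ?, NOW())'
    );
    $insert->bind_param('is', $id, $email);
    $insert->execute();
    $insert->close();
}

// What ends up in the table is exactly what the user typed, quotes included,
// with no backslashes: no escaping step ever touches the data, and the
// placeholders are sent to MySQL separately from the SQL text.
```

If the legacy `mysql_*` code has to stay for now, escape exactly once with mysql_real_escape_string and drop the addslashes call, and check that magic_quotes_gpc is off so the value is not escaped a second time before your code sees it.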

jatar_k

7:03 pm on Apr 25, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



You also could try reading through the Library [webmasterworld.com]

there is a thread here about PHP Security [webmasterworld.com] that might help with some of the concepts