security

4:17 am on Feb 21, 2008 (gmt 0)
5+ Year Member

I have this article script and this admin panel where I can post articles and stuff to a database, but I think it can be injected and, like, hacked pretty easily. Is there a way to check? Because I've seen things where people put like &password=123example&login=lolwhut at the end of the URL or something and then they mess up your site.

Can you tell me if this is secure or not?

[edited by: eelixduppy at 4:36 am (utc) on Feb. 21, 2008]
[edit reason] no URLs, please [/edit]

4:37 am on Feb 21, 2008 (gmt 0)
eelixduppy (WebmasterWorld Senior Member)

There are many different ways to secure your applications. The best thing for you to do right now is to read up on different security problems and how to avoid them. Start with the following link: [phpsec.org...]

5:07 am on Feb 21, 2008 (gmt 0)
5+ Year Member

OK, I read on the SQL injections and the form one, but for the SQL injections, it doesn't provide a way to protect against it, except put "" quotes around all your variables and stuff, and also include your login and password and stuff in a separate file in a separate location. Is that all I can do?

5:11 am on Feb 21, 2008 (gmt 0)
eelixduppy (WebmasterWorld Senior Member)

If you are using MySQL, you should be escaping those variables with mysql_real_escape_string [php.net] in order to prevent SQL injection. Aside from just escaping input (and by input I mean ANYTHING that can be altered by the user, including the referrer, etc.), you should also make sure that it contains what it is supposed to contain, and not anything else that you wouldn't want to allow.

5:13 am on Feb 21, 2008 (gmt 0)
5+ Year Member

Oh, so like for a name input field, only accept letters? And do you have to include other characters besides letters for an injection?

6:04 am on Feb 21, 2008 (gmt 0)
eelixduppy (WebmasterWorld Senior Member)

Injections come in a variety of different ways, so no, they aren't just comprised of letters, if that's what you mean. Escaping your input should be enough to prevent SQL injection; however, validating the input is extra security so that you KNOW you will not get unexpected results somewhere in your application. It doesn't necessarily mean that it will occur with the database, but it could very well be somewhere else. You always just want to know what to expect in a variable, and that is why we check :)

6:14 am on Feb 21, 2008 (gmt 0)
5+ Year Member

By validating you mean that it's a required field, right? And also I found some videos on YouTube about the commands to get past and stuff, and I tried it all on my site, but none of them worked. I made some changes.

6:20 am on Feb 21, 2008 (gmt 0)
eelixduppy (WebmasterWorld Senior Member)

>> By validating you mean that it's a required field, right?

Not exactly. First off, by validation I do not mean measures to prevent SQL injection, but general security measures that should be taken. But an example of making sure the input is validated (clean) is, for instance, say you are looking for an integer to be input in a form. You want to check first to see if this is indeed an integer, and if it is not, prompt for it to be submitted again. And then once it is an integer, be safe and still escape it before using it in a query. The reason you want to validate it to make sure it is an integer is so that you don't get unexpected results from functions, etc., when you think you have an integer but in reality, without the validation, you may have a string of other random characters that will cause your application to fail.

6:26 am on Feb 21, 2008 (gmt 0)
5+ Year Member

Yeah, so should I make sure ONLY letters/numbers are included, because I noticed to do an SQL injection they use the (') a few times, and the (-) and (=) sometimes. Would that be a good means of security, because I'm not sure how to make it not be used in a query or w/e.

6:57 am on Feb 21, 2008 (gmt 0)
eelixduppy (WebmasterWorld Senior Member)

What you allow in the field is up to what you actually NEED to allow in the field. If you need to allow characters other than alphanumerics, then you can without any further security issues, as long as you escape the data correctly. Here is an example:

#connect to db server, select database...
$input = $_POST['input'];
#validate input...
$query = "SELECT * FROM `table` WHERE `field` = '".mysql_real_escape_string($input)."'";
#etc...

This should sufficiently protect you from SQL injection.
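
The following is an added worked example, not code from the thread or from eelixduppy. It puts the three points made above side by side in runnable form: the raw-concatenation pattern the original poster was worried about, the escape-then-quote fix shown in the post above, and the "make sure it really is an integer" validation from the earlier reply. It also shows the gap that validation closes: an escaper only neutralises quote characters, so in an unquoted numeric context (`WHERE id = ...`) there is nothing for it to escape and the input flows straight into the SQL. Assumptions: it runs against an in-memory SQLite database through PDO so it works offline without a MySQL server (the `mysql_*` functions the thread uses were deprecated in PHP 5.5 and removed in PHP 7); the table `users`, its columns and the two sample rows are constructed for the demo; and `sqlite_escape()` is a stand-in for `mysql_real_escape_string()`, doing for SQLite string literals (quote doubling) what that function does for MySQL, and, like it, adding no surrounding quotes. Note that the real `mysql_real_escape_string()` needs an open connection, because it escapes according to that connection's character set, so it must be called after connecting.

```php
<?php
// Added example, not code from the thread. Runs offline on PDO + SQLite.
// Table, columns and rows below are constructed for the demo.

function setup(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
    $pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");
    return $pdo;
}

// Stand-in for mysql_real_escape_string(): SQLite escapes a single quote
// inside a string literal by doubling it. Adds no surrounding quotes.
function sqlite_escape(string $value): string
{
    return str_replace("'", "''", $value);
}

// 1. What the OP feared: raw input pasted between the quotes. The attack
//    string "' OR '1'='1" closes the literal and appends its own condition.
function find_unsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. The thread's fix: escape the value, then put it inside the quotes.
//    The quote in the attack string is now data, not SQL syntax.
function find_escaped(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . sqlite_escape($name) . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. The gap the "is it really an integer?" advice closes: in an unquoted
//    numeric context there is no quote to escape, so "1 OR 1=1" passes
//    through the escaper untouched and becomes part of the WHERE clause.
function find_by_id_escaped_only(PDO $pdo, string $id): array
{
    $sql = "SELECT name FROM users WHERE id = " . sqlite_escape($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 4. Validate the type first (reject and re-prompt on failure, as the thread
//    suggests), then bind the value to a prepared statement so the database
//    never parses it as SQL at all.
function find_by_id_validated(PDO $pdo, string $id): array
{
    $n = filter_var($id, FILTER_VALIDATE_INT);
    if ($n === false) {
        throw new InvalidArgumentException("id must be an integer");
    }
    $stmt = $pdo->prepare("SELECT name FROM users WHERE id = :id");
    $stmt->bindValue(':id', $n, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 5. The same prepared-statement approach for the string field; no SQL text
//    is built from the input, so the escaping step in (2) is not needed.
function find_prepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT name FROM users WHERE name = :name");
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = setup();
$stringAttack  = "' OR '1'='1";
$numericAttack = "1 OR 1=1";

foreach (['find_unsafe', 'find_escaped', 'find_prepared'] as $fn) {
    printf("%-25s %s\n", $fn, json_encode($fn($pdo, $stringAttack)));
}
printf("%-25s %s\n", 'find_by_id_escaped_only',
    json_encode(find_by_id_escaped_only($pdo, $numericAttack)));
try {
    find_by_id_validated($pdo, $numericAttack);
} catch (InvalidArgumentException $e) {
    printf("%-25s rejected: %s\n", 'find_by_id_validated', $e->getMessage());
}
printf("%-25s %s\n", 'find_by_id_validated',
    json_encode(find_by_id_validated($pdo, '2')));
```

Run it with `php example.php` (needs the `pdo_sqlite` extension, enabled by default in most builds). With the string attack, `find_unsafe` returns both rows because the query has become `WHERE name = '' OR '1'='1'`, while `find_escaped` and `find_prepared` return nothing because the attack string is compared as an ordinary value. With the numeric attack, `find_by_id_escaped_only` again returns both rows, which is exactly why the "check that it is an integer" step in the thread matters: escaping alone does not help where the query does not quote the value. `find_by_id_validated` rejects the attack string before any SQL is built and returns only `bob` for a genuine id.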

7:11 am on Feb 21, 2008 (gmt 0)
5+ Year Member

Oh, so like this?:

$query = "SELECT * FROM `mahtable` WHERE `name` = '".mysql_real_escape_string($input)."'";

and then input would be the name of the field?

7:13 am on Feb 21, 2008 (gmt 0)
eelixduppy (WebmasterWorld Senior Member)

yup

7:36 am on Feb 21, 2008 (gmt 0)
5+ Year Member

OK, but how do I make it for like a login field, because my login fields I don't think like connect to the database, they connect to my admin panel.