security

     
4:17 am on Feb 21, 2008 (gmt 0)
Junior Member (5+ Year Member; joined: Feb 6, 2008; posts: 94; votes: 0)

I have this article script and this admin panel where I can post articles and stuff to a database, but I think it can be injected and, like, hacked pretty easily. Is there a way to check? Because I've seen things where people put like &password=123example&login=lolwhut at the end of the URL or something and then they mess up your site.

Can you tell me if this is secure or not?

[edited by: eelixduppy at 4:36 am (utc) on Feb. 21, 2008]
[edit reason] no URLs, please [/edit]

4:37 am on Feb 21, 2008 (gmt 0)
Senior Member eelixduppy (Top Contributor of All Time, 10+ Year Member; joined: Nov 12, 2005; posts: 5966; votes: 0)

There are many different ways to secure your applications. The best thing for you to do right now is to read up on different security problems and how to avoid them. Start with the following link: [phpsec.org...]

5:07 am on Feb 21, 2008 (gmt 0)
Junior Member (5+ Year Member; joined: Feb 6, 2008; posts: 94; votes: 0)

OK, I read about the SQL injections and the form one, but for the SQL injections it doesn't provide a way to protect against it, except putting "" quotes around all your variables and stuff, and also including your login and password and stuff in a separate file in a separate location. Is that all I can do?

5:11 am on Feb 21, 2008 (gmt 0)
Senior Member eelixduppy (Top Contributor of All Time, 10+ Year Member; joined: Nov 12, 2005; posts: 5966; votes: 0)

If you are using MySQL, you should be escaping those variables with mysql_real_escape_string [php.net] in order to prevent SQL injection. Aside from just escaping input (and by input I mean ANYTHING that can be altered by the user, including the referrer, etc.), you should also make sure that it contains what it is supposed to contain, and not anything else that you wouldn't want to allow.

5:13 am on Feb 21, 2008 (gmt 0)
Junior Member (5+ Year Member; joined: Feb 6, 2008; posts: 94; votes: 0)

Oh, so like for a name input field, only accept letters? And do you have to include other characters besides letters for an injection?

6:04 am on Feb 21, 2008 (gmt 0)
Senior Member eelixduppy (Top Contributor of All Time, 10+ Year Member; joined: Nov 12, 2005; posts: 5966; votes: 0)

Injections come in a variety of different ways, so no, they aren't just comprised of letters, if that's what you mean. Escaping your input should be enough to prevent SQL injection; however, validating the input is extra security so that you KNOW you will not get unexpected results somewhere in your application. It doesn't necessarily mean that it will occur with the database, but it could very well be somewhere else. You always just want to know what to expect in a variable, and that is why we check :)

6:14 am on Feb 21, 2008 (gmt 0)
Junior Member (5+ Year Member; joined: Feb 6, 2008; posts: 94; votes: 0)

By validating, you mean that it's a required field, right? And also I found some videos on YouTube about the commands to get past and stuff, and I tried it all on my site, but none of them worked. I made some changes.

6:20 am on Feb 21, 2008 (gmt 0)
Senior Member eelixduppy (Top Contributor of All Time, 10+ Year Member; joined: Nov 12, 2005; posts: 5966; votes: 0)

>> By validating, you mean that it's a required field, right?

Not exactly. First off, by validation I do not mean measures to prevent SQL injection, but general security measures that should be taken. But an example of making sure the input is validated (clean) is, for instance, say you are looking for an integer to be input in a form. You want to first check to see if this is indeed an integer, and if it is not, prompt for it to be submitted again. And then once it is an integer, be safe and still escape it before using it in a query. The reason you want to validate it to make sure it is an integer is so that you don't get unexpected results from functions, etc., when you think you have an integer but in reality, with the validation, you may have a string of other random characters that will cause your application to fail.

6:26 am on Feb 21, 2008 (gmt 0)
Junior Member (5+ Year Member; joined: Feb 6, 2008; posts: 94; votes: 0)

Yeah, so should I make sure ONLY letters/numbers are included? Because I noticed to do an SQL injection they use the (') a few times, and the (-) and (=) sometimes. Would that be a good means of security, because I'm not sure how to make it not be used in a query or w/e.

6:57 am on Feb 21, 2008 (gmt 0)
Senior Member eelixduppy (Top Contributor of All Time, 10+ Year Member; joined: Nov 12, 2005; posts: 5966; votes: 0)

What you allow in the field is up to what you actually NEED to allow in the field. If you need to allow characters other than alphanumerics then you can without any further security issues, as long as you escape the data correctly. Here is an example:

#connect to db server, select database...
$input = $_POST['input'];
#validate input...
$query = "SELECT * FROM `table` WHERE `field` = '".mysql_real_escape_string($input)."'";
#etc...

This should sufficiently protect you from SQL injection.
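Putting together the "check it is an integer, then still escape it" advice from the earlier reply and the escaping example in this one, as an added example that is not code from the thread: the `validate_*` helpers, field and table names, and connection details are assumptions, mysqli is used because mysql_real_escape_string was removed in PHP 7 (real_escape_string on the connection object is its equivalent), and the prepared statement at the end is a technique the thread itself does not mention.

```php
<?php
// Added example, not code from the thread. Step 1 validates that input is what
// the field should hold; step 2 escapes it before it goes into a query. Written
// for mysqli since the mysql_* functions were removed in PHP 7. Host,
// credentials, table and column names are placeholders.

// Step 1a: integer field. FILTER_VALIDATE_INT rejects "12abc", "1 OR 1=1",
// "" and so on, so a later function never sees random characters.
function validate_article_id($raw)
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Step 1b: text field. Allow only what a name NEEDS: letters, digits, space,
// apostrophe and hyphen, 1-50 chars. The apostrophe stays allowed (O'Brien is
// a real name); step 2 is what keeps it harmless inside the SQL string.
function validate_name($raw)
{
    return preg_match('/^[A-Za-z0-9 \'\-]{1,50}$/', $raw) === 1 ? $raw : null;
}

// Step 2: escape. Even a validated value is escaped before use in a query;
// real_escape_string needs an open connection because it uses its charset.
function build_lookup_query(mysqli $db, $name)
{
    return "SELECT * FROM `articles` WHERE `author` = '"
         . $db->real_escape_string($name) . "'";
}

$db = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholders
if ($db->connect_error) {
    exit('Database connection failed.');
}

$id   = validate_article_id($_POST['id'] ?? '');
$name = validate_name($_POST['name'] ?? '');
if ($id === null || $name === null) {
    // Prompt for resubmission instead of guessing what was meant.
    http_response_code(400);
    exit('Please enter a numeric article id and a name using letters, digits, space, \' or -.');
}

$byAuthor = $db->query(build_lookup_query($db, $name));

// Same lookup by id with a prepared statement: the value is sent separately
// from the SQL text, so there is no escaping step that can be forgotten.
$stmt = $db->prepare('SELECT * FROM `articles` WHERE `id` = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
```

With a prepared statement the escaping in build_lookup_query becomes unnecessary for that query, which is why it is the usual recommendation for new code.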

7:11 am on Feb 21, 2008 (gmt 0)
Junior Member (5+ Year Member; joined: Feb 6, 2008; posts: 94; votes: 0)

Oh, so like this?:

$query = "SELECT * FROM `mahtable` WHERE `name` = '".mysql_real_escape_string($input)."'";

and then input would be the name of the field?

7:13 am on Feb 21, 2008 (gmt 0)
Senior Member eelixduppy (Top Contributor of All Time, 10+ Year Member; joined: Nov 12, 2005; posts: 5966; votes: 0)

yup

7:36 am on Feb 21, 2008 (gmt 0)
Junior Member (5+ Year Member; joined: Feb 6, 2008; posts: 94; votes: 0)

OK, but how do I make it for like a login field, because my login fields I don't think like connect to the database, it connects to my admin panel.