Protecting against SQL Injection Attacks & the like

8:51 pm on Feb 8, 2010 (gmt 0) | Preferred Member, joined June 11, 2003, posts: 417


Hi,

I'm building a site in PHP & MySQL. I'm looking for what I need to do in order to protect the site from SQL injection and other attacks.

It's on a shared hosting account, and unfortunately there doesn't seem to be any support for "mysqli_connect" (which seems to offer the best protection from what I've read so far).

Aside from placing "strip_tags()" around all POST & GET requests, are there other things I can do?

Thanks
9:02 pm on Feb 8, 2010 (gmt 0) | Preferred Member, joined June 11, 2003, posts: 417


E.g. currently I'm doing:

$abc=addslashes(strip_tags($_POST['abc']));

Should I also be doing a str_replace for words like "SELECT" etc?
9:22 pm on Feb 8, 2010 (gmt 0) | dreamcatcher, Senior Member, joined Mar 30, 2003, posts: 3719


Hi TravelSite,

This thread in our library may help:
[webmasterworld.com...]

dc
9:36 pm on Feb 8, 2010 (gmt 0) | Junior Member, joined Mar 19, 2009, posts: 165


Aside from the useful thread linked above... The most straightforward way of doing it is to apply the PHP MySQL "escape" function to any user input that is going to touch the database. Such as follows:

$firstname = mysql_real_escape_string($_REQUEST['firstname']);
//then use var 'firstname' where needed; etc


The reason I say most straightforward is that it will escape any characters that could cause harm. However, my understanding is that this is not 100% secure; but that it is significantly more secure than doing "add slashes" or "strip tags".

If you wish to "strip tags", I would do so... but after "real escape" is run on it first.

To be even safer, I usually run a regular expression against the input to automatically trash any unknown or unexpected characters. For example, if I'm asking for an 'age' and know that it should be returned as a number, I'll run a reg. exp. against it to strip out any non-numeric characters... and then use this result in the scripting (to validate, to put in DB, etc). This combined with the "real escape" function helps to stem injection by properly escaping and properly controlling input.
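As an added illustration of the validate-then-escape approach described in the post above (example code, not from any poster in this thread; the table and column names users, firstname and age are assumed), with the parameter-binding alternative for hosts that do provide PDO or mysqli:

```php
<?php
// Added example, not code from the thread. Two layers: validate input against
// the shape the field is supposed to have, then escape whatever reaches the
// query. Table/column names (users, firstname, age) are assumed.

// 1. Validation: keep only what the field should contain. Reject (return
// null) rather than silently stripping, so a bad value never reaches the DB.
function validateAge($raw) {
    // Whitelist: one to three digits, nothing else.
    return preg_match('/^\d{1,3}$/', $raw) ? (int) $raw : null;
}

function validateFirstname($raw) {
    $raw = trim($raw);
    // Letters, spaces, hyphens and apostrophes, bounded length.
    return preg_match("/^[\p{L} '\-]{1,50}$/u", $raw) ? $raw : null;
}

// 2. Escaping with the legacy mysql extension (what the thread discusses).
// The escape alone is not enough: the escaped value must still sit inside
// quotes in the SQL, and the connection charset must be set so the escaping
// matches the server's encoding.
function buildUserInsertLegacy($link, $firstname, $age) {
    mysql_set_charset('utf8', $link);
    $fn = mysql_real_escape_string($firstname, $link);
    // $age is already an int from validation, so it is cast, not quoted.
    return "INSERT INTO users (firstname, age) VALUES ('$fn', " . (int) $age . ")";
}

// 3. Where PDO (or mysqli) is available, bind parameters instead of building
// SQL strings; the data never becomes part of the statement text.
function insertUserPdo(PDO $pdo, $firstname, $age) {
    $stmt = $pdo->prepare('INSERT INTO users (firstname, age) VALUES (:fn, :age)');
    $stmt->bindValue(':fn', $firstname, PDO::PARAM_STR);
    $stmt->bindValue(':age', $age, PDO::PARAM_INT);
    return $stmt->execute();
}

// Constructed sample input, standing in for $_POST.
$post = array('firstname' => "O'Brien", 'age' => '42');
$firstname = validateFirstname($post['firstname']);
$age = validateAge($post['age']);
if ($firstname === null || $age === null) {
    die('Invalid input');
}
```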
10:18 pm on Feb 8, 2010 (gmt 0) | Preferred Member, joined June 11, 2003, posts: 417


Hi dreamcatcher & CyBerAliEn,

- Thanks for the info. I've started changing things to use mysql_real_escape_string, and will read through the rest of it shortly.

Paul.