
Protecting against SQL Injection Attacks & the like

     

TravelSite

8:51 pm on Feb 8, 2010 (gmt 0)

10+ Year Member



Hi,

I'm building a site in PHP & MySQL. I'm looking for what I need to do in order to protect the site from sql injection and other attacks.

It's on a shared hosting account, and unfortunately there doesn't seem to be any support for "mysqli_connect" (which seems to offer the best protection from what I've read so far).

Aside from placing "strip_tags()" around all POST & GET requests, are there other things I can do?

Thanks

TravelSite

9:02 pm on Feb 8, 2010 (gmt 0)

10+ Year Member



E.g. currently I'm doing:

$abc=addslashes(strip_tags($_POST['abc']));

Should I also be doing a str_replace for words like "SELECT" etc?

dreamcatcher

9:22 pm on Feb 8, 2010 (gmt 0)

WebmasterWorld Senior Member dreamcatcher is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Hi TravelSite,

This thread in our library may help:
[webmasterworld.com...]

dc

CyBerAliEn

9:36 pm on Feb 8, 2010 (gmt 0)

5+ Year Member



Aside from the useful thread linked above... The most straightforward way of doing it is to implement the PHP MySQL "escape" function to any user input that is going to touch the database. Such as follows:

$firstname = mysql_real_escape_string($_REQUEST['firstname']);
//then use var 'firstname' where needed; etc


The reason I say most straightforward is that it will escape any characters that could cause harm. However, my understanding is that this is not 100% secure; but that it is significantly more secure than doing "add slashes" or "strip tags".

If you wish to "strip tags", I would do so... but after "real escape" is run on it first.

To be even safer, I usually run a regular expression against the input to automatically trash any unknown or unexpected characters. For example, if I'm asking for an 'age' and know that it should be returned as a number, I'll run a reg. exp. against it to strip out any non-numeric characters... and then use this result in the scripting (to validate, to put in DB, etc). This combined with the "real escape" function helps to stem injection by properly escaping and properly controlling input.
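The two ideas in this answer, shown side by side as an added example (not code from the poster or from this thread): a lookup with the user value concatenated into the SQL, the same lookup as a prepared statement, and a whitelist check for a numeric field. It assumes PHP's PDO extension with the sqlite driver so the constructed table runs offline; on a MySQL host the PDO calls are the same with a mysql DSN.

```php
<?php
// Added example: a constructed in-memory SQLite table stands in for the site's
// MySQL database. Assumes the PDO extension with the sqlite driver is present.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER, firstname TEXT, age INTEGER)");
$db->exec("INSERT INTO users VALUES (1, 'Paul', 34), (2, 'Ann', 29)");

// Constructed hostile value. strip_tags() leaves it untouched because it
// contains no HTML, which is why tag stripping is not an SQL defence.
$hostile = "x' OR '1'='1";

// 1. Vulnerable: user input spliced into the SQL text. The quote in the
//    value closes the literal early and the injected OR matches every row.
function findVulnerable(PDO $db, string $firstname): array {
    $sql = "SELECT id FROM users WHERE firstname = '$firstname'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Hardened: a prepared statement sends the value separately from the
//    SQL, so it is only ever compared as data and cannot change the query.
//    This is the effect escaping tries to approximate by hand.
function findSafe(PDO $db, string $firstname): array {
    $stmt = $db->prepare("SELECT id FROM users WHERE firstname = ?");
    $stmt->execute([$firstname]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Input control for a field like 'age': accept only what the field can
//    legitimately hold and reject the rest, instead of stripping characters
//    and guessing at what the user meant.
function validateAge(string $raw): ?int {
    if (!ctype_digit($raw) || (int)$raw > 150) {
        return null; // rejected before it gets anywhere near a query
    }
    return (int)$raw;
}

var_dump(findVulnerable($db, $hostile)); // the injected condition matches every user
var_dump(findSafe($db, $hostile));       // empty: nobody is literally named that
var_dump(validateAge('34'));
var_dump(validateAge('34 OR 1=1'));      // null: not a plain integer
```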

TravelSite

10:18 pm on Feb 8, 2010 (gmt 0)

10+ Year Member



Hi dreamcatcher & CyBerAliEn,

- Thanks for the info. I've started changing things to use mysql_real_escape_string, and will read through the rest of it shortly.

Paul.