Snatchy (posted May 7, 2007): OK, well, we all keep hearing about it, but no one seems to be posting any fixes to the ongoing problem of MySQL injections. What do I need to do to stop this from happening?
Snatchy (author, posted May 7, 2007) Re: mysql injection

Well, let's start the checklist... lol.

- Got plenty of hours to put into it.
- When you say put checks in, how do I go about it?
- Not sure what you mean by URL manipulation.
- Malicious little fucks... yes, plenty of them, but I want to make it as hard as possible for the little fags to do it.

Hmmm, OK, so can we kick off the post with how we go about putting the SQL checks in? I know this is going to be a bit complicated, so one step at a time, and hours upon hours of getting it right... lol.

For instance, on my game with unequip, I need to make it do a check on the database so that people can't unequip items, doubling them in their inventory!
hamster01 (posted May 10, 2007): There are many ways to block SQL injections, and you need to be experienced.
Z?v?? (posted May 10, 2007): Wanna give a detailed description of how to block them? :wink:
hamster01 (posted May 10, 2007): Yes. And I suggest you look this up somewhere.
Snatchy (author, posted June 19, 2007): Is there a chance we can get an example of what a check is? I'm about halfway to understanding all this... lol... getting there slowly.
hamster01 (posted June 19, 2007): Well, say you have a script that gets an id through a $_GET variable, e.g.

    $get_id = $_GET['id'];

and then the URL:

    script.php?id=1

You will probably have a query like:

    $get_id = $_GET['id'];
    $query = mysql_query("SELECT * FROM table WHERE id='$get_id'", $connection);

Then someone goes and exploits it:

    script.php?id=1' UNION SELECT userpass FROM users WHERE userid=1 --

Now the query is:

    $get_id = $_GET['id'];
    $query = mysql_query("SELECT * FROM table WHERE id='1' UNION SELECT userpass FROM users WHERE userid=1 -- '", $connection);

That displays the userpass, which someone can crack.

Now for protection. Modify the script a little:

    $get_id = addslashes($_GET['id']);
    $get_id = htmlspecialchars($get_id);
    $query = mysql_query("SELECT * FROM table WHERE id='1 UNION SELECT userpass FROM users WHERE userid=1 --'", $connection);

Now that query is going to fail, because there is no such userid as: 1 UNION SELECT userpass FROM users WHERE userid=1 --

But my best advice is not to use $_GET at all.
Decepti0n (posted June 19, 2007): Why can't you use variables in the URL? If you escape the quotes, then you're fine. You don't need htmlspecialchars except when displaying data, and that's only to prevent HTML and JavaScript injection.
hamster01 (posted June 19, 2007), quoting Decepti0n: "Why can't you use variables in the URL? If you escape the quotes, then you're fine. You don't need htmlspecialchars except when displaying data, and that's only to prevent HTML and JavaScript injection."

Heard of XSS, aka CSS?
Decepti0n (posted June 19, 2007): CSS is Cascading Style Sheets, and I know what XSS is; that doesn't mean it's possible if you secure your game.
hamster01 (posted June 19, 2007): Cross-Site Scripting (CSS, aka XSS), which also stands for Cascading Style Sheets or Content Scrambling System.
Decepti0n (posted June 19, 2007): Yay, another pointless argument where you won't admit you're wrong and ignore the facts. If you escape that ' in your awesome SQL injection, it'll be

    ... WHERE id = '1 \' union ... '");

and it's not going to do anything.
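To make the three situations in this exchange concrete, here is an added example; it is not code from the original thread or from any of the posters. It uses PDO with an in-memory SQLite database so it runs without a MySQL server, and the table names items and users and the column userpass loosely follow hamster01's post and are assumptions. It runs hamster01's UNION payload against a raw interpolated query, then against a quote-escaped query (the point Decepti0n makes), then against a prepared statement.

```php
<?php
// Added example (not from the thread). In-memory SQLite via PDO so it runs
// anywhere PHP has pdo_sqlite. Table and column names are assumed, loosely
// following hamster01's post.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE items (id INTEGER, name TEXT)");
$db->exec("CREATE TABLE users (userid INTEGER, userpass TEXT)");
$db->exec("INSERT INTO items VALUES (1, 'sword'), (2, 'shield')");
$db->exec("INSERT INTO users VALUES (1, 'secret_hash')");

// The payload from the thread: closes the quoted literal, appends a UNION
// (same column count as the outer SELECT), and comments out the trailing quote.
$payload = "1' UNION SELECT userpass FROM users WHERE userid=1 -- ";

// 1. Vulnerable: user input is interpolated straight into the SQL text.
function lookup_vulnerable(PDO $db, string $id): array {
    $sql  = "SELECT name FROM items WHERE id='$id'";
    $rows = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
    sort($rows);  // UNION output order is not guaranteed; sort for display
    return $rows;
}

// 2. Escaped: PDO::quote() doubles the embedded quote, so the whole payload
//    is one string literal and no row has that id. This is what
//    mysql_real_escape_string did for the old mysql extension.
function lookup_escaped(PDO $db, string $id): array {
    $sql  = "SELECT name FROM items WHERE id=" . $db->quote($id);
    $rows = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
    sort($rows);
    return $rows;
}

// 3. Prepared statement: the SQL text never contains user data; the value is
//    sent separately and cannot change the statement's structure.
function lookup_prepared(PDO $db, string $id): array {
    $stmt = $db->prepare("SELECT name FROM items WHERE id = ?");
    $stmt->execute([$id]);
    $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
    sort($rows);
    return $rows;
}

print_r(lookup_vulnerable($db, $payload)); // secret_hash, sword: the hash leaks
print_r(lookup_escaped($db, $payload));    // empty
print_r(lookup_prepared($db, $payload));   // empty
print_r(lookup_prepared($db, '1'));        // sword
```

Two caveats the thread does not spell out. Escaping only helps when the value sits inside a quoted literal: `WHERE id=$id` with no quotes is still injectable after addslashes or any escaping function, because the attacker never needs a quote character. And addslashes is not aware of the connection's character set, which is why the mysql extension provided mysql_real_escape_string. Prepared statements (PDO or mysqli) avoid both problems because the query text never contains user data at all.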
kylestev (posted September 29, 2008): Where do you put them??
Floydian (posted September 29, 2008): Someone said not to use GET at all. That's a bogus recommendation. It's actually easy to POST to a server manually. And if you're relying on filtering out the folks that don't know how to POST from those that do, then you're filtering out the less capable people, which means you're leaving open holes for the folks that are more capable.

I use $_REQUEST for almost everything. Naturally $_REQUEST is the most open of all because it accepts GET, POST AND cookie. It gives me far more flexibility in programming. The catch, though, is that ALL USER INPUT should be SECURED. So it doesn't matter where I get data from; it only matters what I do with it. Hence I recommend everyone use $_REQUEST, as it's far more convenient.
Guest Anonymous (posted September 29, 2008): While I agree with Floydian's first part, the second perhaps needs a little discussion. Personally I'd be all in favor if the devs at PHP ditched the $_REQUEST superglobal. It forces you to make assumptions about the environment which are correct 99% of the time, but when we look at protecting systems, it's the 1% we are interested in.

And with regard to the statement "The catch though is that ALL USER INPUT should be SECURED...", I suggest that this applies to *whatever* mechanism you use. $_REQUEST is still an array of data, collating information (as Floydian quite correctly points out) from $_GET, $_POST and $_COOKIE, so it really matters not where you get data from. Everything the user types in, or sends to your server in any form, MUST be considered suspect and sanitized thoroughly.
Zero-Affect (posted September 30, 2008): Editing a post is simple. Take login.php, for instance: view source, copy the content, save it as login.php, link any / to the actual site, then you can get past any "-", "_" or " " restrictions. The same goes for register. This method is also usable in SQL injections etc.
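As an added example (not code from the thread or from any of the posters) of the point Floydian, Anonymous and Zero-Affect converge on: the check has to happen on the server, against the data itself, whichever superglobal it arrived in, because a saved and edited copy of the login form defeats any restriction the HTML or JavaScript imposed. The helpers below take the input array as a parameter so one rule covers $_GET, $_POST and $_COOKIE alike. The username policy (3 to 16 letters, digits or underscores) is an assumed rule for illustration, and the three requests are constructed.

```php
<?php
// Added example (not from the thread). Validators take the input array
// explicitly so the same rule applies no matter which superglobal it came
// from. The username policy below is an assumed rule for illustration.

// Accepts only a plain unsigned decimal string; returns null otherwise.
function require_int(array $source, string $key): ?int {
    // isset + is_string rejects missing keys and arrays (e.g. ?id[]=1).
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null;
    }
    // ctype_digit rejects signs, spaces, quotes and SQL payloads alike;
    // the length cap keeps the value inside int range.
    if (!ctype_digit($source[$key]) || strlen($source[$key]) > 9) {
        return null;
    }
    return (int) $source[$key];
}

// Whitelist of allowed characters and length; anything else is rejected,
// regardless of what the HTML form or client-side script allowed.
function require_username(array $source, string $key): ?string {
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null;
    }
    return preg_match('/\A[A-Za-z0-9_]{3,16}\z/', $source[$key]) === 1
        ? $source[$key]
        : null;
}

// Constructed requests: the same kinds of payload arriving via GET, POST and
// cookie. The cookie "user" value is what an edited local copy of the form
// could send past a client-side "no spaces or dashes" rule.
$payload  = "1' UNION SELECT userpass FROM users WHERE userid=1 -- ";
$requests = [
    'GET'    => ['id' => '1',      'user' => 'snatchy'],
    'POST'   => ['id' => $payload, 'user' => "admin' --"],
    'COOKIE' => ['id' => '07',     'user' => 'a b-c'],
];

foreach ($requests as $via => $input) {
    echo $via, ": ";
    var_dump(require_int($input, 'id'), require_username($input, 'user'));
}
// GET:    int(1)  string(7) "snatchy"
// POST:   NULL    NULL
// COOKIE: int(7)  NULL
```

The validated value, not the raw superglobal entry, is what goes on to the query (ideally as a bound parameter); a value that fails validation is rejected outright rather than "cleaned up", since guessing what the user meant is where filters tend to go wrong.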