Jump to content
MakeWebGames

mysql injection


Snatchy
 Share

Recommended Posts

Re: mysql injection

well lets start the check list...lol..

- got plenty of hours to put into it.

- when you say put checks in... how do i go about it?

- Not sure what you mean by URL manipulation.

- malicious little fucks.... yes, plenty of them, but I want to make it as hard as possible for the little fags to do it.

hmmmm ok so can we kick off the post with how do we go about putting the sql checks in?

I know this is going to be a bit complicated so one step at a time and hours upon hours of getting it right....lol.

for instance on my gme with unequip, i need to make it do a check on the database so that people can't unequip items, doubling them in their inventory!

Link to comment
Share on other sites

  • 1 month later...

Re: mysql injection

Well, say you have an script that get an id trough a $_GET variable.

ex:

$get_id = $_GET['id'];

and then the url:

script.php?id=1

You will properbly have a query like:

$get_id = $_GET['id'];
$query = mysql_query("SELECT * FROM table WHERE id='$get_id'",$connection);

 

Then someone goes an exploit it:

?script.php?id=1' UNION SELECT userpass FROM users WHERE userid=1 --

 

Now the query is:

$get_id = $_GET['id'];
$query = mysql_query("SELECT * FROM table WHERE id='1' UNION SELECT userpass FROM users WHERE userid=1",$connection);

 

Then that displays the uerpass that someone can crack.

Now for protection.

Modifiy the script a little:

$get_id = addslashes($_GET['id']);
$get_id = htmlspeacialchars($get_id);
$query = mysql_query("SELECT * FROM table WHERE id='1 UNION SELECT userpass FROM users WHERE userid=1 --'",$connection);

 

now that query is going to fail, because there is no such userid as:

1 UNION SELECT userpass FROM users WHERE userid=1 --

 

But my best advice is not to use $_GET at all.

Link to comment
Share on other sites

  • 1 year later...

Re: mysql injection

Someone said not to use get at all. That's a bogus recommendation. It's actually easy to post to a server manually. And if you're relying on filtering the folks that don't know how to post vs those that do, then you're filtering out the less capable people, which means you're leaving open holes to the folks that are more capable.

I use request for almost everything. Naturally request is the most open of all because it accepts get, post AND cookie. It gives me far more flexibility in programming. The catch though is that ALL USER INPUT should be SECURED. So it doesn't matter where I get data from, it only matters what I do with it. Hence I recommend everyone use request as it's far more convenient.

Link to comment
Share on other sites

Guest Anonymous

Re: mysql injection

While I agree with Floydian's first part, the second perhaps needs a little discussion.

Personally I'd be all in favor if the devs. at PHP ditched the $_REQUEST super global. It forces you to make assumptions about the environment which are correct in 99% of the time, but when we look at protecting systems -- it's the 1% we are interested in.

And with regard to the statement "The catch though is that ALL USER INPUT should be SECURED..." I suggest that this applies to *whatever* mechanism you use. _REQUEST is still an array of data - collating information (as Floydian quite correctly points out) from _GET, _POST and _COOKIE, so it really matters not where you get data from - Everything the user types in, or sends to your server in any form, MUST be considered suspect and sanitized thoroughly.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...