MakeWebGames

mysql injection


Snatchy


Re: mysql injection

Well, let's start the checklist...lol..

- got plenty of hours to put into it.

- when you say put checks in... how do I go about it?

- Not sure what you mean by URL manipulation.

- malicious little fucks.... yes, plenty of them, but I want to make it as hard as possible for the little fags to do it.

hmmmm ok so can we kick off the post with how do we go about putting the sql checks in?

I know this is going to be a bit complicated so one step at a time and hours upon hours of getting it right....lol.

For instance, on my game with unequip, I need to make it do a check on the database so that people can't unequip items, doubling them in their inventory!


  • 1 month later...

Re: mysql injection

Well, say you have a script that gets an id through a $_GET variable.

ex:

$get_id = $_GET['id'];

and then the url:

script.php?id=1

You will probably have a query like:

$get_id = $_GET['id'];
$query = mysql_query("SELECT * FROM table WHERE id='$get_id'",$connection);

Then someone goes and exploits it:

script.php?id=1' UNION SELECT userpass FROM users WHERE userid=1 --

Now the query is:

$get_id = $_GET['id'];
$query = mysql_query("SELECT * FROM table WHERE id='1' UNION SELECT userpass FROM users WHERE userid=1",$connection);

Then that displays the userpass that someone can crack.

Now for protection.

Modify the script a little:

$get_id = addslashes($_GET['id']);
$get_id = htmlspecialchars($get_id);
$query = mysql_query("SELECT * FROM table WHERE id='1 UNION SELECT userpass FROM users WHERE userid=1 --'",$connection);
Now that query is going to fail, because there is no such userid as:

1 UNION SELECT userpass FROM users WHERE userid=1 --
But my best advice is not to use $_GET at all.

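An added example (not code from any poster in this thread) that puts the concatenated query from the post above next to a parameterized one, using PDO because mysql_query() was removed in PHP 7.0. The items/users tables, their contents, the in-memory SQLite database (needs the pdo_sqlite extension) and the function names are constructed for illustration.

```php
<?php
// Added example: constructed schema and data, in-memory SQLite so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("CREATE TABLE users (userid INTEGER PRIMARY KEY, userpass TEXT)");
$db->exec("INSERT INTO items VALUES (1, 'sword')");
$db->exec("INSERT INTO users VALUES (1, 'constructed-password-hash')");

// Vulnerable pattern from the post: the input is spliced into the SQL text,
// so a quote in the input ends the string literal and the rest runs as SQL.
function lookup_concat(PDO $db, string $id): array {
    $sql = "SELECT name FROM items WHERE id='$id'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: check the type first, then bind the value so the database
// receives it as data and never parses it as part of the statement.
function lookup_bound(PDO $db, string $id): array {
    $int = filter_var($id, FILTER_VALIDATE_INT);
    if ($int === false) {
        return [];   // not an integer id: reject before touching the database
    }
    $stmt = $db->prepare("SELECT name FROM items WHERE id = :id");
    $stmt->bindValue(':id', $int, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A normal id, then the id value from the post's example URL.
$payload = "1' UNION SELECT userpass FROM users WHERE userid=1 --";
foreach (['1', $payload] as $id) {
    echo "id = $id\n";
    echo "  concat: " . json_encode(lookup_concat($db, $id)) . "\n";
    echo "  bound:  " . json_encode(lookup_bound($db, $id)) . "\n";
}
```

The same two functions behave identically whether `$id` arrives via $_GET, $_POST, $_COOKIE or $_REQUEST; only the concatenated version returns the row from `users`.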

  • 1 year later...

Re: mysql injection

Someone said not to use get at all. That's a bogus recommendation. It's actually easy to post to a server manually. And if you're relying on filtering the folks that don't know how to post vs those that do, then you're filtering out the less capable people, which means you're leaving open holes to the folks that are more capable.

I use request for almost everything. Naturally request is the most open of all because it accepts get, post AND cookie. It gives me far more flexibility in programming. The catch though is that ALL USER INPUT should be SECURED. So it doesn't matter where I get data from, it only matters what I do with it. Hence I recommend everyone use request as it's far more convenient.


Guest Anonymous

Re: mysql injection

While I agree with Floydian's first part, the second perhaps needs a little discussion.

Personally I'd be all in favor if the devs. at PHP ditched the $_REQUEST super global. It forces you to make assumptions about the environment which are correct in 99% of the time, but when we look at protecting systems -- it's the 1% we are interested in.

And with regard to the statement "The catch though is that ALL USER INPUT should be SECURED..." I suggest that this applies to *whatever* mechanism you use. _REQUEST is still an array of data - collating information (as Floydian quite correctly points out) from _GET, _POST and _COOKIE, so it really matters not where you get data from - Everything the user types in, or sends to your server in any form, MUST be considered suspect and sanitized thoroughly.
