Data Safe - SQL Injection

#1 cancer10, Feb 27th, 2008

Hi,

This is an interesting question (in my humble opinion).

I am trying to create a forum in PHP. So there is a "Post a new Thread" link, clicking on which would open a textarea field for posting a message and a textbox for the "title".

Now, I don't want people to SQL inject queries through the textarea or the textbox field.

So I have created this function for the same.


  function dbsafe($data){
      $data = str_replace('select','',$data);
      $data = str_replace('alter','',$data);
      $data = str_replace('delete','',$data);
      $data = str_replace('replace','',$data);
      return $data;
  }


Now, though the above function would secure my db up to some extent, the only limitation I can see is that my members/visitors will not be able to use the words "select", "alter", "delete", "replace" in their threads even though they want to use them (not for SQL injection purposes).


So, I had to change my dbsafe function to the following:

  function dbsafe($data){
      $data = str_replace('tbl_members','',$data);
      $data = str_replace('tbl_login','',$data);
      $data = str_replace('tbl_details','',$data);
      $data = str_replace('tbl_orders','',$data);
      return $data;
  }

OK, so now my function would replace my database tables if the attacker intends to destroy or misuse them using any SQL statements.

Now my question is that:

1) Which one of the above 2 functions is better, do you think?
2) Also, in my second function, is there a way the attacker could hamper my database without using my table names?


Please guide and help.

Need your opinion


Thanks so much in advance

#2 ryan_vietnow, Feb 27th, 2008

Why not try to use the mysql_real_escape_string function?

Here I have made one:

  // Legacy ext/mysql code (PHP 5): mysql_real_escape_string() needs an open
  // mysql_connect() link and was removed in PHP 7; get_magic_quotes_gpc()
  // was removed in PHP 8.
  function antiinject($var)
  {
      // undo the slashes magic_quotes_gpc already added, so that they are
      // not escaped a second time
      if (get_magic_quotes_gpc())
      {
          $var1=stripslashes($var);
      }
      else
      {
          $var1=$var;
      }
      // escape the characters MySQL needs escaped inside a quoted literal
      return mysql_real_escape_string($var1);
  }

Hope this helps.

#3 cancer10, Feb 27th, 2008

What does your function do?

Please explain.
Last edited by cancer10; Feb 27th, 2008 at 1:45 am.

#4 nav33n, Feb 27th, 2008

See this, Example 2.

#5 ryan_vietnow, Feb 27th, 2008

About your 2 functions, I think the 2nd function is better, but the attacker can destroy not just your tables but the whole database itself:

  drop database [database name];

stripslashes un-quotes a quoted string that is used in SQL statements, therefore escaping all quotes and making the injection useless.

The function checks if get_magic_quotes_gpc is on to prevent double escaping of quotes.

#6 cancer10, Feb 27th, 2008

Thanks, ryan, for the detailed explanation. Appreciate it.

So you think both the functions "get_magic_quotes_gpc" and "mysql_real_escape_string" are being used in all professional forums to prevent injections?

#7 ryan_vietnow, Feb 27th, 2008

There are many ways to prevent SQL injection attacks, friend.

Try to check this link. Very helpful to me and I think it will be helpful to you also.

http://www.jonlee.ca/how-to-prevent-...ction-attacks/

#8 MattEvans, Feb 27th, 2008

The way to look at injection protection is not to "take the bad things out" but to "only let the good things in". There is, funnily enough, a big difference.

Properly quoting the input text to make it impotent is a reasonable strategy in this case, since you're accepting a wide range of legal input characters; but for a web forum also consider sanitising HTML markup in any uploaded data, since you don't want anonymous people posting working JavaScript onto your hosted pages. It's not a risk to your server, or even users' machines -- but it can be used to steal online identities.

As for the professional forum software, most are open source so you could have a look at how they do it. It's a good bet they use either the builtin PHP string escape methods as ryan suggested; or regular expression based sanitisers; or state-based parsers as sanitisers.

Sanitising using string-wide replace operations as you suggested in the original two examples is not even marginally safe. Consider this input (to your first sanitiser):

  deldeleteete * from *

Your code will replace the highlighted instance of delete, creating a new delete as it does so, which will subsequently go unnoticed (since that's how replace works). Yay!
Last edited by MattEvans; Feb 27th, 2008 at 3:09 am.
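The following is an added example and not code from anyone in this thread. Its first part reproduces cancer10's first dbsafe() filter and runs it over the input MattEvans gives above, to show that a single-pass keyword blacklist reassembles the very word it removed and also mangles ordinary text. Its second part shows the approach the thread keeps circling: a prepared statement, where the post title is bound as a parameter and the database never parses it as SQL, so the question of which keywords to forbid disappears. Everything beyond dbsafe() is assumed for the example: the in-memory SQLite database opened through PDO, the constructed posts table with title and body columns, the sample title, and the helper names openDatabase, insertPost, fetchTitle and expect.

```php
<?php
// Added example for this thread (not cancer10's or ryan_vietnow's code).
// Part 1: cancer10's first filter against MattEvans's input from post #8.
// Part 2: the same kind of text stored through a PDO prepared statement.
// The posts table, its columns and the sample title are constructed here;
// an in-memory SQLite database is used so the script runs offline.

function dbsafe(string $data): string
{
    // cancer10's first filter, behaviour unchanged: one str_replace per word.
    foreach (['select', 'alter', 'delete', 'replace'] as $word) {
        $data = str_replace($word, '', $data);
    }
    return $data;
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Part 1: the blacklist is not idempotent. Removing the inner "delete" from
// "deldeleteete" joins the surrounding "del" and "ete" into a fresh "delete",
// which the already-finished replace never sees. Harmless words suffer too.
expect(dbsafe('deldeleteete') === 'delete', 'filter reassembles the keyword it removed');
expect(dbsafe('please select a title') === 'please  a title', 'filter mangles ordinary text');

// Part 2: prepared statements. The SQL text is fixed when prepare() is called;
// execute() supplies values through placeholders, so user input is never
// parsed as part of the statement.
function openDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY AUTOINCREMENT, title TEXT NOT NULL, body TEXT NOT NULL)');
    return $pdo;
}

function insertPost(PDO $pdo, string $title, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO posts (title, body) VALUES (:title, :body)');
    $stmt->execute([':title' => $title, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function fetchTitle(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT title FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $title = $stmt->fetchColumn();
    return $title === false ? null : (string) $title;
}

$pdo = openDatabase();
// Constructed title: SQL keywords, quotes and a comment marker, all of it
// legitimate forum text as far as the application is concerned.
$title = "How do I select, alter or delete a row? It's 'quoted' -- see replace()";
$id = insertPost($pdo, $title, 'Constructed post body.');

expect(fetchTitle($pdo, $id) === $title, 'title stored and read back unchanged');
expect((int) $pdo->query('SELECT COUNT(*) FROM posts')->fetchColumn() === 1, 'exactly one row, no extra statement ran');
echo "Stored: " . fetchTitle($pdo, $id) . PHP_EOL;
```

Run it from the command line with php. Against MySQL the query code is identical with the mysql PDO driver; there you would additionally set PDO::ATTR_EMULATE_PREPARES to false so that the server, rather than the client library, binds the parameters.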

#9 cancer10, Mar 2nd, 2008

Originally Posted by ryan_vietnow:

  Why not try to use the mysql_real_escape_string function?

  Here I have made one:

    function antiinject($var)
    {
        if (get_magic_quotes_gpc())
        {
            $var1=stripslashes($var);
        }
        else
        {
            $var1=$var;
        }
        return mysql_real_escape_string($var1);
    }

  Hope this helps.

Will this function prevent my users from inserting PHP tags into the db?

Like <?php phpingo();?> etc?

#10 ryan_vietnow, Mar 3rd, 2008

mysql_real_escape_string is used for SQL statements only.

Here, I have made a function to delete these tags.

  function deletephptags($var)
  {
      // nothing to do when there is no opening tag
      if (strpos($var, '<?php') === false)
      {
          return $var;
      }
      //$b gets the text after the <?php tag..
      list($a, $b) = explode('<?php', $var, 2);
      // no closing tag: drop the tag and everything after it
      if (strpos($b, '?>') === false)
      {
          return $a;
      }
      //$c gets the text after <?php and before the ending tag..
      list($c, $d) = explode('?>', $b, 2);
      //deletes the php tags and the code inside them..
      $data = str_replace('<?php' . $c . '?>', '', $var);
      //return the new string....
      return $data;
  }

Enjoy!
Last edited by ryan_vietnow; Mar 3rd, 2008 at 2:44 am.
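An added example, not ryan_vietnow's code, on the question cancer10 raised in #9. Text sitting in a database column is only text: PHP never executes a stored "<?php ... ?>" unless some later code hands it to eval() or include(). The place that needs care is the page that prints the post back, which is the point MattEvans makes about HTML and JavaScript in #8: encode every HTML metacharacter on output so the browser displays the characters instead of parsing them, and then neither PHP tags nor script tags need to be hunted down on the way in. The renderPostBody and markupLeaked helpers and the sample posts are constructed for this example.

```php
<?php
// Added example for this thread (not ryan_vietnow's code). Shows output
// encoding of stored post text with htmlspecialchars(); the helpers and
// the sample posts are constructed here.

function renderPostBody(string $stored): string
{
    // ENT_QUOTES encodes both quote styles (needed if the text ever lands in
    // an attribute); ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string, which would silently blank a whole post.
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<p>' . $safe . '</p>';
}

// Strip the fixed wrapper and report whether any character that could open a
// tag or break out of an attribute survived the encoding.
function markupLeaked(string $html): bool
{
    $inner = substr($html, strlen('<p>'), -strlen('</p>'));
    return strpbrk($inner, '<>"\'') !== false;
}

// Constructed sample posts, exactly as a prepared statement would store them:
// a PHP tag, a script tag, an attribute break-out, and ordinary text.
$samples = [
    'php tag'   => '<?php phpingo(); ?>',
    'script'    => '<script>alert(1)</script>',
    'attribute' => '" onmouseover="alert(1)',
    'plain'     => "Quotes like O'Brien & <tags> are shown literally",
];

foreach ($samples as $label => $text) {
    $html = renderPostBody($text);
    if (markupLeaked($html)) {
        throw new RuntimeException("$label: markup survived output encoding");
    }
    echo str_pad($label, 10) . $html . PHP_EOL;
}
```

A string match on "<?php", as in deletephptags(), can be sidestepped by different casing or spacing of the tag; encoding at output time does not care how the tag was written, because every "<", ">", quote and ampersand is converted regardless of what surrounds it.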
©2003 - 2009 DaniWeb® LLC