matto
May 1 2006, 04:00 AM
Hey there trap17 community.
As a re-instated (not officially or anything) PHP programmer (I'm about to get started on the first site I've designed in about 2 years), but never really having been into taking care of security issues in the past, I'd like some help in figuring out what SQL injections are and how I might prevent them from taking place on my website. I know they have to do with putting some symbols into forms on your page, but... what can specifically be done to counter them?
And I know that there are some XSS things too that serve as some security issues... what exactly are these, and how might they be prevented?
Thank you =D
Reply
leeleelee
May 1 2006, 04:05 AM
Sounds too complicated for me. What is the difference and advantage of using PHP over HTML for sites?
Reply
Saint_Michael
May 1 2006, 04:09 AM
Besides it being off topic to answer your question, PHP makes websites more dynamic, and PHP can also be used to make hard work easy if you know what to do. But on the topic at hand, the best way to find out how to prevent SQL injections is to go to security websites and see what they have for patches and whatnot.
Reply
matto
May 1 2006, 04:11 AM
Do you have any you would be so kind as to recommend?
Reply
Saint_Michael
May 1 2006, 04:24 AM
Well, there are a lot of sites, but the main issue is that there are patches for anything and everything related to PHP/MySQL; you would have to be very specific in your searches to find the right patches to correct the problem. One website I found: http://www.sqlsecurity.com/ The best thing to do is google SQL injections and click the first 20 sites and see what they have and whatnot.
Reply
jlhaslip
May 1 2006, 04:29 AM
The first rule of accepting input from a user is "NEVER Trust User Input". Use techniques like stripping the HTML tags and escaping "special characters" out of their input before printing or storing the information, altering br's to newlines; basically, assume there is something dangerous to your site in the input and inoculate it before it has a chance to do any damage. Also, ensure that the access to your data and databases is never revealed. Disable error reporting so errors don't display on a client's screen, remove the files from web-accessible paths, and use methods that do not reveal the information on a "view source". These are some of the most common techniques used for securing the site.
Reply
WindAndWater
May 1 2006, 05:27 AM
To build on what jlhaslip said, the standard way to do all that is:

```php
$safeVar = stripslashes(strip_tags($unsafeVar));
```

It's not perfect, but it does protect you against most injection attacks. If you're considering having any kind of username/password login, the only really secure way to do it is to use SSL. However, if you can't do it that way, you can use a JavaScript implementation of SHA-256 (or failing that, SHA-1) to encode the password after it's added to a predefined key. However, the encoded password can still be intercepted and used to gain access to a user's account. Under no circumstances use MD5 encryption for anything other than generating hash tables.
Reply
Kioku
May 14 2006, 10:12 PM
I seriously doubt there's any 100% safe way to protect yourself from attacks like that. jlhaslip raises some good points. It's impossible to completely protect yourself, in my opinion at least. There's always some vulnerability.
Reply
shadowx
May 16 2006, 08:29 PM
As I understand SQL injections, it is a way to send a modified query to the database. I think the simplest and easiest to protect against is writing a query into the URL of the querying page. E.g.: the processing page is process.php, the normal query is "SELECT * FROM here WHERE blah=$blah". Some pages would store variables in the URL or use the GET method, so for example: process.php?blah=something_else. A VERY simple SQL injection would be loading the page as: process.php?blah=* and then all database entries would be retrieved. A simple way to protect against that is using the above methods to protect against special characters being used, and any sensitive variables being sent from a form using the POST method; that way no one can see them and use them for anything, and if they try entering variables in the URL they will be ignored. Also, what I have done, because I use POST, is tell my PHP to only load the variables from the POST array:

```php
$var2 = $_POST['var1'];
```

rather than

```php
$var2 = $var1;
```

I remember with a previous host I could use the second option of not including the POST or GET arrays, as it would select them automatically; I thought that could be a problem if someone submits a bad value in the URL and it gets selected over the good variable. I hope that all made sense. Just always remember to keep regular backups of files and databases, keep good logs running to track bad users and report them if you need to, and let people know you are watching them and will take action.
Reply
Bradley
May 16 2006, 09:00 PM
There used to be an extremely dangerous one with the old versions of phpBB where it would be like ?u=2, where the 'u' stood for user; you could replace the number 2 with SQL queries and insert and retrieve rows to and from the database. This has been fixed. Just make sure you change characters into entity values, e.g. ">" would become "&gt;". Secure your forms; make sure they were submitted from your site, not typed in. Look around on Google for PHP security. If you're worried about forum or CMS software, most of the exploits have been found and identified, so you won't need to worry about them. Just check your coding if you're doing it manually.
Reply
Latest Entries
rsf
Jan 24 2007, 04:56 AM
Always use addslashes() on usernames to prevent SQL injections, even if your code doesn't allow them, because you never know when you'll accidentally type error-prone code and not realize it. Also, don't allow users to use their scripts on your site. I don't know why you would do this, but this is something you should definitely NOT do:

```php
<? include($_GET['url']); ?>
```

If you do something like that, anyone can include their site into your URL and run scripts that query your database for passwords, steal your scripts, whatever.
Reply
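The include($_GET['url']) problem rsf describes, worked through as an added example that is not code from the thread, in Python standing in for PHP. The page directory and the list of allowed pages are assumptions for the demo. within_page_dir() shows what a path-containment check alone catches (../ traversal, absolute paths) and what it misses: a remote URL, treated as a relative path, resolves to an odd-looking filename under the page directory and passes. safe_resolve_include() therefore puts an allowlist of page names in front of the containment check.

```python
"""Added example: hardening a ?page= style include against remote and local
file inclusion. Python stands in for PHP; paths use posixpath so the result
is the same on every OS."""
import posixpath
import re

PAGE_DIR = "/var/www/site/pages"                 # assumed layout for the demo
ALLOWED_PAGES = {"home", "about", "contact"}     # assumed: the only pages the router may load
PAGE_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def naive_include_target(requested: str) -> str:
    """What include($_GET['url']) amounts to: the attacker chooses the path.
    A URL, an absolute path or ../ traversal all come straight through."""
    return requested


def within_page_dir(requested: str) -> bool:
    """Containment check only: resolve the request relative to PAGE_DIR and
    require the result to stay under it. commonpath() is used instead of a
    string prefix test so '/var/www/site/pages_old/x' is not mistaken for
    something inside '/var/www/site/pages'."""
    candidate = posixpath.normpath(posixpath.join(PAGE_DIR, requested))
    return posixpath.commonpath([PAGE_DIR, candidate]) == PAGE_DIR


def safe_resolve_include(requested: str):
    """Return the file to include, or None to refuse.

    The allowlist is the real defence: the request may only *name* a page,
    never supply a path or URL. The containment check stays as defence in
    depth, should the allowlist later be replaced by a directory listing."""
    if not PAGE_NAME_RE.fullmatch(requested) or requested not in ALLOWED_PAGES:
        return None
    filename = requested + ".php"
    if not within_page_dir(filename):
        return None
    return posixpath.join(PAGE_DIR, filename)
```

Run the four classic inputs through both functions: "../../../etc/passwd" and "/etc/passwd" fail within_page_dir(), "home.php" passes, and "http://evil.example/shell.txt" also passes the containment check alone, which is exactly why safe_resolve_include() refuses anything that is not a bare, allowlisted page name.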
QuickSilva
Jan 18 2007, 04:12 PM
Oh, thank you. I also didn't really know how to fix these security issues, and now you have lightened the scene. Why do people actually want to wreck people's websites which they have taken a long time to make? This is a code which I just thought up from looking at the other posts. Just put this at the top of a page, or better, if you have like a template system, or include a page on each page, just put it in there:

```php
// strip_tags() and stripslashes() take a string, so apply them to each field rather than to the $_POST array itself
foreach ($_POST as $key => $value) { $_POST[$key] = stripslashes(strip_tags($value)); }
```

Have a great day! -Tom
Reply
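The XSS half of matto's question, as an added example that is not from the thread, in Python standing in for PHP: html.escape() plays the role of htmlspecialchars(), and the strip_tags() below is a crude regex stand-in for PHP's function, assumed for the demo. It contrasts the input-stripping approach of WindAndWater's and QuickSilva's snippets with encoding each value for the context it is printed into (element text versus a double-quoted attribute). The comment template and the sample inputs are constructed.

```python
"""Added example: why stripping tags on input is not an XSS defence, and what
context-aware output encoding looks like. Python stands in for PHP."""
import html
import re

# Crude stand-in for PHP's strip_tags(); assumed for the demo, not PHP's implementation.
TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(text: str) -> str:
    """Input mangling: removes anything that looks like a tag, nothing else."""
    return TAG_RE.sub("", text)


def escape_text(text: str) -> str:
    """Encode for HTML element content (the job htmlspecialchars() does in PHP)."""
    return html.escape(text, quote=False)


def escape_attr(text: str) -> str:
    """Encode for a double-quoted attribute value. Quotes must be encoded too,
    or the input can close the attribute and start an event handler."""
    return html.escape(text, quote=True)


def render_comment_unescaped(author: str, body: str) -> str:
    """User data printed straight into the page: stored XSS waiting to happen."""
    return f'<div class="comment" data-author="{author}"><p>{body}</p></div>'


def render_comment_escaped(author: str, body: str) -> str:
    """Same template, each value encoded for the context it lands in.
    The stored data is left untouched; only the output is transformed."""
    return (f'<div class="comment" data-author="{escape_attr(author)}">'
            f'<p>{escape_text(body)}</p></div>')
```

Three things fall out of running it. A body of "<script>alert(1)</script>" is rendered as literal text by the escaped template and as live script by the unescaped one. An author name of x" onmouseover="alert(1) contains no tag, so strip_tags() leaves it alone and the unescaped attribute context is still injectable; escape_attr() turns the quote into &quot; and the break-out fails. And legitimate text such as 'type <b> to make text bold' is destroyed by stripping but displayed correctly after escaping. strip_tags() also leaves ' OR 1=1-- untouched, so it is not a SQL injection defence either.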
daler
Dec 25 2006, 07:57 AM
The following code is blatantly stolen (er, borrowed) from http://www.php.net/manual/en/function.mysq...cape-string.php

```php
<?php
// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password') OR die(mysql_error());

// Query: escape each value before it is interpolated into the SQL string
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
    mysql_real_escape_string($user),
    mysql_real_escape_string($password));
?>
```

On a site a few years back for my Boy Scout troop, I used mysql_real_escape_string on everything the user potentially had access to, including every SQL query which included either the username or password. In fact, I might have used it on some things that really didn't need it, but then again I think a few extra CPU cycles for the sake of security on a low-traffic site won't hurt much.
Reply
keri-j
Oct 8 2006, 08:10 PM
Ahhh, the fun of logging in to stupid fansites using things like "hi' or 1=1--".
For the previous person who didn't know why it was "1=1": 1 = positive, yes. It's 1=1 because it's saying that the input is the same as the password/username or other field.
It's a shame you can't write tutorials on this kind of thing here in trap17; you can on totse.com.
Reply
eirikureiriksson
Jul 28 2006, 03:09 PM
Adding my five cents to what already has been said...
1. Do not build SQL strings directly from user input: "select id from user where username = (input) and password = (input)". The simplest way would be stripping the input of any comment marks, line-ending marks and quote/string marks and placing the input inside string quotes: "select id from user where username = '(input)' and password = '(input)'".
2. Validate all input and limit it to the right data type, character set, length and values.
3. Remove all unnecessary permissions from all database users.
4. Use account lock-out for repeated failed log-ins.
5. Use views containing just the necessary fields for each query; do not select directly from the tables.
Reply
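keri-j's "hi' or 1=1--" trick, Bradley's numeric ?u=2 case and eirikureiriksson's points 1, 2, 4 and 5, worked through as an added example that is not code from the thread. Python's sqlite3 stands in for PHP/MySQL; the table contents, the lockout threshold of 5 and the login_view are constructed for the demo, and passwords are compared in plain text only because the thread's queries do so. login_vulnerable() is the concatenated query shape seen in the thread, login_parameterized() is point 1 done with bound parameters instead of escaping, login_hardened() adds validation (point 2), lockout (point 4) and reads only through a view (point 5), and profile_vulnerable()/profile_safe() show that a numeric parameter with no quotes around it is injectable in the same way.

```python
"""Added example: SQL injection against a login form and a numeric id, and the
parameterized, validated, lockout-protected versions. sqlite3 stands in for
MySQL; all data is constructed."""
import re
import sqlite3

LOCKOUT_THRESHOLD = 5                              # assumed for the demo
USERNAME_RE = re.compile(r"[a-z0-9_]{3,20}")       # point 2: charset, length


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the site's database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT,
                           email TEXT, is_admin INTEGER);
        INSERT INTO user (username, password, email, is_admin) VALUES
            ('alice', 'correct horse', 'alice@example.test', 1),
            ('bob',   'hunter2',       'bob@example.test',   0);
        -- point 5: login code reads this view, never the table itself
        CREATE VIEW login_view AS SELECT id, username, password FROM user;
        -- point 4: failed attempts per username, written only by the login code
        CREATE TABLE lockout (username TEXT PRIMARY KEY, failed INTEGER NOT NULL);
    """)
    return db


def login_vulnerable(db, username, password):
    """The thread's query shape: input pasted straight into the SQL text.
    "hi' or 1=1--" closes the string, adds an always-true clause and comments
    out the password check, so every user id comes back."""
    sql = (f"SELECT id FROM login_view WHERE username = '{username}' "
           f"AND password = '{password}'")
    return sorted(r[0] for r in db.execute(sql))


def login_parameterized(db, username, password):
    """Point 1 done properly: values travel separately from the SQL text, so a
    quote or comment marker in the input is just characters to compare."""
    sql = "SELECT id FROM login_view WHERE username = ? AND password = ?"
    return sorted(r[0] for r in db.execute(sql, (username, password)))


def login_hardened(db, username, password):
    """Parameterized query plus input validation and lockout. Returns the user
    id on success and None on any failure, without saying which check failed."""
    if not USERNAME_RE.fullmatch(username) or not 1 <= len(password) <= 128:
        return None
    row = db.execute("SELECT failed FROM lockout WHERE username = ?",
                     (username,)).fetchone()
    if row is not None and row[0] >= LOCKOUT_THRESHOLD:
        return None                                # locked out
    ids = login_parameterized(db, username, password)
    if not ids:
        db.execute("INSERT OR IGNORE INTO lockout (username, failed) VALUES (?, 0)",
                   (username,))
        db.execute("UPDATE lockout SET failed = failed + 1 WHERE username = ?",
                   (username,))
        return None
    db.execute("DELETE FROM lockout WHERE username = ?", (username,))
    return ids[0]


def profile_vulnerable(db, u):
    """Bradley's ?u=2 case: no quotes to break out of, "2 OR 1=1" is enough."""
    return [r[0] for r in db.execute(f"SELECT email FROM user WHERE id = {u}")]


def profile_safe(db, u):
    """Point 2 for a numeric field: coerce to the expected type first and
    refuse anything that is not an integer, then bind the value."""
    try:
        uid = int(u)
    except (TypeError, ValueError):
        return []
    return [r[0] for r in db.execute("SELECT email FROM user WHERE id = ?", (uid,))]
```

With a fresh make_db(), login_vulnerable(db, "hi' or 1=1--", "anything") returns both user ids, login_parameterized() returns none for the same input, and login_hardened() rejects it before it reaches the database because the apostrophe and spaces fail the username pattern. Five wrong passwords for bob lock the account, after which even the correct password returns None. For the numeric case, profile_vulnerable(db, "2 OR 1=1") leaks every email address while profile_safe() returns nothing for it. Note that escaping, as in daler's mysql_real_escape_string example, depends on the quotes being there around the value; parameters do not, which is why they also fix the numeric case.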