11-19-2010, 10:35 AM | #1 |
Administrator
Join Date: Jul 2010
Posts: 402
Rep Power: 10 |
Protecting Against MySQL Injections
I just had the not so fun task of auditing some PHP code that had a lot of vulnerabilities. These were all MySQL injection type attacks. I had found them mostly because of the MySQL errors they generated in our logs. If you are writing PHP scripts and you are using MySQL you must sanitize your data! Never assume nobody will know. It is easy to find.
Here is an example, this script will look up widgets of certain category ID: http://www.somesite.com/somePHPscript.php?viewCategory=19 Well, a BAD way to do this: Code:
"SELECT * FROM widgets WHERE category_id = " . $_REQUEST['viewCategory']; Code:
http://www.somesite.com/somePHPscript.php?viewCategory=19%20union%20truncate%20widgets Code:
SELECT * FROM widgets WHERE category_id = 19 union truncate widgets; How would you combat that? Here you go: Code:
"SELECT * FROM widgets WHERE category_id = " . intval($_REQUEST['viewCategory']); What if you are using text? Example: Code:
"UPDATE users set name='$username'" Code:
"UPDATE users set name='" . mysql_real_escape_string($username) . "'" |
Reply With Quote |
11-21-2010, 06:23 AM | #2 |
Junior Member
Join Date: Sep 2010
Posts: 3
Rep Power: 0 |
I'm using mysql_real_escape_string() to sanitize my user input. Jeff what is the difference if you using mysql_real_escape_string to sanitize your first example?
|
Reply With Quote |
11-21-2010, 10:14 AM | #3 |
Administrator
Join Date: Jul 2010
Posts: 402
Rep Power: 10 |
|
Reply With Quote |
11-21-2010, 10:16 AM | #4 |
Administrator
Join Date: Jul 2010
Posts: 402
Rep Power: 10 |
Unless you mean what is the difference between mysql_real_escape_string and mysql_escape_string. The difference is, the mysql_escape_string is deprecated and also mysql_real_escape_string takes a connection handler and escapes the string according to the current character set.
|
Reply With Quote |
11-21-2010, 11:50 AM | #5 |
Junior Member
Join Date: Sep 2010
Posts: 3
Rep Power: 0 |
What I mean is the difference of function between intval() and mysql_real_escape_string(). Anyway quick search about intval() in google explain everything.
From what I learned mysql_real_escape_string() is good enough to sanitize ANY user input. I'm just worried that mysql_real_escape_string() function only works in certain condition. Thanks |
Reply With Quote |
11-22-2010, 07:39 AM | #6 | |
Administrator
Join Date: Jul 2010
Posts: 402
Rep Power: 10 |
Quote:
Code:
$variable = "I am some injected text"; echo intval($variable); 0 So if you are expecting a variable to be an integer such as a timestamp, or an ID #, pass it through intval and no matter what, it will always come out as a number. It eliminates any chance that variable has been injected with any SQL code. If you just used mysql_real_escape_string() you could still cause an error if MySQL is expecting an integer. This does not help you however when you NEED text. Then you use mysql_real_escape_string(). |
|
Reply With Quote |
06-22-2011, 06:59 AM | #7 |
Junior Member
Join Date: Jun 2011
Location: Midwest USA
Posts: 2
Rep Power: 0 |
I am dealing with this right now and am tightening up the holes in my scripting. I'm using PHP to drive it and am wondering what method to use for this project, MySQLi or PDO. It's a subscription site for online ads, and uses PayPal so no SSL is needed on our end, but still important to protect the data of course! Would PDO be better suited or shall I just work out 100% sanitation methods?
|
Reply With Quote |
06-22-2011, 07:54 AM | #8 |
Administrator
Join Date: Jul 2010
Posts: 402
Rep Power: 10 |
You can eliminate most mysql injections with MySQLi's prepare method.
|
Reply With Quote |
01-18-2024, 04:48 PM | #9 |
Junior Member
Join Date: Jan 2024
Posts: 1
Rep Power: 0 |
For a subscription site dealing with online ads and PayPal, would you recommend using MySQLi's prepare method or PDO for protecting against SQL injection, and why?
|
Reply With Quote |
Reply |
Tags |
mysql best practices
,
|
Thread Tools | |
|
|