Protect against sql injection attacks

Discussion in 'Security' started by z3nyt, Jan 18, 2009.

  1. #1
    Hi,

    How can I find out if our website got hacked with the silent SQL injection attack?
     
    z3nyt, Jan 18, 2009
  2. UseShots (Peon)
    #2
    Are you interested in only this particular type of hacker attack? And don't care if your site got hacked using other types of attacks? ;-)
     
    UseShots, Jan 19, 2009
  3. devsn (Active Member)
    #3
    Find all GET variables in the URLs and replace them with "-1" or "(single quote)".

    If it's your site, get someone to audit the script. It's the best way of finding vulnerabilities.
     
    devsn, Jan 23, 2009
  4. awesometbn (Peon)
    #4
    Continually review your server logs. I have had great results by targeting traffic to a specific geography and blocking everything else. For example, if your site is meant for the USA, block all other countries using .htaccess on Apache. Another idea is to start using a web application firewall like mod_security or dotDefender. Then you can make rule-specific changes to block these types of attacks.
     
    awesometbn, Jan 23, 2009
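    The log review suggested in the post above, as an added example that is not part of the thread: a small PHP script that parses Apache combined-format access log lines and flags request URIs whose query string carries common SQL injection indicators (a quote followed by a SQL keyword, UNION ... SELECT, a tautology such as OR 1=1, or a comment sequence). The log lines are constructed for illustration; the indicator list is an assumption, meant as a starting point for triage rather than a complete signature set.

```php
<?php
// Added example, not from the thread: scan Apache combined-format access log
// lines for request URIs that carry common SQL-injection indicators.
// The log lines below are constructed for illustration.

declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [24/Jan/2009:10:15:01 +0000] "GET /product.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Jan/2009:10:15:07 +0000] "GET /product.php?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Jan/2009:10:16:30 +0000] "GET /product.php?id=-1%20UNION%20SELECT%20user%2Cpassword%20FROM%20users HTTP/1.1" 500 310 "-" "curl/7.19"
203.0.113.5 - - [24/Jan/2009:10:17:00 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG;

// Indicator patterns, matched case-insensitively against the URL-decoded
// query string. Assumed starting set; tune it for the application.
const INDICATORS = [
    'quote_then_keyword' => "/'\\s*(or|and|union|select)\\b/i",
    'union_select'       => '/\bunion\b.{0,40}\bselect\b/is',
    'tautology'          => "/\\b(or|and)\\b\\s*[\\w']+\\s*=\\s*[\\w']+/i",
    'sql_comment'        => '/(--|#|\/\*)/',
];

// Parse one combined-log line into its request fields; null if it does not parse.
function parseLogLine(string $line): ?array
{
    // client ident user [time] "method uri proto" status bytes "referer" "agent"
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'client' => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'uri'    => $m[4],
        'status' => (int) $m[5],
    ];
}

// Return the names of all indicators that match the URI's query string.
function findInjectionIndicators(string $uri): array
{
    $query = parse_url($uri, PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return [];
    }
    // Quotes and spaces normally arrive percent-encoded; decode before matching.
    $decoded = rawurldecode($query);
    $hits = [];
    foreach (INDICATORS as $name => $pattern) {
        if (preg_match($pattern, $decoded)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Scan a whole log and return only the entries that triggered an indicator.
function scanLog(string $log): array
{
    $suspicious = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $entry = parseLogLine($line);
        if ($entry === null) {
            continue;
        }
        $hits = findInjectionIndicators($entry['uri']);
        if ($hits) {
            $entry['indicators'] = $hits;
            $suspicious[] = $entry;
        }
    }
    return $suspicious;
}

foreach (scanLog(SAMPLE_LOG) as $e) {
    printf("%s %s %s %s -> %s\n",
        $e['time'], $e['client'], $e['method'], $e['uri'], implode(',', $e['indicators']));
}
```

    Run it against a real access log by replacing SAMPLE_LOG with file_get_contents() of the log file. Only GET query strings are visible in the access log; values submitted in POST bodies or cookies never appear there, so a hit-free log does not prove the site was untouched, and a 500 status following a flagged request is worth correlating with the database error log.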
  5. olddocks (Notable Member)
    #5
    Just check the POST variables with mysql_real_escape_str() in PHP. It will prevent injection attacks.
     
    olddocks, Jan 24, 2009
  6. justdoit1 (Peon)
    #6
    Not mysql_real_escape_str().
    It's mysql_real_escape_string().

    Check POST/GET/COOKIE/SESSION like this: mysql_real_escape_string($_POST['id'])
     
    justdoit1, Jan 25, 2009
  7. engineerroy2008 (Member)
    #7
    Will this work? Is there any other method to find out the SQL injections? Is this applicable to general sites with a small database also?
     
    engineerroy2008, Jan 25, 2009
  8. pitagora (Peon)
    #8
    Yes, but not just POST but also GET, cookies and anything you use in an SQL query. Your entire code needs to be audited for security problems. SQL injections are not the only vulnerability that can affect you. Find a professional and let him do the job.
     
    pitagora, Jan 25, 2009
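    The escaping advice in posts #6 and #8 put into working PHP, as an added example that is none of the posters' own code: every request-supplied value, from $_GET, $_POST and $_COOKIE alike, is escaped before it reaches the query. It uses the mysqli extension, because the mysql_* functions named above were removed in PHP 7.0 and mysqli's real_escape_string() is their direct equivalent. The host, user, password, database name and the products table are placeholders assumed for the demonstration, and a reachable MySQL server is required since real_escape_string() needs an open connection to know the character set.

```php
<?php
// Added example, not from the thread: escaping every client-supplied value
// that reaches a query, with the mysqli extension. Connection details and
// the "products" table are placeholders.

declare(strict_types=1);

// Vulnerable form: the raw value is concatenated into the statement, so an
// apostrophe in the value (O'Reilly) ends the string literal early.
function vulnerableQuery(string $id): string
{
    return "SELECT name FROM products WHERE id = '" . $id . "'";
}

// Escaped form, as the thread recommends. Escaping only protects a value that
// sits inside quotes; a value used bare ("WHERE id = $id") gets no protection
// from it and must be cast or validated instead, as numericQuery() does.
function escapedQuery(mysqli $db, string $id): string
{
    return "SELECT name FROM products WHERE id = '" . $db->real_escape_string($id) . "'";
}

// Numeric column: force the value to an integer rather than escaping it.
function numericQuery(string $id): string
{
    return 'SELECT name FROM products WHERE id = ' . (int) $id;
}

// Preferred form: a prepared statement sends the value separately from the
// SQL text, so the value can never be parsed as part of the statement.
function preparedLookup(mysqli $db, string $id): ?string
{
    $stmt = $db->prepare('SELECT name FROM products WHERE id = ?');
    $stmt->bind_param('s', $id);
    $stmt->execute();
    $stmt->bind_result($name);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $name : null;
}

// Apply escaping to every string in the three client-controlled superglobals,
// not only $_POST, keeping the source name so later code knows where each came from.
function escapeRequestInputs(mysqli $db): array
{
    $sources = ['get' => $_GET, 'post' => $_POST, 'cookie' => $_COOKIE];
    $escaped = [];
    foreach ($sources as $name => $values) {
        foreach ($values as $key => $value) {
            if (is_string($value)) {
                $escaped[$name][$key] = $db->real_escape_string($value);
            }
        }
    }
    return $escaped;
}

$db = new mysqli('localhost', 'app_user', 'app_password', 'shop'); // placeholder credentials
if ($db->connect_error) {
    exit('connection failed: ' . $db->connect_error);
}

$sample = "O'Reilly"; // constructed input containing an apostrophe
echo vulnerableQuery($sample), "\n";   // literal is cut short at the apostrophe
echo escapedQuery($db, $sample), "\n"; // apostrophe arrives escaped
echo numericQuery($sample), "\n";      // non-numeric text collapses to 0
var_dump(preparedLookup($db, $sample));
var_dump(escapeRequestInputs($db));
```

    Escaping at the query site, as escapedQuery() does, is safer than escaping everything up front in escapeRequestInputs(), because a value escaped early and then used in HTML output, a file path or a second query is either double-escaped or escaped for the wrong context. Prepared statements, shown in preparedLookup(), avoid the quoting question entirely and are the form to reach for when rewriting the queries found during the audit the thread recommends.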
  9. justdoit1 (Peon)
    #9
    As pitagora says, there are hundreds of vulnerability types in web applications.
    If you make money/reputation with your sites, you should make them secure.

     
    justdoit1, Jan 26, 2009