I hear more and more about SQL injections... to better educate myself and others, this is kind of a 2-part post I guess. 1) What are some of the basic (or advanced? hehe) things a programmer/admin should do to protect against injections? 2) I am not a hacker and have never done anything like that. Is there any sort of way to test for injection vulnerabilities, or something along those lines (besides pointing a hacker to your site and letting them have their way, lol)?
1) mysql_real_escape_string
2) limit privileges on databases (where you can)
3) stripslashes(trim()) form input
4) try to use the correct form elements for the correct datatype

In order of importance, I would say...
SQL injection happens when some hacker tries to access your database using your forms. Validate all input you get from forms and you should be safe. Those 4 points above would cover most of it.
Validating every kind of input you can get should work, i.e. if you're expecting text only or numbers... make it so that if you get anything else you throw an error.
Use some kind of image verification. This is a good, easy-to-implement script for either WordPress or standard PHP: http://www.dagondesign.com/articles/secure-php-form-mailer-script/ Header injection is a pain; this is a good way to combat it.
Image verification has nothing to do with it. That would only prevent automated attempts but for a proper attack it would require manual attention anyway - they'd punch in whatever the captcha throws at them.
I'm always afraid of using custom made scripts because I never know if they are secured against these things. With known and tested scripts, most of them have already patched most known vulnerabilities...
A programmer worth their price will think of these things from the first <?. IMO a big problem is when people use tutorials to create scripts; tutorials never include information like this, because it would make them all pretty boring to read if they had to go into details about SQL injections and general code practices.
There is only one way to protect yourself against injection attacks: Escape everything. And you really, really should do this, because otherwise someone will do the following.

Your code:
"select * from X where Y=parameter.Z"

What will happen if some evil person asks for "..?Z=1; delete from users;"?
Use mysql_real_escape_string. If the input (any input, even hidden fields in a form) needs to be a number, then make sure you only allow numbers! Filter any user input with a regex filter, like for PHP:
preg_replace('/[^0-9A-Za-z ]/', "", $input);
I am sorry, I am just a dummy at this. But can someone give me a very specific example of an easy SQL injection?
Your code: login.php

PHP:
$sql = "SELECT COUNT(*) FROM users WHERE username = '" . $_GET['username'] . "' AND password = '" . $_GET['password'] . "'";
$result = mysql_query($sql);
// pseudo code from here
if ($count == 1) { log in successful } else { error, log in again, credentials incorrect }

See that as a typical (bad and oversimplified) log in routine. Now go to login.php?username='' OR 1=1;

That makes the SQL: SELECT COUNT(*) WHERE username='' OR 1=1;

Considering 1 is always 1, they are now logged in without a password or username, because you didn't escape the apostrophe from the $_GET. That's how it works in principle.

Ideal countermeasure: In the log in form you have JavaScript that checks input as they type. If it's a hack attempt, via AJAX, before they even submit the attempt, you hack their IP back, scan all ports, install all sorts of crap. All in real time as they type. As soon as you spot an untrusted character you unleash your botnet on their IP and cause a Denial of Service so they can't even hit the login button.
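The login routine above, side by side with the fix the thread keeps circling around (send the query and the values separately, so the database never parses user input as SQL). This is an added example, not code from the thread; it assumes an in-memory SQLite database reached through PDO so it runs without a MySQL server, and the users table and its single row are constructed here.

```php
<?php
// Added example (not from the thread). Assumption: SQLite in-memory via PDO,
// with a constructed users table, so it runs offline without MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (username TEXT, password TEXT)");
$pdo->exec("INSERT INTO users VALUES ('alice', 'correct-horse')");

// The routine from the post: user input is pasted straight into the SQL text.
function countMatchesVulnerable(PDO $pdo, string $username, string $password): int {
    $sql = "SELECT COUNT(*) FROM users WHERE username = '" . $username
         . "' AND password = '" . $password . "'";
    return (int) $pdo->query($sql)->fetchColumn();
}

// Hardened routine: a prepared statement with bound parameters. The query text
// is fixed; the values arrive separately and are only ever compared as data,
// so an apostrophe or an "OR 1=1" in the input cannot change the WHERE clause.
function countMatchesSafe(PDO $pdo, string $username, string $password): int {
    $stmt = $pdo->prepare(
        "SELECT COUNT(*) FROM users WHERE username = :u AND password = :p"
    );
    $stmt->execute([':u' => $username, ':p' => $password]);
    return (int) $stmt->fetchColumn();
}

// Constructed inputs: a real login, a bad password, a legitimate name that
// happens to contain an apostrophe, and the OR 1=1 trick from the post.
$cases = [
    'valid login'          => ['alice', 'correct-horse'],
    'wrong password'       => ['alice', 'guess'],
    'name with apostrophe' => ["o'brien", 'whatever'],
    'OR 1=1 in username'   => ["' OR 1=1 -- ", ''],
];

foreach ($cases as $label => [$u, $p]) {
    try {
        $vuln = countMatchesVulnerable($pdo, $u, $p);
    } catch (PDOException $e) {
        $vuln = 'SQL syntax error';   // the unescaped apostrophe broke the query
    }
    $safe = countMatchesSafe($pdo, $u, $p);
    printf("%-22s vulnerable=%-16s safe=%d\n", $label, $vuln, $safe);
}
```

The vulnerable version returns 1 for the OR 1=1 case with an empty password and errors out on o'brien, while the prepared statement returns 0 for both and 1 only for the real credentials.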
Wow, just when I think I am learning something I get blown out of the water. So frustrating yet interesting.
strip_tags doesn't prevent SQL injection; there are hundreds of ways to do SQL injection, and you are only protecting yourself from a small percentage of them with strip_tags. Using a regular expression to make sure you are getting only the information you want (i.e. numbers, letters+numbers, URL) is the only way to protect yourself 100%.
T0PS3O, don't be so quick to dismiss other people's suggestions. Do you not agree that using image verification will stop those hackers using automated systems to find sites with PHP form security vulnerabilities? This type of automated attack would account for a high proportion of the header injection attacks: they use their automated systems to first determine if there is a vulnerability, and if they find such a "backdoor" they may then decide to try a manual attack. My philosophy is that if the hacker can't see your contact form as being insecure, they will move on to an easier target. Therefore with image verification you are going a long way to protecting yourself. Of course other methods of validation could be used as a backup.