SQL injection attacks

Discussion in 'Databases' started by Triexa, Dec 4, 2006.

  1. #1
    I hear more and more about SQL injections... to better educate myself and others, this is kind of a 2-part post I guess.

    1) What are some of the basic (or advanced? hehe) things a programmer/admin should do to protect against injections?

    2) I am not a hacker and have never done anything like that. Is there any sort of way to test for injection vulnerabilities, or something along those lines (besides pointing a hacker to your site and letting them have their way, lol)?
     
    Triexa, Dec 4, 2006 IP
  2. krakjoe

    krakjoe Well-Known Member

    #2
    1. mysql_real_escape_string
    2. limit privileges on databases ( where you can )
    3. stripslashes(trim()) form input
    4. try to use the correct form elements for the correct datatype

    In order of importance, I would say...
     
    krakjoe, Dec 4, 2006 IP
  3. JEET

    JEET Notable Member

    #3
    SQL injection happens when some hacker tries to access your database using your forms.
    Validate all input you get from forms and you should be safe.
    Those 4 points above would cover most of it. :)
     
    JEET, Dec 4, 2006 IP
  4. T0PS3O

    T0PS3O Feel Good PLC

    #4
    5. Take back-ups daily. One day the shit will hit the van BIG time.
     
    T0PS3O, Dec 4, 2006 IP
  5. Seiya

    Seiya Peon

    #5
    Validating every kind of input you can get should work, i.e., if u are expecting text only or numbers... make it so that if u get anything else u throw an error.
     
    Seiya, Dec 4, 2006 IP
  6. walshy

    walshy Banned

    #6
    walshy, Dec 4, 2006 IP
  7. T0PS3O

    T0PS3O Feel Good PLC

    #7
    Image verification has nothing to do with it. That would only prevent automated attempts but for a proper attack it would require manual attention anyway - they'd punch in whatever the captcha throws at them.
     
    T0PS3O, Dec 4, 2006 IP
  8. mnymkr

    mnymkr Well-Known Member

    #8
    well how exactly do they access it. i just caught this off topic. I am very interested.
     
    mnymkr, Dec 4, 2006 IP
  9. krakjoe

    krakjoe Well-Known Member

    #9
    securiteam.com/securityreviews/5DP0N1P76E.html

    Look @ that for a proper explanation of how and what
     
    krakjoe, Dec 5, 2006 IP
  10. linkstraffic

    linkstraffic Well-Known Member

    #10
    + striptags...

    I do that + backups to avoid any type of shit.
     
    linkstraffic, Dec 5, 2006 IP
  11. Coupons

    Coupons Active Member

    #11
    I'm always afraid of using custom made scripts because I never know if they are secured against these things.
    With known and tested scripts, most of them have already patched most known vulnerabilities...
     
    Coupons, Dec 5, 2006 IP
  12. krakjoe

    krakjoe Well-Known Member

    #12
    A programmer worth their price will think of these things from the first <?

    IMO a big problem is when people use tutorials to create scripts, tutorials never include information like this because it would make them all pretty boring to read if they had to go into details about sql injections and general code practices.
     
    krakjoe, Dec 5, 2006 IP
  13. mikkom

    mikkom Active Member

    #13
    There is only one way to protect yourself against injection attacks: Escape everything. And you really, really should do this because otherwise someone will do:

    your code: "select * from X where Y=parameter.Z"

    what will happen if some evil person will ask "..?Z=1; delete from users;"
     
    mikkom, Dec 5, 2006 IP
  14. discoverclips

    discoverclips Peon

    #14
    use mysql_real_escape_string
    If the input (any input, even hidden fields in a form) needs to be a number, then make sure you only allow numbers!

    filter any user input with a regex filter, like for php:
    preg_replace('/[^0-9A-Za-z ]/', "", $input);
     
    discoverclips, Dec 5, 2006 IP
  15. mnymkr

    mnymkr Well-Known Member

    #15
    I am sorry I am just a dummy at this. But can someone give me a very specific example of an easy SQL injection
     
    mnymkr, Dec 5, 2006 IP
  16. T0PS3O

    T0PS3O Feel Good PLC

    #16
    Your code:

    login.php

    
    PHP:
    $sql = "SELECT COUNT(*) FROM users WHERE username = '" . $_GET['username'] . "' AND password = '" . $_GET['password'] . "'";
    $result = mysql_query($sql);
    $count = mysql_result($result, 0); // number of matching rows
    //pseudo code from here
    if ($count == 1) {
        // log in successful
    } else {
        // error, log in again, credentials incorrect
    }

    See that as a typical (bad and oversimplified) log in routine.

    Now go to login.php?username='' OR 1=1;

    That makes the SQL:

    SELECT COUNT(*) WHERE username='' OR 1=1;

    Considering 1 is always 1, they are now logged in without a password or username because you didn't escape the apostrophe from the $_GET

    That's how it works in principle.

    Ideal counter measure:
    In the log in form you have JavaScript that checks input as they type. If it's a hack attempt, via AJAX, before they even submit the attempt, you hack their IP back, scan all ports, install all sorts of crap. All in real time as they type :) As soon as you spot an untrusted character you unleash your botnet on their IP and cause a Denial of Service so they can't even hit the login button.
     
    T0PS3O, Dec 5, 2006 IP
    ErectADirectory likes this.
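
Added example, not part of any post in this thread: the login query from post #16 in its concatenated form beside a parameterized version, run against three constructed inputs, which also serves as a basic self-test of the kind asked about in post #1. It assumes PHP with the pdo_sqlite extension (an in-memory SQLite table stands in for MySQL); the table, function names and sample credentials are made up for the illustration.

```php
<?php
// Added example with constructed data; not code from the thread.
// Assumes the pdo_sqlite extension. SQLite stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Plaintext passwords only mirror the post; real tables store password_hash() output.
$db->exec("CREATE TABLE users (username TEXT, password TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 'correct horse'), ('O''Brien', 'tr0ub4dor')");

// Pattern from post #16: request values pasted into the SQL text.
function loginConcatenated(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '" . $user
         . "' AND password = '" . $pass . "'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// Same query with placeholders: the values travel separately from the SQL text.
function loginPrepared(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    );
    $stmt->execute([$user, $pass]);
    return (int) $stmt->fetchColumn() > 0;
}

// Constructed inputs: a valid login, the tautology discussed in the thread,
// and a legitimate name that contains an apostrophe.
$cases = [
    ['alice', 'correct horse'],
    ["' OR 1=1 --", 'x'],
    ["O'Brien", 'tr0ub4dor'],
];

foreach ($cases as [$user, $pass]) {
    try {
        $old = loginConcatenated($db, $user, $pass) ? 'LOGIN' : 'denied';
    } catch (PDOException $e) {
        $old = 'SQL error';   // the stray quote broke the statement
    }
    $new = loginPrepared($db, $user, $pass) ? 'LOGIN' : 'denied';
    printf("%-14s concatenated: %-9s prepared: %s\n", $user, $old, $new);
}
```

The O'Brien row is the case the character-stripping filter in post #14 would alter (the name becomes OBrien), while placeholders pass the apostrophe through as data.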
  17. mnymkr

    mnymkr Well-Known Member

    #17
    wow just when i think i am learning something i get blown out of the water. so frustrating yet interesting.
     
    mnymkr, Dec 5, 2006 IP
  18. PayItForward

    PayItForward Peon

    #18
    Striptags doesn't prevent SQL injection, there are 100s of ways to do SQL injection, you are only protecting yourself from a small percentage of them with striptags. Using a regular expression to make sure you are getting only the information you want (i.e. numbers, letters+numbers, url) is the only way to protect yourself 100%.
     
    PayItForward, Dec 5, 2006 IP
  19. walshy

    walshy Banned

    #19
    T0PS3O Don't be so quick to dismiss other people's suggestions. Do you not agree that using image verification will stop those hackers using automated systems to find sites with PHP form security vulnerabilities?

    This type of automated attack would account for a high proportion of the header injection attacks, they use their automated systems to first determine if there is a vulnerability, if they find such a "backdoor" they may then decide to try a manual attack.

    My philosophy is if the hacker can't see your contact form as being insecure, they will move on to an easier target. Therefore with image ver you are going a long way to protecting yourself.

    Of course other methods of validation could be used as a backup.
     
    walshy, Dec 7, 2006 IP
  20. Silver89

    Silver89 Notable Member

    #20
    So if you use PHP but no forms then your site is safe/er?
     
    Silver89, Dec 7, 2006 IP