SQL injection attacks

Discussion in 'Databases' started by Triexa, Dec 4, 2006.

  1. T0PS3O

    T0PS3O Feel Good PLC

    Messages:
    13,219
    Likes Received:
    777
    Best Answers:
    0
    Trophy Points:
    0
    #21
    I'm only saying that CAPTCHAs in themselves have nothing to do with SQL injections. And they can't prevent GET manipulation anyway. So that's why I dismissed the idea. Not just "all other people's ideas".

    So in reply to Dan Thorpe, no, it's not just to do with forms, albeit a major part of it indeed because of bad tutorials out there.

    Go to any website where you find parameters in the URL like id=35 or sort=a and stick an apostrophe in there. Bad sites will instantly choke and throw up errors.
     
    T0PS3O, Dec 7, 2006 IP
  2. Silver89

    Silver89 Notable Member

    Messages:
    2,243
    Likes Received:
    72
    Best Answers:
    0
    Trophy Points:
    205
    #22
    Oh, mine doesn't do that; if the page doesn't exist a special page is shown, and all characters work in the URL.
     
    Silver89, Dec 7, 2006 IP
  3. T0PS3O

    T0PS3O Feel Good PLC

    Messages:
    13,219
    Likes Received:
    777
    Best Answers:
    0
    Trophy Points:
    0
    #23
    Sounds like you have it all covered.

    BTW Example, note the ':

    http://www.dripirrigation.com/index.php?cPath=36&page=1&sort='3a

    It's not a full blown injection risk but it illustrates the point.
     
    T0PS3O, Dec 7, 2006 IP
  4. krakjoe

    krakjoe Well-Known Member

    Messages:
    1,795
    Likes Received:
    141
    Best Answers:
    0
    Trophy Points:
    135
    #24
    Your site can be perfectly safe with forms, you just have to spend a little longer with the coding to make it so, slapping code you find in tutorials and php.net on your site just won't do, you gotta know what you're doing....
     
    krakjoe, Dec 7, 2006 IP
  5. Futures_Equity

    Futures_Equity Well-Known Member

    Messages:
    454
    Likes Received:
    13
    Best Answers:
    0
    Trophy Points:
    110
    #25
    Haha, what if someone put a typo in that box T0PS3O was talking about? An honest mistake, but they'd get screwed.
     
    Futures_Equity, Dec 7, 2006 IP
  6. danielbruzual

    danielbruzual Active Member

    Messages:
    906
    Likes Received:
    57
    Best Answers:
    0
    Trophy Points:
    70
    #26
    You have to remove any special characters and validate user-submitted information, always.

    You do not need to be a hacker to perform a SQL injection, you only need to understand SQL syntax. I have found some BIG sites with validation issues that I have been able to gain access to (with my scarce hacking knowledge).

    Here are some guides you might find useful to test your site for validation flaws:
    http://www.hackthissite.org/articles/read/535
    http://www.hackthissite.org/articles/read/336
     
    danielbruzual, Dec 7, 2006 IP
  7. Pierre Monteux

    Pierre Monteux Peon

    Messages:
    63
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    0
    #27
    Always use str_replace("'", "''", $variable_name) when passing user-supplied data to SQL. This replaces ' with '', the SQL escape code for '. This prevents an injection attack of the user modifying the SQL query, because he cannot break out using a '.
     
    Pierre Monteux, Dec 7, 2006 IP
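    As an added example (not code from the thread), here is T0PS3O's apostrophe probe and Pierre's quote-doubling side by side with a parameterized query, in Python with an in-memory SQLite table rather than the thread's PHP/MySQL so it runs stand-alone. The table, product names and the lookup functions are constructed for the demonstration. Concatenating the value makes the database choke on a lone apostrophe; doubling the quote fixes that for a value inside a single-quoted literal, and only there (it does nothing for an unquoted number like id=35 or a column name like sort=a); binding the value as a parameter keeps it out of the SQL text entirely.

```python
import sqlite3


def make_db():
    """Constructed in-memory catalogue so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products (id, name) VALUES (?, ?)",
                     [(35, "Drip line 100m"), (36, "O'Brien valve")])
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """Vulnerable pattern: the request value is pasted straight into the SQL
    text, so a single apostrophe ends the literal early and the parser chokes."""
    sql = "SELECT id FROM products WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_doubled(conn, name):
    """Pierre's mitigation: write every ' as '' before concatenating.  Correct
    for a value that sits inside a single-quoted literal, and only for that
    context; an unquoted number (id=35) or a column name (sort=a) gets no help."""
    sql = "SELECT id FROM products WHERE name = '" + name.replace("'", "''") + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Parameterized query: the value travels separately from the SQL text, so
    it is never parsed as SQL, whatever characters it contains."""
    rows = conn.execute("SELECT id FROM products WHERE name = ?", (name,))
    return [row[0] for row in rows]


def apostrophe_test(conn, lookup, name):
    """Run one lookup the way T0PS3O probes a site: ('ok', rows) if the query
    ran, or ('error', exception class name) if the database threw it back."""
    try:
        return ("ok", lookup(conn, name))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_concat, lookup_doubled, lookup_param):
        print(fn.__name__,
              apostrophe_test(db, fn, "O'Brien valve"),
              apostrophe_test(db, fn, "'"))
```

    Running it shows lookup_concat failing on both a legitimate name containing an apostrophe and the bare apostrophe probe, while the other two return rows (or an empty list) for the same inputs.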
  8. MrMean

    MrMean Guest

    Messages:
    98
    Likes Received:
    2
    Best Answers:
    0
    Trophy Points:
    0
    #28
    Good suggestion. I would think it's also worth trying out this kind of thing:
    http://bcable.net/project.php?sqlier

    Hope this helps ;)
     
    MrMean, Dec 8, 2006 IP
  9. Nick_Mayhem

    Nick_Mayhem Notable Member

    Messages:
    3,486
    Likes Received:
    338
    Best Answers:
    0
    Trophy Points:
    290
    #29
    I don't directly send the input to be executed. Trim it.
     
    Nick_Mayhem, Dec 8, 2006 IP
  10. gree124

    gree124 Well-Known Member

    Messages:
    720
    Likes Received:
    3
    Best Answers:
    0
    Trophy Points:
    128
    #30
    gree124, Sep 7, 2007 IP
  11. tarponkeith

    tarponkeith Well-Known Member

    Messages:
    4,758
    Likes Received:
    279
    Best Answers:
    0
    Trophy Points:
    180
    #31
    I use ASP...

    Use things like:

    dim tmpInt
    tmpInt = instr(1, strUserInput, "<")                 ' position of the first "<", 0 if there is none
    if tmpInt <> 0 then response.write("There is an HTML tag!")

    or

    strUserInput = replace(strUserInput, "<", "(") ' Now their < has turned into a (
    strUserInput = replace(strUserInput, """", "") ' Now we got rid of any quotes
     
    tarponkeith, Sep 7, 2007 IP
  12. gree124

    gree124 Well-Known Member

    Messages:
    720
    Likes Received:
    3
    Best Answers:
    0
    Trophy Points:
    128
    #32
    I am using vBulletin.
     
    gree124, Sep 7, 2007 IP
  13. ErectADirectory

    ErectADirectory Guest

    Messages:
    656
    Likes Received:
    65
    Best Answers:
    0
    Trophy Points:
    0
    #33
    When keeping the place locked down isn't enough...

    There will come a day when every security specialist has their own botnet, just in case the boogie man comes. Isn't that like the right to bear arms?
     
    ErectADirectory, Sep 12, 2007 IP
  14. Trusttec

    Trusttec Peon

    Messages:
    147
    Likes Received:
    3
    Best Answers:
    0
    Trophy Points:
    0
    #34
    Did you update your vBulletin to the latest version?
     
    Trusttec, Sep 12, 2007 IP
  15. mustii

    mustii Peon

    Messages:
    6
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #35
    Yes!

    Did you update your vBulletin to the latest version?
     
    mustii, Sep 12, 2007 IP
  16. gree124

    gree124 Well-Known Member

    Messages:
    720
    Likes Received:
    3
    Best Answers:
    0
    Trophy Points:
    128
    #36
    I did, with 3.6.8, but they hacked it again. Now a good friend of mine uploaded my old backup, so I have 3.6.7 again, and I don't think the latest vB is more secure, because there are a lot of websites still using an old vB version whose sites haven't been hacked. Anyway, my site is back now.
     
    gree124, Sep 12, 2007 IP
  17. mnymkr

    mnymkr Well-Known Member

    Messages:
    2,328
    Likes Received:
    32
    Best Answers:
    0
    Trophy Points:
    120
    #37
    we should make a list of the top 10 tips here
     
    mnymkr, Sep 14, 2007 IP
  18. scriptman

    scriptman Peon

    Messages:
    175
    Likes Received:
    4
    Best Answers:
    0
    Trophy Points:
    0
    #38
    I just wrote a simple in / out preparation function for use in PHP:

    function prepare_input($var)
    {
        // undo magic_quotes_gpc first so the value is not escaped twice
        $var = (get_magic_quotes_gpc()) ? stripslashes($var) : $var;
        // trim, HTML-encode, then escape for MySQL (needs an open mysql_connect() link)
        return mysql_real_escape_string(htmlspecialchars(trim($var)));
    }

    function prepare_output($var)
    {
        return stripslashes($var);
    }
    So when you're taking user input, first run it through prepare_input. If you're going to display anything based on user input, run it through prepare_output first. I'm using it in something I'm developing and so far it seems effective. It defeats SQL injection and cross-site scripting assuming you remember to validate ALL input ;) You cannot trust a single thing - HTTP_HOST, cookies, useragent, anything.

    (Edit: Added in that line to strip slashes if magic quotes is on, for those who have it enabled in php.ini)
     
    scriptman, Sep 14, 2007 IP
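    The prepare_input function above does two jobs at once: it escapes for SQL and for HTML on the way in, which means the HTML-encoded form is what ends up stored. The added example below (not scriptman's code, and in Python with SQLite instead of PHP/MySQL so it runs offline) contrasts that with storing the trimmed raw value and encoding for each sink at the point of use: SQL safety comes from the bound parameter, HTML safety from html.escape at render time. The table and the sample name are constructed; html.escape stands in for htmlspecialchars.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT)")
    return conn


def store_encoded_at_input(conn, raw):
    """scriptman-style: trim and HTML-encode once on the way in, then store.
    The bound parameter stands in for mysql_real_escape_string; the point is
    that the HTML encoding has already changed the value before it is saved."""
    encoded = html.escape(raw.strip(), quote=True)
    conn.execute("INSERT INTO members (name) VALUES (?)", (encoded,))
    return encoded


def store_raw(conn, raw):
    """Store the trimmed value unchanged; the parameter handles SQL safety."""
    value = raw.strip()
    conn.execute("INSERT INTO members (name) VALUES (?)", (value,))
    return value


def count_by_name(conn, name):
    """A later lookup of the same value (search, login, dedup) only matches
    when the stored form is the raw one."""
    row = conn.execute("SELECT COUNT(*) FROM members WHERE name = ?",
                       (name,)).fetchone()
    return row[0]


def render_cell(name):
    """Encode for the HTML sink at output time, whatever was stored.  Feeding
    an already-encoded value through here double-encodes it (O&amp;#x27;Brien)."""
    return "<td>" + html.escape(name, quote=True) + "</td>"


if __name__ == "__main__":
    db = make_db()
    stored = store_encoded_at_input(db, " O'Brien ")
    print("encoded-at-input stored as:", stored,
          "| found by raw lookup:", count_by_name(db, "O'Brien"))
    store_raw(db, " O'Brien ")
    print("raw stored | found by raw lookup:", count_by_name(db, "O'Brien"))
    print(render_cell("<b>x</b>"), render_cell(stored))
```

    The design choice is per-sink encoding: a value is safe only relative to the place it is going, so the SQL layer and the HTML layer each apply their own protection and neither alters what is stored.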
  19. guruhowto

    guruhowto Guest

    Messages:
    75
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    0
    #39
    Use mysql_real_escape_string if you have encoded strings, but if you have just simple English alphabet strings use only mysql_escape_string.

    The difference is the active connection being passed or used in mysql_real_escape_string while mysql_escape_string doesn't need any connection.
     
    guruhowto, Sep 16, 2007 IP
  20. Aron Schatz

    Aron Schatz Peon

    Messages:
    201
    Likes Received:
    2
    Best Answers:
    0
    Trophy Points:
    0
    #40
    Type cast things you can like numbers and such from forms and ALWAYS escape input elements.
     
    Aron Schatz, Sep 17, 2007 IP
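    Type casting and escaping cover two different contexts, and the URL from earlier in the thread (cPath=36&sort=a) has one of each: an integer, and a column name that no escaping function can protect because an ORDER BY identifier cannot be bound as a query parameter. The added example below (not from the thread, Python with SQLite so it runs offline) casts the integer strictly and maps the sort token through an allow-list before it touches the query; the catalogue rows, the parameter names cPath and sort, and the allow-list contents are constructed for the demonstration.

```python
import re
import sqlite3

# Allow-list for the sort= parameter: request token -> ORDER BY fragment.
# Identifiers cannot be bound as parameters, so this lookup is the defense.
ALLOWED_SORT = {"a": "name ASC", "d": "name DESC", "p": "price ASC"}


def make_db():
    """Constructed in-memory catalogue so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products "
                 "(id INTEGER PRIMARY KEY, category INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)",
                     [(1, 36, "Emitter", 0.30),
                      (2, 36, "Drip line", 12.50),
                      (3, 35, "Timer", 40.00)])
    conn.commit()
    return conn


def parse_int_param(raw):
    """Aron's type cast, done strictly: only ASCII digits are accepted, so a
    value like "36'" or "" is rejected instead of partially converted."""
    if not re.fullmatch(r"[0-9]{1,9}", raw):
        raise ValueError("not an integer: %r" % raw)
    return int(raw)


def parse_sort_param(raw):
    """Identifier context: map the token through the allow-list or refuse.
    The request string itself never reaches the SQL text."""
    try:
        return ALLOWED_SORT[raw]
    except KeyError:
        raise ValueError("unknown sort key: %r" % raw)


def list_category(conn, params):
    """params mimics the parsed query string of index.php?cPath=36&sort=a.
    The integer is bound as a parameter; the ORDER BY clause is built only
    from the allow-listed fragment, never from the request value."""
    category = parse_int_param(params.get("cPath", ""))
    order_by = parse_sort_param(params.get("sort", "a"))
    sql = "SELECT id, name FROM products WHERE category = ? ORDER BY " + order_by
    return [(row[0], row[1]) for row in conn.execute(sql, (category,))]


if __name__ == "__main__":
    db = make_db()
    print(list_category(db, {"cPath": "36", "sort": "a"}))
    for bad in ({"cPath": "36", "sort": "'3a"}, {"cPath": "36'", "sort": "a"}):
        try:
            list_category(db, bad)
        except ValueError as exc:
            print("rejected:", exc)
```

    The sort='3a request from the earlier post is refused at parse_sort_param, and an id carrying an apostrophe is refused at parse_int_param; neither value is ever concatenated or escaped, because in these two contexts the right control is validation, not escaping.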