SQL injection test

Posted: Thu Aug 26, 2010 6:13 am
by Solgryn
Hello,

About 3-4 months ago I made a PHP site for my games and it got SQL injected by some random people :/
I deleted it and started working on it again a few days ago. Now I think I sanitized my $_POST stuff right, but I'm unsure if it works;
the only real way to test it is to make an SQL injection attack yourself, I suppose...

I made a function sort of like this:

function sanitize($data){
    // Magic quotes (if enabled) already added backslashes; remove them first
    // so the value is not escaped twice.
    if(get_magic_quotes_gpc()){
        $data = stripslashes($data);
    }
    // Escape quotes and other special characters for use inside a MySQL string literal.
    $data = mysql_real_escape_string($data);
    return $data;
}

and when I read the $_POST I made a string called $comment and set it to sanitize($_POST['comment']), which should work?

I wanna ask if someone here can see if it's working? If you tried doing SQL injection attacks before...
If it doesn't work I wanna ask if I could get some help xD.

My site is at http://solgryn.org/php/ go into a game and scroll down for the comment section (WIP)

Thanks in advance
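As an added example (not Solgryn's code, and not from the site at solgryn.org), here is how the comment insert can be done with a prepared statement so the comment text is sent as data rather than pasted into the SQL, plus output encoding when the comment is displayed. The table name `comments`, its columns, the form field names and the DSN/credentials are assumptions.

```php
<?php
// Added example, not the original poster's code.
// Assumed (hypothetical): table `comments` with columns game_id, author, body.

function db(): PDO {
    // Hypothetical DSN and credentials; replace with your own.
    $pdo = new PDO('mysql:host=localhost;dbname=games;charset=utf8mb4', 'user', 'pass');
    // Use real server-side prepared statements, not client-side emulation,
    // so the query text and the bound values travel separately.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

function addComment(PDO $pdo, int $gameId, string $author, string $body): void {
    // Named placeholders: the values are bound as data, so quotes or comment
    // markers in $body cannot alter the statement. No stripslashes() or
    // mysql_real_escape_string() needed, and the stored text is unmodified.
    $stmt = $pdo->prepare(
        'INSERT INTO comments (game_id, author, body) VALUES (:game_id, :author, :body)'
    );
    $stmt->execute([
        ':game_id' => $gameId,
        ':author'  => $author,
        ':body'    => $body,
    ]);
}

function renderComments(PDO $pdo, int $gameId): string {
    $stmt = $pdo->prepare('SELECT author, body FROM comments WHERE game_id = :game_id');
    $stmt->execute([':game_id' => $gameId]);
    $html = '';
    foreach ($stmt as $row) {
        // Encode at output time: < > & " ' become entities, so a comment
        // containing a <script> tag is shown as text and never executed.
        $html .= '<p><b>' . htmlspecialchars($row['author'], ENT_QUOTES, 'UTF-8')
               . '</b>: ' . htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8') . "</p>\n";
    }
    return $html;
}

// Usage from the comment form handler (hypothetical field names).
$pdo = db();
addComment($pdo, (int) $_POST['game_id'], (string) $_POST['author'], (string) $_POST['comment']);
echo renderComments($pdo, (int) $_POST['game_id']);
```

Escaping in the database layer and encoding in the HTML layer are separate concerns: the first keeps the SQL intact, the second keeps the page intact, and neither should alter what the user actually wrote.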

Re: SQL injection test

Posted: Fri Aug 27, 2010 2:02 am
by cpetercarter
I have tried injecting some simple JavaScript, but happily your webpage encodes the opening and closing chevrons, so the script displays but does not run. However, there is no need to allow people to put HTML tags in their comments, so why not strip_tags() as well?

Re: SQL injection test

Posted: Fri Aug 27, 2010 2:42 am
by Solgryn
cpetercarter wrote: I have tried injecting some simple JavaScript, but happily your webpage encodes the opening and closing chevrons, so the script displays but does not run. However, there is no need to allow people to put HTML tags in their comments, so why not strip_tags() as well?

Yea, I disabled HTML tags with htmlentities(), dunno if that's the same. But you can no longer post HTML stuff in the comments.

Anyways, thanks for your help

Re: SQL injection test

Posted: Fri Aug 27, 2010 3:35 am
by timWebUK
strip_tags() will actually remove any HTML tags from a post entirely. Useful as a defense-in-depth measure. You could use it in unison with HTML entities.

Re: SQL injection test

Posted: Fri Aug 27, 2010 10:29 am
by Mordred
If you only plan to run things from get/post/cookies/request through this function, it is fine. Otherwise, you'll have issues (not security ones) with slashes being stripped.

http://www.logris.org/security/the-curs ... gic-quotes

Re: SQL injection test

Posted: Sun Sep 12, 2010 6:36 am
by kaisellgren
strip_tags() <-- that's a horrible function and you want to avoid using it. Please whatever you do just do not run that strip_tags(), because it aggressively modifies user-submitted data. Oh yes, if phpBB did that, my entire post would have gone like poof :? (try it if you don't believe me)

Re: SQL injection test

Posted: Mon Sep 13, 2010 3:18 am
by timWebUK
What's the best alternative?

Re: SQL injection test

Posted: Mon Sep 13, 2010 11:14 am
by kaisellgren
Either encode the whole output and let it be or use something like HTMLPurifier which does things a lot better than strip_tags().

Re: SQL injection test

Posted: Mon Sep 20, 2010 1:43 am
by pkphp
Hey there, I need to say you have got a good idea. But keeping SQL injection away from your site is not an easy thing.
I suggest you read the code in a shopping cart script called Eclime or a forum project named Discuz.

They have the best function to keep it away.