MySQL Injection.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

mikeashfield
Forum Contributor
Posts: 159
Joined: Sat Oct 22, 2011 10:50 am

MySQL Injection.

Post by mikeashfield »

I've only just heard about this today. How can I see if my PHP code is injectable? I know now about using mysql_real_escape_string so will get all that sorted.
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: MySQL Injection.

Post by Celauran »

mikeashfield wrote: I know now about using mysql_real_escape_string so will get all that sorted.
Better still, use prepared statements.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: MySQL Injection.

Post by social_experiment »

mikeashfield wrote: How can I see if my PHP code is injectable?
PM Mordred
Security consulting
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: MySQL Injection.

Post by Mordred »

Or, you know, see if you can find a forum about PHP/security and try posting your code there :)

If you've read a basic tutorial on sql injection, you can also try my article (link in the sig, but the HTML version is broken, so use the plaintext one: http://www.webappsec.org/projects/articles/091007.txt)
There's a link to a zip file inside with all the demo code in the article which you can tweak and use as a playground.
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: MySQL Injection.

Post by Eric! »

Also there are some tools for SQL injection testing using the Metasploit framework. But you should really hire Mordred to test it out properly.
uday8486
Forum Newbie
Posts: 22
Joined: Fri Oct 28, 2011 11:42 pm
Location: Pune, India

Re: MySQL Injection.

Post by uday8486 »

You can check whether your form accepts SQL keywords, special characters like " ' " etc. Also, sometimes the injection is done using an encoded string which might be an SQL query. Also Google on types of SQL injections.
jaustin
Forum Newbie
Posts: 2
Joined: Sun Oct 23, 2011 12:31 am

Re: MySQL Injection.

Post by jaustin »

Understand the problem - then use a framework.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: MySQL Injection.

Post by social_experiment »

uday8486 wrote: You can check whether your form accepts SQL keywords, special characters like " ' " etc.
It's probably easier to use mysql_real_escape_string().
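A worked illustration of the two pieces of advice in this thread (escaping with mysql_real_escape_string versus prepared statements), added here as an example; it is not code posted by anyone in the thread. It uses the mysqli extension, since the legacy mysql_* functions the thread refers to were removed in PHP 7; the `users` table, its columns and the `$db` connection are assumptions.

```php
<?php
// Added example, not from the thread. Assumes a mysqli connection $db and a
// table `users` (id INT, username VARCHAR); both are hypothetical.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// VULNERABLE: the input is spliced into the SQL text. A single quote in
// $username ends the string literal early, so whatever follows is parsed
// as SQL rather than treated as data. This is the pattern uday8486 probes for.
function findUserVulnerable(mysqli $db, string $username): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    $row = $db->query($sql)->fetch_assoc();
    return $row ?: null;
}

// ESCAPING (the mysql_real_escape_string approach, mysqli spelling):
// quotes and other special bytes are escaped using the connection's
// charset, so the value stays inside the string literal. Caveat: this only
// protects values inside quoted literals. Numbers must be cast, e.g. (int),
// and identifiers (table/column names) whitelisted; escaping does not help
// there, and forgetting a single call re-opens the hole.
function findUserEscaped(mysqli $db, string $username): ?array
{
    $safe = $db->real_escape_string($username);
    $sql  = "SELECT id, username FROM users WHERE username = '$safe'";
    $row  = $db->query($sql)->fetch_assoc();
    return $row ?: null;
}

// PREPARED STATEMENT (Celauran's "better still"): the query text with a
// placeholder is sent first and parsed once; the value is bound afterwards
// and can never change the statement's structure, whatever it contains.
// The same '?' placeholder also covers numeric columns, with type 'i'.
function findUserPrepared(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare("SELECT id, username FROM users WHERE username = ?");
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}
```

Reviewing code for the pattern in findUserVulnerable (any variable interpolated or concatenated into SQL text) is the quickest way to answer the original question "how can I see if my code is injectable".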