preventing SQL injection

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

an123
Forum Newbie
Posts: 3
Joined: Fri May 11, 2007 6:54 am

preventing SQL injection

Post by an123 »

Hello,
I am doing the Security Audit of the web application in which if I enter ' (single quote) in a particular field on a PHP Page and as a result \' (backward slash) is inserted. That means either of the two functions are used

1. addslashes()
2. mysql_real_escape_string()

Now I wanted to know, if I can break the statement in spite of using these statements and can test SQL Injection attack on a PHP web page.

Thanks in advance
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

If you're asking us to tell you how to perform an SQL injection attack then it isn't going to happen.

If I understand you correctly, you mean that the output on the webpage has the slashes in it? To remove that just use stripslashes().
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Re: preventing SQL injection

Post by Oren »

an123 wrote: That means either of the two functions are used

1. addslashes()
2. mysql_real_escape_string()
Or...

3. magic_quotes_gpc is On
an123
Forum Newbie
Posts: 3
Joined: Fri May 11, 2007 6:54 am

Query: Preventing SQL Injection attack

Post by an123 »

Hello,
I do not have access to coding of the PHP page, then if it can be possible to use stripslashes() ? If yes, then how?

Thank you
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: Query: Preventing SQL Injection attack

Post by Chris Corbyn »

an123 wrote: Hello,
I do not have access to coding of the PHP page, then if it can be possible to use stripslashes() ? If yes, then how?

Thank you
:? You don't have access to the code? Are you trying to be a hacker or something? We're not going to help you compromise someone else's system.
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario

Post by nickvd »

lol...
Hello officer! I was hoping you could tell me where to find the nearest crack house to score a hit. Oh, you can't help me with that? Okay, well I have this TNT that I found, I was also hoping you would have some blasting caps on you...WAIT! why are you handcuffing me?!?!
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

You've come to the wrong forum dude.

Psst: try sla.ckers.org instead
an123
Forum Newbie
Posts: 3
Joined: Fri May 11, 2007 6:54 am

Query: SQL Injection attack

Post by an123 »

Hello,
I am in the right forum. I am not a Hacker, I am an Auditor and doing Web Application Security Audit of the Websites without code review. That is why I am exploring the possibilities of attack so that I give proper recommendations in my Security Audit report.

Also I wanted to know if the SQL injection attack can be possible in PHP by manipulating the parameters in Browser's address bar? If the same functions as described above can also be used for such parameters?

Thank you
Stryks
Forum Regular
Posts: 746
Joined: Wed Jan 14, 2004 5:06 pm

Post by Stryks »

Surely a Security Auditor performing a security audit would know and understand the mechanics of these issues far better than most on this forum.

If it were me and I found myself unsure of what facts should go into a Security Audit report for a client, my first recommendation would be along the lines of:

"I believe that this site would benefit from a review of security by a professional php security expert."
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

For a security auditor you don't really seem to understand the principles of SQL injection :? Regardless, any form of user input should be validated and checked, that includes the url ($_GET), forms ($_POST/$_GET), and $_SERVER variables.

At minimum, one should pass all data through mysql_real_escape() and trim() when dealing with SQL, and when outputting content htmlspecialchars()
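The validate, escape-for-SQL and encode-on-output layering recommended in the last post, as an added example that is not part of the thread or any poster's code. Because the mysql_* extension was removed in PHP 7.0, it binds the value as a PDO parameter in place of mysql_real_escape_string(); it assumes the pdo_sqlite extension, and the table, column and function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension;
// table, column and function names are hypothetical.

// Constructed stand-in for the application's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)');
$db->exec("INSERT INTO users (name, bio) VALUES ('o''brien', '<b>hi</b>')");

// Validate: trim, then accept only the shape a user name is expected to have.
function clean_name($raw)
{
    if (!is_string($raw)) {          // e.g. ?name[]=x arrives as an array
        return null;
    }
    $name = trim($raw);
    return preg_match('/^[a-z0-9\' _-]{1,32}\z/i', $name) ? $name : null;
}

// SQL layer: the value is bound as a parameter, so a quote in it stays data.
function find_bio(PDO $db, $name)
{
    $stmt = $db->prepare('SELECT bio FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $bio = $stmt->fetchColumn();
    return $bio === false ? null : $bio;
}

// Output layer: encode when writing into HTML, not when storing.
function render($text)
{
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs standing in for $_GET['name'].
$samples = ["  o'brien ", "d'arcy", '<script>', ['array']];
foreach ($samples as $raw) {
    $name = clean_name($raw);
    if ($name === null) {
        echo "rejected input\n";
        continue;
    }
    $bio = find_bio($db, $name);
    echo render($name), ' => ', $bio === null ? 'no match' : render($bio), "\n";
}
```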