SQL Injection Attack prevention help

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

shiningtor
Forum Newbie
Posts: 4
Joined: Fri Sep 21, 2007 11:39 am

SQL Injection Attack prevention help

Post by shiningtor »

I'm getting really bogged down over SQL Injection Attack prevention. The more I read, the worse it gets.

Is it only INSERT and SELECT queries that can suffer SQL Injection Attacks?

What about UPDATE? Do you use mysql_real_escape_string() for data being updated?

I've been looking at http://uk.php.net/mysql_real_escape_string and this page only talks about INSERT and SELECT.

Any words of wisdom would be much appreciated.

Shiningtor
scriptah
Forum Commoner
Posts: 27
Joined: Sat Mar 15, 2008 8:58 pm
Location: Long Island, NY

Re: SQL Injection Attack prevention help

Post by scriptah »

//Is it only INSERT and SELECT queries that can suffer SQL Injection Attacks?
Of course not.
Imagine this query:

    UPDATE `admin` SET password = SHA1( 'new_password' ) WHERE id = '10'

//What about UPDATE? Do you use mysql_real_escape_string() for data being updated?
You bet.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: SQL Injection Attack prevention help

Post by Mordred »

1. One uses escaping not for protecting against SQL injection, but for making his scripts work. SQL injection is a side-effect of the "not escaping" bug.

2. Thus, all SQL commands that contain "outside" data should have the data properly escaped and quoted before use.

3. All SQL verbs can be used for SQL injection, and in most cases information can be leaked to the attacker, even if it was an UPDATE query.

Do read the manual some more, and then check my article on SQL injection prevention, which lists some cases the manual misses:
http://www.webappsec.org/projects/articles/091007.shtml
samb0057
Forum Commoner
Posts: 27
Joined: Wed Mar 26, 2008 9:51 am

Re: SQL Injection Attack prevention help

Post by samb0057 »

Here's my database escape function; it escapes data that needs to be escaped and leaves numbers alone.
It can also escape a single value or an array of values of unlimited depth.

Use that to surround any variables being used in a query and you are ahead of most people.

    mysql_query('SELECT `username` FROM `users` WHERE `id` = ' . db_escape($_GET['id']));

    // Escapes and quotes a value, or every leaf of a nested array, for use in
    // a mysql_* query. Numeric values are returned unchanged and unquoted.
    // Needs an open mysql_connect() link; note that the mysql extension itself
    // was removed in PHP 7.
    function db_escape($values, $quotes = true) {
        if (is_array($values)) {
            // Recurse so arrays of any depth are escaped leaf by leaf.
            foreach ($values as $key => $value) {
                $values[$key] = db_escape($value, $quotes);
            }
        }
        else if (is_bool($values)) {
            $values = $values ? 1 : 0;
        }
        else if (!is_numeric($values)) {
            // Anything is_numeric() accepts (floats, exponent notation,
            // leading whitespace) skips this branch and is emitted unquoted.
            $values = mysql_real_escape_string($values);
            if ($quotes) {
                $values = '"' . $values . '"';
            }
        }
        return $values;
    }
deadoralive
Forum Commoner
Posts: 28
Joined: Tue Nov 06, 2007 1:24 pm

Re: SQL Injection Attack prevention help

Post by deadoralive »

is_numeric allows more than digits through. It also allows floats etc.

Also, is there any reason NOT to quote numbers in an SQL statement? Every variable I put in an SQL statement gets quotes around it, regardless of type, and I've never run into any problems. Is anything wrong with this approach?
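An added example, not code from any post in this thread: scriptah's UPDATE written two ways in PHP, once by string concatenation (the injectable form) and once as a PDO prepared statement, with a strict integer check in place of the is_numeric() test deadoralive questions. The function names, the table layout and the PDO DSN/credentials are assumptions.

```php
<?php
// Added example, not from any post in this thread: the UPDATE that scriptah
// quoted, first built by string concatenation (the injectable form) and
// then as a PDO prepared statement, where bound data can never become SQL.

// Strict id validation. Unlike is_numeric(), which db_escape() relies on,
// FILTER_VALIDATE_INT rejects "1e1", "0x0A" and "10.0" and yields a real int.
function validateId($raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return $id;
}

// Injectable form: whatever $id and $newPassword contain is spliced into the
// statement text, so the statement's meaning depends on the caller's input.
function vulnerableUpdateSql(string $newPassword, string $id): string
{
    return "UPDATE `admin` SET password = SHA1('$newPassword') WHERE id = '$id'";
}

// Safe form: the statement text is fixed and values travel as typed
// parameters, which also answers the "quote numbers or not" question
// (bind them as PDO::PARAM_INT). password_hash() stands in for the
// thread's unsalted SHA1().
function safeUpdate(PDO $db, string $newPassword, $rawId): int
{
    $id   = validateId($rawId);
    $hash = password_hash($newPassword, PASSWORD_DEFAULT);

    $stmt = $db->prepare('UPDATE `admin` SET password = :hash WHERE id = :id');
    $stmt->bindValue(':hash', $hash, PDO::PARAM_STR);
    $stmt->bindValue(':id',   $id,   PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();   // 1 if the row existed, 0 otherwise
}

// Usage; the DSN and credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // server-side prepares, not client-side escaping
]);
echo safeUpdate($pdo, 'new_password', $_GET['id'] ?? '') . " row(s) updated\n";
```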