I'm getting really bogged down over SQL Injection Attack prevention. The more I read the worse it gets.
Is it only INSERT and SELECT queries that can suffer SQL Injection Attacks?
What about UPDATE? Do you use mysql_real_escape_string() for data being updated?
I've been looking at http://uk.php.net/mysql_real_escape_string and this page only talks about INSERT and SELECT.
Any words of wisdom would be much appreciated.
Shiningtor
SQL Injection Attack prevention help
shiningtor
- Forum Newbie
- Posts: 4
- Joined: Fri Sep 21, 2007 11:39 am
Re: SQL Injection Attack prevention help
//Is it only INSERT and SELECT queries that can suffer SQL Injection Attacks?
Of course not.
Imagine this query:
UPDATE `admin` SET password = SHA1( 'new_password' ) WHERE id = '10'
//What about UPDATE? Do you use mysql_real_escape_string() for data being updated?
You bet.
Re: SQL Injection Attack prevention help
1. One uses escaping not for protecting against SQL injection, but for making his scripts work. SQL injection is a side-effect of the "not escaping" bug.
2. Thus, all SQL commands that contain "outside" data should have the data properly escaped and quoted before use.
3. All SQL verbs can be used for SQL injection, and in most cases information can be leaked to the attacker, even if it was an UPDATE query.
Do read the manual some more, and then check my article on SQL injection prevention, which lists some cases the manual misses:
http://www.webappsec.org/projects/articles/091007.shtml
Re: SQL Injection Attack prevention help
Here's my database escape function, it escapes data that needs to be escaped and leaves numbers alone.
It can also escape a value or an array of values of unlimited depth.
Use that to surround any variables being used in a query and you are ahead of most people.
mysql_query('SELECT `username` FROM `users` WHERE `id` = ' . db_escape($_GET['id']));

// Escapes a scalar, or a nested array of values to any depth, for use in a MySQL
// query. Strings go through mysql_real_escape_string() and, when $quotes is true,
// are wrapped in double quotes; booleans become 1/0; anything that passes
// is_numeric() is returned untouched and unquoted (is_numeric() also accepts
// floats and exponent notation such as "1e5", not just digits).
// Requires an open mysql_* connection; that extension was removed in PHP 7.0.
function db_escape($values, $quotes = true) {
    global $cfg; // not used below
    if (is_array($values)) {
        foreach ($values as $key => $value) {
            $values[$key] = db_escape($value, $quotes); // recurse into arrays
        }
    }
    else if (is_bool($values)) {
        $values = $values ? 1 : 0;
    }
    else if (!is_numeric($values)) {
        $values = mysql_real_escape_string($values);
        if ($quotes) {
            $values = '"' . $values . '"';
        }
    }
    return $values;
}
deadoralive
- Forum Commoner
- Posts: 28
- Joined: Tue Nov 06, 2007 1:24 pm
Re: SQL Injection Attack prevention help
is_numeric allows more than digits through. It also allows floats etc.
Also is there any reason NOT to quote numbers in an SQL statement? Every variable I put in an SQL statement gets quotes around it, regardless of type, and I've never run into any problems. Is anything wrong with this approach?
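The three points raised in this thread (an UPDATE is just as injectable as a SELECT, escape-and-quote blocks the injection but leaves the string-to-number coercion to the database, and is_numeric() is a loose check) as one added PHP example that is not code from any poster here. It uses PDO against an in-memory SQLite database so it runs without a MySQL server; the admin table, its rows and the two test inputs are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread: the UPDATE from the replies above run
// three ways through PDO on an in-memory SQLite database (no MySQL server needed).
// The table, its rows and the two test inputs are constructed for this demo.
function fresh_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, password TEXT)');
    $pdo->exec("INSERT INTO admin (id, password) VALUES (10,'a'), (11,'b'), (12,'c')");
    return $pdo;
}

// 1. Unquoted, unchecked concatenation. The input becomes part of the WHERE
//    clause itself, so "10 OR 1=1" rewrites the condition and every row changes.
function update_concat(PDO $pdo, string $id): int {
    return $pdo->exec("UPDATE admin SET password = 'new' WHERE id = " . $id);
}

// 2. Escape-and-quote, the approach the replies describe. The clause now compares
//    id with the string '10 OR 1=1'; how that string is coerced to a number is up
//    to the database (MySQL takes the leading 10 and warns, SQLite matches
//    nothing), so the injection is blocked but the result is engine-dependent.
function update_quoted(PDO $pdo, string $id): int {
    return $pdo->exec("UPDATE admin SET password = 'new' WHERE id = " . $pdo->quote($id));
}

// 3. Validate, then bind. FILTER_VALIDATE_INT is stricter than is_numeric(): it
//    rejects "1e3", "0x1A" and "10.0". The integer is sent as a bound parameter,
//    never spliced into the SQL text, so there is nothing to escape or quote.
function update_prepared(PDO $pdo, string $raw): int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 0;                      // reject rather than guess what was meant
    }
    $stmt = $pdo->prepare("UPDATE admin SET password = 'new' WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

foreach (['10', '10 OR 1=1'] as $input) {
    printf("%-10s concat=%d quoted=%d prepared=%d rows changed\n", $input,
        update_concat(fresh_db(), $input),
        update_quoted(fresh_db(), $input),
        update_prepared(fresh_db(), $input));
}
```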