
SQL Injection Attack prevention help

Posted: Wed Mar 19, 2008 11:53 am
by shiningtor
I'm getting really bogged down over SQL Injection Attack prevention. The more I read, the worse it gets.

Is it only INSERT and SELECT queries that can suffer SQL Injection Attacks?

What about UPDATE? Do you use mysql_real_escape_string() for data being updated?

I've been looking at http://uk.php.net/mysql_real_escape_string and this page only talks about INSERT and SELECT.

Any words of wisdom would be much appreciated.

Shiningtor

Re: SQL Injection Attack prevention help

Posted: Wed Mar 19, 2008 12:16 pm
by scriptah
//Is it only INSERT and SELECT queries that can suffer SQL Injection Attacks?
Of course not.
Imagine this query:

UPDATE `admin` SET password = SHA1( 'new_password' ) WHERE id = '10'

//What about UPDATE? Do you use mysql_real_escape_string() for data being updated?
You bet.

Re: SQL Injection Attack prevention help

Posted: Thu Mar 20, 2008 1:37 am
by Mordred
1. One uses escaping not for protecting against SQL injection, but for making his scripts work. SQL injection is a side-effect of the "not escaping" bug.

2. Thus, all SQL commands that contain "outside" data should have the data properly escaped and quoted before use.

3. All SQL verbs can be used for SQL injection, and in most cases information can be leaked to the attacker, even if it was an UPDATE query.

Do read the manual some more, and then check my article on SQL injection prevention, which lists some cases the manual misses:
http://www.webappsec.org/projects/articles/091007.shtml
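The UPDATE that scriptah shows and Mordred's points 1 and 2, run as an added example (this code is not from any poster in the thread). It uses PDO against an in-memory SQLite database so it runs offline without the mysql_* extension, which PHP 7 no longer ships; the table name, the row with id 10 and the password value are constructed for the demonstration, and the hash is computed in PHP because SQLite has no SHA1() function. The first attempt concatenates the outside value into the statement and breaks as soon as that value contains a quote; the second binds it as a parameter, so the statement text never changes whatever the value is.

```php
<?php
// Added example, not code from the thread: scriptah's UPDATE run two ways
// against an in-memory SQLite database (PDO), so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
$db->exec("INSERT INTO admin (id, name, password) VALUES (10, 'alice', 'old-hash')");

// Constructed "outside" data: a password a user could legitimately type,
// containing a single quote.
$newPassword = "it's-a-secret";
$id = '10';

// 1. Concatenation, the pattern the thread warns about. The quote inside the
//    value terminates the string literal early and the statement no longer
//    parses, which is Mordred's point 1: the script itself stops working.
$concatenated = "UPDATE admin SET password = '" . $newPassword . "' WHERE id = '" . $id . "'";
try {
    $db->exec($concatenated);
    echo "concatenated UPDATE ran (not expected for this input)\n";
} catch (PDOException $e) {
    echo "concatenated UPDATE failed: " . $e->getMessage() . "\n";
}

// 2. Prepared statement: the SQL text is fixed and the values travel
//    separately, so the same input is stored exactly as given. This is the
//    "escape and quote before use" discipline of point 2, done by the driver.
$stmt = $db->prepare('UPDATE admin SET password = :pw WHERE id = :id');
$stmt->execute([':pw' => hash('sha256', $newPassword), ':id' => $id]);
echo "prepared UPDATE changed " . $stmt->rowCount() . " row(s)\n";

// 3. The same discipline applies to every verb that carries outside data,
//    here the SELECT that reads the row back.
$check = $db->prepare('SELECT name FROM admin WHERE id = :id');
$check->execute([':id' => $id]);
var_dump($check->fetchColumn());
```

With the old mysql_* functions the equivalent of step 2 is mysql_real_escape_string() on the value followed by quoting it in the statement, for UPDATE exactly as for INSERT and SELECT.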

Re: SQL Injection Attack prevention help

Posted: Wed Mar 26, 2008 9:56 am
by samb0057
Here's my database escape function, it escapes data that needs to be escaped and leaves numbers alone.
It can also escape a value or an array of values of unlimited depth.

Use that to surround any variables being used in a query and you are ahead of most people.

mysql_query('SELECT `username` FROM `users` WHERE `id` = ' . db_escape($_GET['id']));

// Escapes a value, or every leaf of a nested array, for use in a MySQL query.
// Numeric values are returned bare; everything else is escaped with
// mysql_real_escape_string() and, when $quotes is true, wrapped in double quotes.
// Requires an open mysql_* connection, as mysql_real_escape_string() does.
function db_escape($values, $quotes = true) {
    if (is_array($values)) {
        // Recurse into arrays of any depth, keeping the keys.
        foreach ($values as $key => $value) {
            $values[$key] = db_escape($value, $quotes);
        }
    }
    else if (is_bool($values)) {
        // Booleans become the integers 1 and 0.
        $values = $values ? 1 : 0;
    }
    else if (!is_numeric($values)) {
        // Note: is_numeric() also accepts floats and exponent notation such
        // as '1e3', and those pass through unquoted.
        $values = mysql_real_escape_string($values);
        if ($quotes) {
            $values = '"' . $values . '"';
        }
    }
    return $values;
}

Re: SQL Injection Attack prevention help

Posted: Thu Mar 27, 2008 7:11 am
by deadoralive
is_numeric allows more than digits through. It also allows floats etc.

Also, is there any reason NOT to quote numbers in an SQL statement? Every variable I put in an SQL statement gets quotes around it, regardless of type, and I've never run into any problems. Is anything wrong with this approach?
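The two points deadoralive raises, checked against PHP itself as an added example (not samb0057's code and not from the thread). numeric_check() shows which constructed sample values is_numeric() lets through, and therefore which db_escape() would emit into the SQL unquoted, against a strict integer test. db_escape_strict() is a hypothetical stricter variant with the same shape as samb0057's function: only integers stay bare, NULL is emitted as the SQL keyword, and everything else is escaped and quoted with PDO::quote(), which also removes the dependency on the mysql_* extension. The in-memory SQLite connection exists only because quoting is driver-specific and needs a connection.

```php
<?php
// Added example, not code from the thread. Connection is only needed for
// PDO::quote(); SQLite in memory is enough to demonstrate.
$db = new PDO('sqlite::memory:');

// Strict integer test: an int, or a string of digits with an optional sign
// and no leading zeros, whitespace, decimal point or exponent.
function is_strict_int($v): bool {
    return is_int($v) || (is_string($v) && preg_match('/^-?(0|[1-9]\d*)\z/', $v) === 1);
}

// For each sample, record what is_numeric() (used by db_escape) says next to
// the strict test, so the difference is visible.
function numeric_check(array $values): array {
    $out = [];
    foreach ($values as $v) {
        $out[var_export($v, true)] = [
            'is_numeric' => is_numeric($v),
            'strict_int' => is_strict_int($v),
        ];
    }
    return $out;
}

// Hypothetical stricter replacement for db_escape(): integers bare,
// NULL as the keyword, everything else escaped and quoted by the driver,
// arrays handled recursively as in the original.
function db_escape_strict(PDO $db, $values) {
    if (is_array($values)) {
        foreach ($values as $key => $value) {
            $values[$key] = db_escape_strict($db, $value);
        }
        return $values;
    }
    if (is_bool($values)) {
        return $values ? 1 : 0;
    }
    if ($values === null) {
        return 'NULL';
    }
    if (is_strict_int($values)) {
        return (string) $values;
    }
    return $db->quote((string) $values);   // always quoted, quotes inside doubled
}

// Constructed samples: plain integers, plus strings that look numeric to
// is_numeric() but are not a bare integer.
$samples = ['10', '1e3', ' 12', '-7', '0.5', '10abc', 12, "it's"];
foreach (numeric_check($samples) as $repr => $r) {
    printf("%-8s is_numeric=%-5s strict_int=%s\n",
        $repr, var_export($r['is_numeric'], true), var_export($r['strict_int'], true));
}
// '1e3', ' 12' and '0.5' pass is_numeric() and would reach the SQL unquoted
// from db_escape(); only '10', '-7' and 12 pass the strict test.

var_dump(db_escape_strict($db, ['10', '1e3', "it's", null, true, ['nested' => ' 12']]));
```

On the quoting question: MySQL compares a quoted numeric literal such as '10' against an INT column by converting the literal, so quoting every value is a safe default and is what the strict helper does for anything that is not a plain integer. The one case to be aware of is the reverse, a bare number compared against a string column, where MySQL converts the column side and can no longer use its index.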