SQL injection test

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Solgryn
Forum Newbie
Posts: 2
Joined: Thu Aug 26, 2010 6:04 am

SQL injection test

Post by Solgryn »

Hello,

About 3-4 months ago I made a PHP site for my games and it got SQL injected by some random people :/
I deleted it and started working on it again a few days ago. Now I think I sanitized my $_POST stuff right, but I'm unsure if it works;
the only real way to test it is to make an SQL injection attack yourself, I suppose...

I made code sort of like this:

Code:

function sanitize($data){
    // magic_quotes_gpc already backslash-escaped request data; undo that
    // so the value is not escaped twice below
    if(get_magic_quotes_gpc()){
        $data = stripslashes($data);
    }
    // escape quotes, backslashes and NUL for use inside a quoted MySQL
    // string literal (needs an open mysql_connect() connection)
    $data = mysql_real_escape_string($data);
    return $data;
}
and when I handled the $_POST, I made a string called $comment and set it to sanitize($_POST['comment']), which should work?

I wanna ask if someone here can see if it's working, if you've tried doing SQL injection attacks before...
If it doesn't work, I wanna ask if I could get some help xD.

My site is at http://solgryn.org/php/ ; go into a game and scroll down for the comment section (WIP).

Thanks in advance
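As an added example (not the original poster's code and not taken from the site linked above), this is how the comment insert and its display would look with PDO prepared statements, which keep user input out of the SQL text entirely so no per-value escaping function is needed. It assumes an in-memory SQLite database standing in for the site's MySQL server, a made-up table layout (comments: game_id, author, body), and constructed sample input in place of $_POST:

```php
<?php
// Added example: store and display a game comment with PDO prepared statements.
// Assumptions: SQLite in memory instead of the real MySQL server; the table
// layout is invented; $post stands in for $_POST.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With MySQL this matters: real server-side prepares instead of the driver
// interpolating values into the SQL string client-side.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE comments (
    id INTEGER PRIMARY KEY,
    game_id INTEGER NOT NULL,
    author TEXT NOT NULL,
    body TEXT NOT NULL
)');

function addComment(PDO $pdo, int $gameId, string $author, string $body): void
{
    // Length limits are enforced before the query; the database only ever
    // receives bound parameter values, never SQL built from them.
    if ($author === '' || strlen($author) > 40 || strlen($body) > 2000) {
        throw new InvalidArgumentException('author/body length out of range');
    }
    $stmt = $pdo->prepare(
        'INSERT INTO comments (game_id, author, body) VALUES (:game, :author, :body)'
    );
    $stmt->execute([':game' => $gameId, ':author' => $author, ':body' => $body]);
}

function commentsForGame(PDO $pdo, int $gameId): array
{
    $stmt = $pdo->prepare(
        'SELECT author, body FROM comments WHERE game_id = :game ORDER BY id'
    );
    $stmt->execute([':game' => $gameId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escape for the HTML body/attribute context at output time, not at storage
// time; the database keeps exactly what the user typed.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input standing in for $_POST['name'] / $_POST['comment'].
// The quote and the <script> tag are stored literally and rendered inert.
$post = [
    'game'    => '7',
    'name'    => "O'Brien",
    'comment' => "nice game! ' OR '1'='1 <script>alert(1)</script>",
];

addComment($pdo, (int) $post['game'], $post['name'], $post['comment']);

foreach (commentsForGame($pdo, 7) as $row) {
    echo '<p><b>', escapeHtml($row['author']), '</b>: ', escapeHtml($row['body']), "</p>\n";
}
```

The two separate steps are the point: the SQL side is handled by binding (the quote in the comment is data, not syntax), and the HTML side is handled by encoding when the comment is printed, so neither step has to know about the other.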
cpetercarter
Forum Contributor
Posts: 474
Joined: Sat Jul 25, 2009 2:00 am

Re: SQL injection test

Post by cpetercarter »

I have tried injecting some simple Javascript, but happily your webpage encodes the opening and closing chevrons, so the script displays but does not run. However, there is no need to allow people to put html tags in their comments, so why not strip_tags() as well.
Solgryn
Forum Newbie
Posts: 2
Joined: Thu Aug 26, 2010 6:04 am

Re: SQL injection test

Post by Solgryn »

cpetercarter wrote: I have tried injecting some simple Javascript, but happily your webpage encodes the opening and closing chevrons, so the script displays but does not run. However, there is no need to allow people to put html tags in their comments, so why not strip_tags() as well.
Yea, I disabled HTML tags with htmlentities(), dunno if that's the same. But you can no longer post HTML stuff in the comments.

Anyways, thanks for your help
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: SQL injection test

Post by timWebUK »

strip_tags will actually remove any HTML tags from a post entirely. Useful as a defense-in-depth measure. You could use it in unison with HTML entities.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: SQL injection test

Post by Mordred »

If you only plan to run things from get/post/cookies/request through this function, it is fine. Otherwise, you'll have issues (not security ones) with slashes being stripped.

http://www.logris.org/security/the-curs ... gic-quotes
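An added example (not from the thread or the linked article) of the usual way around the problem Mordred describes: undo magic_quotes_gpc once, at the top of the script, for the request arrays only. After that, a sanitizing function no longer has to guess whether a string came from the request (already backslash-escaped by PHP) or from a file or database (never escaped). It assumes PHP older than 5.4, where get_magic_quotes_gpc() still exists; on newer PHP the conditional block does nothing and only the demonstration at the end runs:

```php
<?php
// Added example: strip magic-quotes backslashes from the request arrays once,
// so nothing else in the application ever calls stripslashes() on its own.
// Assumes PHP < 5.4 (get_magic_quotes_gpc() was removed in PHP 8).

function stripslashesDeep($value)
{
    // Recurse into nested arrays such as $_POST['game']['comment']
    return is_array($value) ? array_map('stripslashesDeep', $value) : stripslashes($value);
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = stripslashesDeep($_GET);
    $_POST    = stripslashesDeep($_POST);
    $_COOKIE  = stripslashesDeep($_COOKIE);
    $_REQUEST = stripslashesDeep($_REQUEST);
}

// Why a sanitize() that calls stripslashes() is only safe for request data:
// a string that never passed through magic quotes loses its real backslashes.
$fromRequest = "It\\'s a game";           // constructed: what magic quotes hands you for "It's a game"
$fromFile    = 'C:\\games\\level1.dat';    // constructed: read from a config file, never escaped

echo stripslashes($fromRequest), "\n";    // the user's original text is restored
echo stripslashes($fromFile), "\n";       // the path's backslashes are silently removed
```

Once the request arrays are normalised this way, the only escaping left to do is the database-specific one (mysql_real_escape_string() in the original function, or none at all with prepared statements).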
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: SQL injection test

Post by kaisellgren »

strip_tags() <-- that's a horrible function and you want to avoid using it. Please whatever you do just do not run that strip_tags(), because it aggressively modifies user-submitted data. Oh yes, if phpBB did that, my entire post would have gone like poof :? (try it if you don't believe me)
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: SQL injection test

Post by timWebUK »

What's the best alternative?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: SQL injection test

Post by kaisellgren »

Either encode the whole output and let it be or use something like HTMLPurifier which does things a lot better than strip_tags().
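As an added example (not code from anyone in this thread), here are the two approaches kaisellgren contrasts, run side by side over constructed sample comments: strip_tags() rewrites the stored text, while encoding on output with htmlspecialchars() leaves the text intact and still renders any markup inert. The sample strings are made up for the comparison:

```php
<?php
// Added example: strip_tags() versus encode-on-output, applied to the same
// comment text. The $samples array is constructed for this demonstration.

declare(strict_types=1);

function encodeForHtml(string $raw): string
{
    // Encode when printing; the stored comment stays exactly what was typed.
    // ENT_QUOTES covers both quote styles, so the result is also safe inside
    // a double- or single-quoted attribute value.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$samples = [
    'plain'     => 'Great game, level 3 is hard',
    'less-than' => 'I <3 this game, beat it in <10 minutes',
    'markup'    => 'Try <b>this</b> <script>alert(1)</script>',
    'quotes'    => 'He said "go left" and it\'s fine',
];

printf("%-10s | %-42s | %s\n", 'sample', 'strip_tags()', 'htmlspecialchars()');
foreach ($samples as $name => $raw) {
    // Left column: what the user's text becomes if stripped at input time.
    // Right column: what the browser receives if the raw text is encoded at
    // output time (it displays as the original text, tags included as text).
    printf("%-10s | %-42s | %s\n", $name, strip_tags($raw), encodeForHtml($raw));
}
```

The 'less-than' row is the case kaisellgren is warning about: strip_tags() treats a bare "<" followed by a non-space character as the start of a tag and drops text the user meant literally, whereas the encoded version shows it unchanged. HTMLPurifier, the other option he names, is a separate library for the case where a subset of real HTML is meant to be allowed and is not shown here.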
pkphp
Forum Newbie
Posts: 12
Joined: Mon Sep 20, 2010 1:20 am

Re: SQL injection test

Post by pkphp »

Hey there, I need to say you have got a good idea. But keeping SQL injection away from your site is not an easy thing.
I suggest you read the code in a shopping cart script called Eclime or a forum project named Discuz.

They have the best function to keep it away.