  1. #1
    PatrickAllmond (ABW Ambassador)
    Join Date: September 20th, 2005 | Location: OKC | Posts: 1,219
    Preventing SQL injection attacks
    For you newbies and you old timers - some good tech info on protecting against SQL Injection Attacks when using PHP:

    http://www.metatitan.com/php/16/prot...injection.html

    FYI... an SQL injection attack is when somebody can type something in a search box or query string on your website and take control of your database, i.e. inject SQL that you were not expecting. When you are expecting someone to do a search, they can really slip in a DELETE, UPDATE or INSERT statement on you.

    Example: You have a search box where they can search for things (duh!). People normally type 'dvd' so your search becomes
    PHP Code:
    SELECT * FROM products WHERE name LIKE 'dvd'
    Instead they type '; delete * from products ; .. in the search box. What you execute is then...

    PHP Code:
    SELECT * FROM products WHERE name LIKE ''; DELETE FROM products;
    Good coding practices will keep this from happening!

    My personal security recommendation in this area is to only use a userid that has READ-ONLY privileges in that part of your web application that deals with the searches.

    GeekON!
    ---
    This response was masterly crafted via the fingers of Patrick Allmond who believes you should StopDoingNothing starting today.
    ---
    Focus Consulting is where I roll | Follow @patrickallmond on Twitter
    Search Engine Marketing | Search Engine Optimization | Social Media | Online Video
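The search example above, written out as an added PHP example (it is not code from the post or from the linked article): the concatenated query beside a PDO prepared statement. The `products` table, the `$_GET['q']` parameter, the DSN and the account name are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes a PDO connection to a
// MySQL database with a `products` table and a search term in $_GET['q'].

// VULNERABLE: the search text is glued into the SQL string. A term such as
//   '; DELETE FROM products;
// closes the quoted value, ends the SELECT and starts a second statement,
// which is exactly the failure described in the post above.
function searchVulnerable(PDO $pdo, string $term): array
{
    $sql = "SELECT * FROM products WHERE name LIKE '" . $term . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: a prepared statement sends the SQL text and the value separately, so
// the term is only ever compared as data and can never be parsed as SQL.
function searchSafe(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare('SELECT * FROM products WHERE name LIKE :term');
    // The value is bound here; the quotes are no longer part of the SQL.
    $stmt->execute([':term' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection settings that make the safe version genuinely safe: real
// server-side prepares (no client-side emulation) and exceptions on error,
// so a failed query surfaces in the log instead of silently returning nothing.
$pdo = new PDO(
    'mysql:host=localhost;dbname=shop;charset=utf8mb4', // assumed DSN
    'shop_user',                                        // assumed account
    getenv('DB_PASSWORD') ?: '',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$term = $_GET['q'] ?? '';
// Note: % and _ inside $term still act as LIKE wildcards. That is a search
// quirk, not an injection, but escape them if exact matching matters.
$rows = searchSafe($pdo, $term);
```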

  2. #2
    Member
    Join Date: December 6th, 2006 | Location: na | Posts: 173
    Php
    The easiest way is to use mysql_real_escape_string()
    in php.

  3. #3
    PatrickAllmond (ABW Ambassador)
    Join Date: September 20th, 2005 | Location: OKC | Posts: 1,219
    Oziman - Did you go visit the link?

  4. #4
    Member
    Join Date: December 6th, 2006 | Location: na | Posts: 173
    nah, just added my .02.

    I always like to link directly to the manual.. call it my artistic side

  5. #5
    Donuts (Lite On The Do, Heavy On The Nuts)
    Join Date: January 18th, 2005 | Location: Winter Park, FL | Posts: 6,930
    Quote Originally Posted by patrick24601
    My personal security recommendation in this area is to only use a userid that has READ-ONLY privileges in that part of your web application that deals with the searches.
    Does this mean that instead of our standard database connection strings (that we likely use ourselves when we log into mysql), we set up an additional db user, assign that user read-only privileges, then use that user and password on our pages that make db connections?

  6. #6
    Member
    Join Date: December 6th, 2006 | Location: na | Posts: 173
    Quote Originally Posted by Donuts
    Does this mean that instead of our standard database connection strings (that we likely use ourselves when we log into mysql), we set up an additional db user, assign that user read-only privileges, then use that user and password on our pages that make db connections?
    That seems to be his suggestion - it will only work if you're not actively inserting something into your db.

  7. #7
    Donuts (Lite On The Do, Heavy On The Nuts)
    Join Date: January 18th, 2005 | Location: Winter Park, FL | Posts: 6,930
    Right, on display pages that are only reading or else we'd break the page's function with a read-only user connection.

    I'm thinking I need to go do this. Since I have to do it in quite a few places, I wanted to ask.

    Patrick24601, are you recommending we do this on pages where reading is only going on?

    Oziman, are you also recommending this as well?

    I continue to get tons of attempts on my sites' forms and URLs where they're probing my site for entry ways... am thinking this is yet another layer of protection I can add... other than breaking page features that interact with my db in ways other than reads, are there any other gotchas that come to mind?

  8. #8
    Member
    Join Date: December 6th, 2006 | Location: na | Posts: 173
    Quote Originally Posted by Donuts
    Right, on display pages that are only reading or else we'd break the page's function with a read-only user connection.

    I'm thinking I need to go do this. Since I have to do it in quite a few places, I wanted to ask.

    Patrick24601, are you recommending we do this on pages where reading is only going on?

    Oziman, are you also recommending this as well?

    I continue to get tons of attempts on my sites' forms and URLs where they're probing my site for entry ways... am thinking this is yet another layer of protection I can add... other than breaking page features that interact with my db in ways other than reads, are there any other gotchas that come to mind?
    I would say it's certainly a good thing to do but that it can be somewhat limiting. Meaning in the future if you decide to add some sort of interactivity to a page, you may have to readjust this again.

    If you're going to try this - try it on one of your sites and see what happens. Without seeing code it's hard for me to abstractly determine what could go wrong, but I would say make sure your new read only user has permission to the specific database as well, and that you're not doing ANY Updates/Inserts etc.

    I think the best way to deal with this problem is to actively parse entries (either using the PHP functions or your own code or both) before using them; if you can make your user read only and not worry about it, then by all means.

    As for the probes - we run mod_security on top of our Apache boxes that we use and it deflects a large amount of the probes that come our way.

  9. #9
    PatrickAllmond (ABW Ambassador)
    Join Date: September 20th, 2005 | Location: OKC | Posts: 1,219
    Donuts,

    My answer my friend would be a resounding yes. Don't give anybody/any pages Read/Write/Alter access to your database unless they absolutely need it.

    Now... oziman also has a point. What this means is that you may have an ID for the read-only functions (i.e. customer facing pages) and another ID for admin type functions (functions that alter data). And in some cases you will have customer facing pages that need to save data, i.e. if you let users customize the look and feel of the page and save their settings.

    Is it more work? Without a doubt YES. Will it make you more secure? Without a doubt YES. And I can tell you right now on a gov't contract I am on this is exactly how we do things to make sure only the correct people get update access. Nobody here is doing the large scale work I am doing. But this is just another best practice that you can use to secure your data.

    Patrick

  10. #10
    Donuts (Lite On The Do, Heavy On The Nuts)
    Join Date: January 18th, 2005 | Location: Winter Park, FL | Posts: 6,930
    Well, I already use long-weird-named include files to load my db connection variables, so it seems I just need to have two includes, one for master rights and one for read only rights and just make sure I correctly classify my pages concerning which ones need which access and run with that.

    And for me, the vast majority of my pages are just reading and presenting data and I allow visitors to customize it in ways that don't require signups and such, so there are very few instances where I allow them to do any db writing / editing, but I can see exactly what you both mean. Like this page here, on a forum, isn't just reading since I'm posting to a db... got it.
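The split between a read-only ID for customer-facing pages and a read-write ID for pages that save data (posts #9 and #10 above), as an added PHP example that is not code from the thread. The MySQL database name `shop`, the account names, the include file paths, and the `$theme`/`$userId` values are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes MySQL, a database named
// `shop`, and two credential files kept outside the web root (paths assumed).
//
// The two accounts are created once on the MySQL server, e.g.:
//   CREATE USER 'shop_ro'@'localhost' IDENTIFIED BY '<ro password>';
//   GRANT SELECT ON shop.* TO 'shop_ro'@'localhost';
//   CREATE USER 'shop_rw'@'localhost' IDENTIFIED BY '<rw password>';
//   GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'shop_rw'@'localhost';
// Neither account is given DROP, ALTER, FILE or the GRANT OPTION.

function dbConnect(string $role): PDO
{
    // One include per role (the "two includes" idea); each file returns
    // ['dsn' => ..., 'user' => ..., 'pass' => ...].
    $files = [
        'readonly'  => '/etc/myapp/db_ro.php',
        'readwrite' => '/etc/myapp/db_rw.php',
    ];
    if (!isset($files[$role])) {
        // Fail closed: a misclassified page must not fall back to more access.
        throw new InvalidArgumentException("unknown db role: $role");
    }
    $cfg = require $files[$role];
    return new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Display and search pages only read, so they use the read-only account. If
// an injection ever slipped through here, a DELETE/UPDATE/INSERT would be
// refused by the server with a privilege error instead of changing data.
// It does NOT stop a SELECT-based injection from reading data, so prepared
// statements stay in place on every page.
$ro = dbConnect('readonly');
$stmt = $ro->prepare('SELECT id, name FROM products WHERE name LIKE :term');
$stmt->execute([':term' => '%' . ($_GET['q'] ?? '') . '%']);
$products = $stmt->fetchAll(PDO::FETCH_ASSOC);

// A page that saves a visitor's settings really does write, so it is the one
// place that loads the read-write account. $theme and $userId are assumed to
// come from the validated form and the session.
$rw = dbConnect('readwrite');
$save = $rw->prepare('UPDATE users SET theme = :theme WHERE id = :id');
$save->execute([':theme' => $theme, ':id' => $userId]);
```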

  11. #11
    ABW Ambassador
    Join Date: June 30th, 2007 | Location: Syracuse, NY | Posts: 677
    As someone who's read this thread, and really has no clue what is being talked about, would I need to do this? LOL

    The website I'm building does use PHP and will have databases, but I'm using wordpress as my CM. Site really isn't a blog. Oh and I do plan to have a search box.

    Would the stuff mentioned here, be needed by me?
