
Sql Injection, Hit Me!

Hi Guys,

I’m not sure if this is a good forum for this or not, but I’m sure that there are a few of you experienced with SQL injection.

Anyway, I’m trying to secure my site from SQL injection; right now I’m working on the login area.

[url]http://www.gallatinwebdesign.com/webdevcl/[/url]

The real username and password:
user: [B]demo [/B]
pass: [B]demo[/B]

My question IS,
[U]If you’re bored, would you mind trying to SQL inject the above site?[/U]

Anyway, I wrote an install program to reconstruct the database, and all the data is basically useless (testing only), so don’t hold back!

Gimme all you got!

Oh, and the forms located after login aren’t secure; I don’t have any preg_replace/str_replace/magic_quotes for them yet, but I will. I’m only concerned about the login box.

Oh, and ' or ''=' won’t work, I already tried.

Thanks a lot!

PS. This isn’t important.

PHP

12 Comment(s)

@scragar, Apr 26, 2005 — Can you show us some of the associated code? This will help us work out what to try, and what to protect yourself from (I can think of at least 30 different strategies).
@webgovernor (author), Apr 26, 2005 — Yup, here it is. That's all I have; I've never tried to prevent SQL injection before, so I don't know if this is too much or not enough.

[code=php]function injectDeter() {
    global $user, $pass;

    // The characters ' + ( ) * are regex metacharacters (and a bare ' is a
    // PHP syntax error inside a single-quoted string), so they are escaped
    // with a backslash; the other patterns are plain literals.
    $patterns[0] = '/@/';
    $patterns[1] = '/\'/';
    $patterns[2] = '/>/';
    $patterns[3] = '/</';
    $patterns[4] = '/\+/';
    $patterns[5] = '/#/';
    $patterns[6] = '/!/';
    $patterns[7] = '/\(/';
    $patterns[8] = '/\)/';
    $patterns[9] = '/%/';
    $patterns[10] = '/\*/';
    $patterns[11] = '/=/';
    $patterns[12] = '/&/';

    // Replacement text, index-aligned with $patterns
    $replacements[0] = 'at';
    $replacements[1] = '`';
    $replacements[2] = ']';
    $replacements[3] = '[';
    $replacements[4] = 'add';
    $replacements[5] = 'pound';
    $replacements[6] = 'exclame';
    $replacements[7] = '[';
    $replacements[8] = ']';
    $replacements[9] = 'percent';
    $replacements[10] = 'times';
    $replacements[11] = 'equal';
    $replacements[12] = 'amp';

    // Keep both arrays in the same key order so pattern N maps to replacement N
    ksort($patterns);
    ksort($replacements);

    $user = preg_replace($patterns, $replacements, $user);
    $pass = preg_replace($patterns, $replacements, $pass);

    //Remove slashes to test
    //echo "User is: " . $user . "<br />" ;
    //echo "Pass is: " . $pass . "<br />";
}[/code]


Have fun.

Thanks.
@scragar, Apr 26, 2005 — 2 much.

Most of those can be safely removed; SQL doesn't use them.
@Stephen_Philbin, Apr 26, 2005 — Never really looked into it much yet. I always assumed if I ran strip_tags() I was good. Would I be correct in assuming my assumption was incorrect?
@pyro, Apr 26, 2005 — [QUOTE]Would I be correct in assuming my assumption was incorrect?[/QUOTE]Yes... ?

Always, always, ALWAYS be sure to escape quotes.
@pyro, Apr 26, 2005 — Oh, and this might help. It's the function I use to prepare a string for database entry:

[code=php]/*
 * Function to prepare string for mysql_query
 * @param str
 * The string to be formatted
 */

function mysql_prepare($str) {

    # check for magic quotes and strip those suckers
    # (otherwise the value would be escaped twice)
    if (ini_get('magic_quotes_gpc') == true) {
        $str = stripslashes($str);
    }
    # prepare for mysql_query: escapes quotes, backslashes and NUL bytes
    # (needs an open mysql_connect() link; the mysql extension was removed
    # in PHP 7, where mysqli_real_escape_string() or prepared statements
    # take its place)
    $str = mysql_real_escape_string($str);
    # trim string
    $str = trim($str);

    return $str;
}[/code]
@webgovernor (author), Apr 26, 2005 — Ok, so it was too much?

Pyro's above function would suffice?

No one can successfully inject into my DB?

Pyro, do I have to "un-parse" the code at all?

Thanks guys, I appreciate the help!
@pyro, Apr 26, 2005 — [QUOTE]Pyro, do I have to "un-parse" the code at all?[/QUOTE]
What do you mean by that?
@webgovernor (author), Apr 26, 2005 — My question was referring to whether or not the above function added or removed characters that shouldn't or should be there, not just checking and removing if necessary.

Example:

Replace all single quotes in a string with back quotes "`" for storage, then when displaying "un-replace" the back quotes with singles...

See what I'm saying?

After some research of the magic_quotes_gpc I realize that the code probably doesn't need unparsing, as far as I can tell, so I can grab "$str" right after the function and use it like I normally would if it were entered without parsing.

Hope that makes sense!

Thanks again for the input, it'll come in handy!

Oh, and good luck with CSS 4 idiots, I mean dummies...
@webgovernor (author), Apr 26, 2005 — Update:

That script is SOO much better than mine, thanks.
@webgovernor (author), Apr 26, 2005 — Problem with "/''" as username though, probably my fault.

Edit: it was my fault.
@Stephen_Philbin, Apr 27, 2005 — I noticed that mysql_real_escape_string does not escape or remove the semicolon ";". I can kinda see why, but surely this is a bad thing?

EDIT:

Ok. So I wasn't entirely convinced by the whole [i]not chucking out certain characters[/i] thing and after having a bit of a tinker came up with another function. You just give it the input you want to "sanitise" and the option of sanitisation you want it to use.

Here it is:
[code=php]
// Declared as a method of the poster's database class; $dberror is the
// class-wide "stop everything" flag described below the code.
public function sanitise($sanvar, $safety)
{
    global $dberror;

    if (!$dberror)
    {
        if (get_magic_quotes_gpc())
        {$sanvar = stripslashes($sanvar);}

        // trim() returns the trimmed copy, so the result must be assigned
        $sanvar = trim($sanvar);

        // Characters stripped in "safe" mode. The forum mangled the two
        // quote entries; they are reconstructed here as the double-quote
        // and single-quote characters.
        $safe = array("_", "%", ";", ",", ".", '"', "'", "!");
        // "numeric" mode: same list without comma and dot, so decimal
        // values survive
        $numeric = array("_", "%", ";", '"', "'", "!");

        switch($safety)
        {
            case "safe":
                $sanvar = str_replace($safe, "", $sanvar);
                break;

            case "numeric":
                $sanvar = str_replace($numeric, "", $sanvar);
                break;
        }

        if(($safety === "safe") || ($safety === "unsafe") || ($safety === "numeric"))
        {
            // Non-numeric values are escaped and quoted; numeric values are
            // returned bare
            if (!is_numeric($sanvar))
            {$sanvar = "'".mysql_real_escape_string($sanvar)."'";}
            return $sanvar;
        }
        else
        {
            $dberror = "The required second parameter of the sanitise() function was either not present or was incorrect. The required second parameter must be one of either \"numeric\", \"safe\" or \"unsafe\". All database functions occurring after this error have been disabled.";
            return FALSE;
        }
    }
}
[/code]


Just in case you're wondering, nothing in that method directly prevents other database interaction methods from working. It's just that all other methods in the class are designed to do nothing on detection of the existence of the variable $dberror regardless of type. Be that string, boolean, integer or whatever.

So what do you reckon? Pointlessly excessive? Might be handy?
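The thread compares three ways of getting a login value into a query: raw interpolation (what the first post is worried about), escaping (pyro's mysql_prepare()), and, by implication, prepared statements. The block below runs all three side by side against the same inputs, including the ' or ''=' input mentioned in the opening post and a value containing a semicolon, which answers Stephen's question about why mysql_real_escape_string leaves ";" alone. This is an added example, not code from the thread or from any poster; it assumes PDO with an in-memory SQLite database in place of the old mysql extension (PDO::quote() stands in for mysql_real_escape_string()), and the users table and its two rows are constructed for the demo.

```php
<?php
// Added example, not code from the thread. PDO + in-memory SQLite so it runs
// offline; the table and rows are constructed for the demonstration.

function buildDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Plaintext passwords only because the thread's test site stores them
    // that way; a real login compares password hashes instead.
    $db->exec("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)");
    $db->exec("INSERT INTO users VALUES ('demo', 'demo'), ('alice', 'pa;ss')");
    return $db;
}

// 1. Raw interpolation: the value becomes part of the SQL text, so a quote
//    in the input closes the string literal and the remainder is parsed as SQL.
function countConcat(PDO $db, string $user, string $pass): int {
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$user' AND password = '$pass'";
    return (int) $db->query($sql)->fetchColumn();
}

// 2. Escaping, the approach of mysql_prepare() in the thread: PDO::quote()
//    wraps the value in quotes and doubles any quote inside it, so the
//    literal cannot be closed early. A semicolon inside the literal is just
//    another character, which is why the escaper does not touch it.
function countEscaped(PDO $db, string $user, string $pass): int {
    $sql = "SELECT COUNT(*) FROM users WHERE username = " . $db->quote($user)
         . " AND password = " . $db->quote($pass);
    return (int) $db->query($sql)->fetchColumn();
}

// 3. Prepared statement: SQL text and values are sent separately, so no
//    character in the input can alter the statement's structure.
function countPrepared(PDO $db, string $user, string $pass): int {
    $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE username = ? AND password = ?");
    $stmt->execute([$user, $pass]);
    return (int) $stmt->fetchColumn();
}

$db = buildDemoDb();
$attempts = [
    ['demo',  'demo'],       // genuine credentials: every variant matches 1 row
    ['demo',  "' or ''='"],  // input from the opening post: concat matches both rows, the others none
    ['alice', 'pa;ss'],      // semicolon in the value: 1 row in all three, it never leaves the literal
];
foreach ($attempts as [$u, $p]) {
    printf("%-6s %-10s concat=%d escaped=%d prepared=%d\n",
        $u, $p,
        countConcat($db, $u, $p),
        countEscaped($db, $u, $p),
        countPrepared($db, $u, $p));
}
```

Run it with the PHP CLI (`php demo.php`, pdo_sqlite enabled). The escaped variant only holds up because the escaped value is always placed inside quotes; a value dropped into the query bare, as sanitise() above does for numeric input, relies on the is_numeric check rather than on escaping, so that path is the one to test most carefully. Prepared statements remove the question entirely, which is why they are the usual recommendation over character blacklists.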