|
PHP - Mysql Injection Protection
How can you protect mysql injection? (from inserting different statements into the input field)
Thanks Similar Tutorialsim having some robots injecting gibberish i wnat to deny amy links in the requesttext of the form for some reason i tested it and it accepted a http link Code: [Select] if (preg_match("/http/i","$RequestText")){ exit();} thanks <?php include ("database.php"); // show comments $result = mysql_query("SELECT * FROM gamecomments"); while($row = mysql_fetch_array($result)) { echo $row['username'] . ": <Br> " . $row['comment']; echo "<p>"; } ini_set ("display_errors", "1"); error_reporting(E_ALL); if (isset($_POST['submit'])) { // now we insert it into the database $insert = "INSERT INTO gamecomments (username, comment) VALUES ('[$username]', '$_POST[comment]')"; $add_comment = mysql_query($insert); { echo "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=games.php\">"; } } I haven't had a problem with sql injection yet, but I'm scarred to death. I didn't do any form data validation as I was building my site. I'm just now starting to learn how. Magic_quotes is turned on at my host. I know about htmlspecialchars and mysql_real_escape_string and stripslashes and htmlentities. In testing each of these, it seems they all miss one thing or another. so, I created an array of words and characters that I can't for the life of me imagine anyone would ever need on any form in my site, that I THINK addresses most if not all of the really bad things. But hey... I'm new to this. So here is my array and using print_r() it looks pretty good. Code: [Select] $badstuff = array('select','delete','update','insert','drop','=',';','"','\'','<','>','/'); Code: [Select] Array ( [0] => select [1] => delete [2] => update [3] => insert [4] => drop [5] => select [6] => delete [7] => update [8] => insert [9] => drop [10] => = [11] => ; [12] => " [13] => ' [14] => < [15] => > [16] => / ) My str_ireplace() function works fine within the code, but I'd like to create a function using str_ireplace(). I am failing miserably. Here is my function that doesn't work... Code: [Select] function strip($string){ return str_ireplace($badstuff,"",$string); } Here below..... the first line, that uses the function does NOT work. The second line that just uses str_replace() function works fine. Code: [Select] echo strip($string).'<br>'; echo str_ireplace($badstuff,"",$string) Can anyone tell me why my function does not work? I've read and watched 20 tutorials and just can't see the problem. Thanks for any input. '[$username]' is using a variable from a cookie varifying that you are logged in, this code works except i need to put real escape strings and protection from mysql injection and dont really know where to put them. Code: [Select] if (isset($_POST['submit'])) { // now we insert it into the database $insert = "INSERT INTO gamecomments (username, comment) VALUES ('[$username]', '$_POST[comment]')"; $add_comment = mysql_query($insert); { echo "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=games.php\">"; } } [CODE] i am using a Anti MySQL Injection my friend made for me config.php //Anti MySQL Injection function anti_injection($sql) { // removes words that contain sql syntax $sql = preg_replace(sql_regcase("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/"),"",$sql); $sql = trim($sql); // strip whitespace $sql = strip_tags($sql); // strip HTML and PHP tags $sql = addslashes($sql); // quote string with slashes return $sql; } <?php include "./config.php"; $title = $_POST[title]; $type = $_POST[type]; $episode = $_POST[episode]; $year = $_POST[year]; $genre = $_POST[genre]; $status = $_POST[status]; $summary = $_POST[summary]; $pictures = $_POST[pictures]; $title = anti_injection($title); $type = anti_injection($type); $episode = anti_injection($episode); $year = anti_injection($year); $genre = anti_injection($genre); $status = anti_injection($status); $summary = anti_injection($summary); $pictures = anti_injection($pictures); ?> When i enter the data from the text box and click submit it still puts the data in to the date base but it shows ]Notice: Use of undefined constant title - assumed 'title' in C:\wamp\www\studying\take 2\addin11.php on line 41 Notice: Use of undefined constant type - assumed 'type' in C:\wamp\www\studying\take 2\addin11.php on line 42 Notice: Use of undefined constant episode - assumed 'episode' in C:\wamp\www\studying\take 2\addin11.php on line 43 Notice: Use of undefined constant year - assumed 'year' in C:\wamp\www\studying\take 2\addin11.php on line 44 Notice: Use of undefined constant genre - assumed 'genre' in C:\wamp\www\studying\take 2\addin11.php on line 45 Notice: Use of undefined constant status - assumed 'status' in C:\wamp\www\studying\take 2\addin11.php on line 46 Notice: Use of undefined constant summary - assumed 'summary' in C:\wamp\www\studying\take 2\addin11.php on line 47 Notice: Use of undefined constant pictures - assumed 'pictures' in C:\wamp\www\studying\take 2\addin11.php on line 48 Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30 Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30 Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30 Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30 Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30 Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30 Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30 Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30 And thanks to the Anti MySQL Injection my Primary key in my database dont work :s can you help? thank you Does this code have mySQL Injection vulnerability?
$query = "DELETE FROM `$table` WHERE `$column` IN('".implode("','",$array)."')";
using php5, would this make the code more safe...
foreach($array as $key=>$a){
$array[$key] = mysql_real_escape_string($a);}
$query = "DELETE FROM `$table` WHERE `$column` IN('".implode("','",$array)."')";
or is there another way to make the code safe?
Hello People, Been reading up on these and trying to understand them more. Say I have a file called page.php?id=12345 and when users hit the page I run this code in the background: $id = $_GET['id']; $query = "UPDATE tbl SET live = '1' WHERE id = '".$id."'"; That page is not open to any attack right? Even though i'm using $_GET. Am I right in thinking that attacks only happen on online forms. So for example there is no way an attacker could somehow output all the data in my table tbl Thank yo $_POST['user_name'] = "CLUEL3SS"; $_POST['user_pass'] = "test123"; $_POST['confirm_pass'] = "test123"; $_POST['user_email'] = "user@email.com"; $_POST['confirm_pass'] = 'user@email.com'; function testFunc($inputVars){ foreach($inputVars as $key=>$value){ $escapeData[$key] = mysql_real_escape_string($value); } return $escapeData; } var_dump(testFunc($_POST)); I'm trying to make a user system for my site and I want to make sure its secure enough to void off injection attackers. Any useful advice and and suggestions would be greatly appreciated! Thanks! been wondering about this for a while do I need to put the escape on each WHERE? or do i really only need to put it on the $_POST i can probably understand why i need it on $_GET also after WHERE. So wondering about the session id. Code: [Select] <?php mysql_query("UPDATE systems SET homes= $homes + '".mysql_real_escape_string($_POST['homes'])."' WHERE address = '".mysql_real_escape_string($_GET['planet'])."' AND id = '".($_SESSION['user_id'])."'"); ?> is this select query code safe from injection?
try {
$stmt = $db->prepare("SELECT * FROM posts WHERE key=$key");
$stmt->execute();
$row = $stmt->fetch();
}
notice there is no bind.
$stmt->bindParam(':key', $key);
the reason i am asking is that i have many $key variable in the query and i do not know how to use bind in a query such as this...
SELECT count(*) FROM posts WHERE MATCH (file) AGAINST
('$key' IN BOOLEAN MODE) OR MATCH (user) AGAINST ('$key' IN BOOLEAN MODE)
the $key is not an array and the $key does not change it's value.
Edited by kalster, 04 January 2015 - 05:52 PM. I currently use the following function to clean form inputs to prevent MySql injection, Does this function do enough to prevent MySql injection? is there anything i have missed? <?php //Function to sanitize values received from the form. Prevents SQL injection function clean($str) { $str = @trim($str); if(get_magic_quotes_gpc()) { $str = stripslashes($str); } return mysql_real_escape_string($str); } ?> how would this code work? Code: [Select] if ($_POST['username'] == "[, ., ,, _, -" ){ die('Invalid characters.'); i want it to mean if there are any characters like ", [ . - _ ' " or anything in the username then die('invalid characters.'); for extra safety hello.
im trying to password protect my pages in a simple way like this:
http://www.scottconn...ord_protection/
but for some reason it doesnt chek the login file, so it doesnt work:
<?php require_once 'login.php'; ?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Untitled Document</title>
<style type="text/css">
#form1 table tr td label {
}
#form1 table {
text-align: left;
}
#wrapper {
margin: 20px auto;
text-align: center;
font-size: 20px;
}
#wrapper2 {
margin: 20px auto;
text-align: center;
font-size: 20px;
}
</style>
</head>
<body>
<div id="wrapper">
--<a href="tilfojer.html">Tilføj Aktivitet</a>--<br>
--<a href="tilfojtilvalg.html">Tilføj Tilvalg</a>--<br>
--<a href="tilfojrestaurant.html">Tilføj Restaurant</a>--<br>
--<a href="tilfojmenu.html">Tilføj Menu</a>--
</div>
<div id="wrapper2">
--<a href="seaktivitet.php">Se Aktiviteter</a>--<br>
--<a href="setilvalg.php">Se Tilvalg</a>--<br>
--<a href="serestaurant.php">Se Restauranter</a>--<br>
--<a href="semenu.php">Se Menuer</a>--
</div>
</body>
<a href="?logout=1">Logout</a>
</html>
that is how i implemented it. made the file an php file
can somone tell me why it doesnt work. and maybe how to make it work, and why that works
many thanks
I need to know, what i need to care about while im coding, how someone can hack my php code. Some tricks for protection pls? I want to password protect my entire website. How would I go on to doing this. There is a website that has this already (www.printerdev.co.uk). I want to do the exact same thing but not sure how to. Can someone please help me I have been getting a lot more client requests to protect files. What is the easiest way to do this. So, basically I have tried doing it outside the public directory. There are too many things that cause issues with this. I haven't been able to get a successfull implementation of this since I started working with this. So I was thinking instead about password protecting a directory that is inside public view, but still get files via PHP. Is there a way to setup a password protected directory, then retreive stuff from that directory using PHP. Or, a good way to put them outside the public folder. Everything I have tried to do to get a file to save outside of public view, has not worked. It always says uploaded but the file is never there. Also, I have verified correct permission for this as well. I have a contact form, and I want to make sure it doesn't send a bunch of duplicates if the page is refreshed after being submitted. Simple way is to make sure this record isn't identical to the one before it: select * from `contacts` where `Name`='$name' and `Phone`='$phone' and `Message`='$message' and `Subject`='$subject' and `Email`='$email' But, that checks against all records. While not likely, this could cause problems, if the same customer came back a month later and put in the same exact contact. Any way I can check it only against the very last record in the database? Something like: and `id`=XX , where XX is one less than the current auto inc id? I have never looked into sanitizing before, Is using htmlentities() good enough to protect against sql injection ? Thanks. Hey, Wondering if this would work, it is based on the idea that everyone who is a real visitor will be using a browser, is that correct? Do robots use browsers too? if so, it wont work! haha. <? $browser = mb_substr($_SERVER['HTTP_USER_AGENT'], 0, 31); if (!empty($browser)){echo '<form action="send.php" method="post">';} ?> Just thought it was nice and simple, and couldnt see anywhere if it would work or not... |
|||||||