|
PHP - Sql Injection Small Question
Hi all,
I thought instead of just simple do all the security stuff automatically, why not see for myself what the it can do. So I made a simple table besides the other tables named delete_me, made a form and started testing. But for some reason I can get that table to drop. this is what i did on the front end with help from he http://en.wikipedia.org/wiki/SQL_injection in all 3 fields (firstname, lastname email) put a value and in the last one i put: but nothing happend. if someone knows what i am doing wrong please tell me because I think it's vital in order to protect yourself one needs to know what he or she is up against. Similar TutorialsHey Guys! I have the following Working php script (receives the variables from Flash) //LOGIN! if ($action == "login") { //retreive data from flash $username=mysql_real_escape_string($_POST['Username']); $password=mysql_real_escape_string($_POST['txtPassword']); $result = mysql_query("SELECT name, activated from buyers WHERE email = '$username' AND password = md5('$password')"); $cant = 0; while($row=mysql_fetch_array($result)) { echo "name$cant=$row[name]&activated$cant=$row[activated]&"; $cant++; } echo "cant=$cant&"; if (mysql_num_rows($result) > 0) { echo "status1=exists"; } else { echo "status1=Incorrect Login"; } } As you can see I have used mysql_real_escape_string for the variables $username and $password that are coming from Flash. I would really appreciate some guidence if this is the only safe code I need in this script? For example: Does $action == "login" need also mysql_real_escape_string ?? That variable $action is also coming from flash (but is not inputted by a user) Any ideas? Thanks in advance, Cheers! been wondering about this for a while do I need to put the escape on each WHERE? or do i really only need to put it on the $_POST i can probably understand why i need it on $_GET also after WHERE. So wondering about the session id. Code: [Select] <?php mysql_query("UPDATE systems SET homes= $homes + '".mysql_real_escape_string($_POST['homes'])."' WHERE address = '".mysql_real_escape_string($_GET['planet'])."' AND id = '".($_SESSION['user_id'])."'"); ?> I have a search button to help user searching text they are looking. and i use $_GET to pass the value and get it into my query so it simply like this when value was passed into the URL page.php?search=text the problem is that when i try to modify a bit like this page.php?search=">test although i don't get any problem with the query (ERROR) as i've replaced all special characters with blank string, but i always have this test" /> text appear on my page.. what should i do to avoid this?? if they can do whatever they want, it means there is a space for attacker to inject bad codes thanks in advance let say i have this <a href="myuploadfolder/picture1.jpg">Picture</a> and when user click on the link, they can see in which folder their picture were kept...is this dangerous?? if yes then how to hide it?? thanks in advance Hi all a small question. I was wondering if someone knows what would be the approach to achieve the following. on a page I show a random number. If the page refreshes (selfreferencing) It shows a new random number but also a the previous number, and this must be able to repeat itself : ) So to make it more visible: New Random number = 98765 Previous Number = 56412 This is what I have but it's ofc not working because ones the session var has been set it will not show the previous variable but the very first one. <?php session_start(); $random_number .= mt_rand(1,100000); if(!isset($_SESSION['number'])){ $_SESSION['number']=$random_number; } // echo all out: echo 'New random number is: '.$random_number; echo 'Previous number is: '.$_SESSION['number']; ?> I bet i need another variable to store the previous one in but for some reasons my brains don't work at the moment HI all, I have a book with some nice examples, but often i wonder if they are that secure for displaying and using outside the production area. One of them is this. A form is created by using a while loop that gets data(email addresses) from a database and shows them with check boxes. after that someone can select the e-mailaddress they don't like and delete them from the database. here is some code: <?php //.... $result = mysqli_query($dbc,$query); while ($row = mysqli_fetch_array($result)){ echo '<input type="checkbox" value"'.$row['id'].'"name="todelete[]"/>'; echo $row['firstname']; } //.........deleting part if (isset($_POST['submit'])){ foreach($_POST['todelete'] as $delete_id){ $query = "DELETE FROM email_list WHERE ID = $delete_id"; mysqli_query ($dbc, $query) or die ('error querying databse'); } } //.... ?> I have two questions: -> is this a smart way of deleting stuff? since you are going to use multiple queries instead of 1 in the for each loop. -> besides not using mysqli_real_escape_string, isn't this application allowing someone to alter the POST-array (todelete) to any value he likes? At least that's what i think can happen. If anyone knows a nice way to do this more secure , I would love to here it, because i don't really trust the html array created. Thanks in advance! Hey guys. Sorry to start asking questions being such a new member but this just suddenly came up. I have a php script that needs to send binary data to another php script via HTTP. The data can be transferred through the methods GET and POST, preferably POST and preferably not as a file. The problem is that I have tried a number of ways to do this but every time the data seems to be corrupted. Some bytes stay the same but others disappear or change. I guess that they transfer through ASCII mode instead of BINARY but couldn't find any way to fix this. Any help would be deeply appreciated. Cheers. Hi all, I just stumbled upon the 'new' filter function of php and i was wondering if someone could maybe recommend me which to use. for instance if i have a script: <?php $_evilstring = "<script> alert('justin bieber is ruining your sound system')</script>"; $_clean1 = htmlspecialchars($_evilstring); echo 'clean string one = '.$_clean1.'<br />'; $_clean2 = filter_var($_evilstring, FILTER_SANITIZE_SPECIAL_CHARS); echo 'clean string two = '.$_clean2.'<br />'; ?> Both output exactly the same. Now i was wondering if there might be differences in them. For some reason I would like to use the filter function because the name sounds better, but that of course is not very scientific. Anyone with ideas maybe performance, speed, wickedness?? I'm confused, can this result in css/sql injection? Code: [Select] if(isset($_GET['action'])){ if($_GET['action'] == 'details'){ $cupID = $_GET['cupID']; $ergebnis = safe_query("SELECT gameaccID, name, start, ende, typ, game, `desc`, status, checkin, maxclan, gewinn1, gewinn2, gewinn3 FROM ".PREFIX."cups WHERE ID = '".$cupID."'"); $ds=mysql_fetch_array($ergebnis); ... Some german fellow was explaining, translate to English briefly: "$ CupID is not escaped. NEN here I could just "; DROP TABLE` cups `Paste and your table is no longer available eez. Or I could inject javascript, your current session read out, accept it and act as an admin ... " I am trying to understand what he means by this... is this query vulnerable to an injection and why/how? I am having a wamp issue so I can't try these out right now. According to the book I'm learning php with, I can easily avoid injection attacks this way:
$a= stripslashes($a);
$a= mysql_real_escape_string($a);
What concerns me is the repetition of the variable, $a. Does it matter? Intuitively, it should.
$a changes. By the time $a hits mysql_real_escape_string it is slash-free. So it is a totally different "value" but still contained in the original variable which may have had slashes...just has me concerned a bit.
I know PDOs are the best way. I'm not there yet, unfortunately.
Edited by baltar, 23 May 2014 - 10:36 AM. I'm trying to use dependency injection to pass a database connection to an object but I'm not sure why it's not working. I have my "dbClass" below that connects to a MySQL database. Code: [Select] class dbClass { public $db; function __construct() { $this->db = mysql_connect("localhost","username","password") or die ('Could not connect: ' . mysql_error()); return $this->db; } } Then I have my "baseClass". This is the class that I want to feed to connection too. Code: [Select] class baseClass { public $mysql_conn; function __construct($db) { $this->mysql_conn = $db; $rs = mysql_select_db("webdev_db", $this->mysql_conn) or die ('Could not connect: ' . mysql_error()); } } And this is my index.php file. The error I'm getting is "supplied argument is not a valid MySQL-Link resource". However I tripled checked and my db connection details are definately correct. Code: [Select] $db = new dbClass(); $baseclass = new baseClass($db); Thanks for any help. Hello, I have a video game site - mostly vBulletin which is fine but there are a few extra bits to the site that I have done myself. I'm pretty new to PHP so my code isn't great. Anyway, I wanted to test my code for SQL Injection but I looked on Google and most of the tools seemed to come from hacker sites etc which I'm not downloading. I eventually found an addon for Firefox called SQL Inject Me and ran that. It said everything was alright but when I checked my MySQL tables they were full of junk code it had inserted. One of my pages doesn't even have any visible fields. It's just a page with a voting submit button and some hidden fields so how does it inject the code into the tables? The insert page code is: Code: [Select] $db = mysql_connect("localhost", "username", "password"); mysql_select_db("thedatabase",$db); $ipaddress = mysql_real_escape_string($_POST['ipaddress']); $theid = mysql_real_escape_string($_POST['theid']); $gamert = mysql_real_escape_string($_POST['gamert']); $serveron = mysql_real_escape_string($_POST['serveron']); $check= mysql_query("select * from voting2 where ipaddress='$ipaddress'"); $ipname = mysql_fetch_assoc($check); if($ipname['ipaddress'] == $ipaddress) { echo 'It appears you have already voted. Click <a href="vote.php">here</a> to return to the votes.'; } else { mysql_query ("INSERT INTO voting2 (theid,ipaddress,gamert,serveron2) VALUES ('$theid','$ipaddress','$gamert','$serveron')"); echo 'Your vote has been added. Click <a href="vote.php">here</a> to view the updated totals.'; } How can I make it safer against SQL injection? Thanks I want to know which part of my script has the hole..as i can find lots of php script and even folder can be injected into my public_html how they do that, and which part need to be checked? is that the upload part <enctype> or what?? thanks in advance i just want to ask this simple question let say i have this basic query $place=$_GET['place']; mysql_query("SELECT * FROM table WHERE place='$place'"); this is a nice target for sql injection.. but what if i replace the whole special characters that could be added $replacethis=array("-","`"); $withthis=array("",""); $place=str_replace($replacethis,$withthis,$_GET['place']); mysql_query("SELECT * FROM table WHERE place='$place'"); Are they still able to do the basic sql injection by trying to get the error by adding special character although i didn't use mysql_real_escape_string() ?? then what if i protect the file by changing the setting of the permission to either 644 or 755? thanks in advance Hi, I'm sure many of you heard of "pastebin", if not the short of it, is that you can submit your code (+100 languages), and you can display it to your friends via a link with syntax highlighting available. So, One way to store the code is surely in txt files, but I would really prefer to have it stored in a mysql database. My only concern is people trying to run a sql injection, so how do i get around all this? I don't want the user's content to be changed, but I don't want SQL injections either.. is this even possible at all? Any tips appreciated, also if you could think of another alternative than txt files and mysql. Will this prevent a SQL injection? I am guessing the answer is no because it is too simple. // retrieve form data ========================================== $ama = $_POST['ama']; // Check for alphanumeric characters ===================================== $string = "$ama"; $new_string = preg_replace("/[^a-zA-Z0-9\s]/", "", $string); // echo $new_string; // Send query =========================================================== $query = "SELECT * FROM members WHERE ama='$new_string'"; if (!mysql_query($query)){ die('Error :' .mysql_error()); } Based on the comments on my previous question, took some tutorials on how to avoid injections on query. Does the code below prevents against it in any way.? Secondly, can you recommend a good article that writes well in how to secure input data by users. Please be kind with your comments.😉😉. Thankks in advance.
The code works fine.
<?phpÂ
include 'db.php';
error_reporting(E_ALL | E_WARNING | E_NOTICE);
ini_set('display_errors', TRUE);
 if(isset($_POST['submit']))
 {
  Â
 $username = $_POST['username'];Â
$password = Â ($_POST['password']);Â
$sql = "SELECT * FROM customer WHERE username = ?";
$stmt = $connection->prepare($sql);Â
$stmt->bind_param('s', $username);
$stmt->execute();
$result = $stmt->get_result();
$count = Â $result->num_rows;
  if($count == 1)Â
             {
while ($row = $result->fetch_assoc())
 {
  if ($row['status'] == 'blocked')
 {
 echo'your account is suspended'
  session_destroy();
  exit();
 }
 else if($row['status'] == 'active')
{
if($username !== $row['username'])Â
 {Â
echo '<script>swal.fire("ERROR!!", " Username is not correct. Check Again", "error");</script>';
}Â
if($password !== $row['password'])Â
{
 echo'<script>swal.fire("ERROR!!!", "Your Password is Incorrect. Check Again.", "error");</script>';    Â
}
if($username == $row['username'] && $password == $row['password'])Â
{Â
header('Location:cpanel/');
else
{
}
}//if count
}//while loop
}//submit
?>
 How can you protect mysql injection? (from inserting different statements into the input field) Thanks |
|||||||