|
PHP - Sql Injection Attempts... Should I Be Worried
(I'm putting this in PHP since it's not a question specific to MySQL or other DB stuff.)
I have a page that uses the GET id to find a product. GET variables are sanitized, and the SQL string is escaped even though it's expecting a number only. So the code seems safe to me. I'm getting some error_log results that appear to be hack attempts:
SELECT
Similar TutorialsHello I'm on the verge of damaging my computer, please help... The below is my first PHP script - it works about once every 20 attempts, sending the email message. I've tried moving the header bit around, so it's inside the if statement, but it is still only intermittently successful. For the sake of this PC, please help out Best Wishes <? function checkOK($field) { if (eregi("\r",$field) || eregi("\n",$field)){ die("Invalid Input!"); } } $select=$_POST['select']; checkOK($select); $name=$_POST['name']; checkOK($name); $email=$_POST['email']; checkOK($email); $confirmail=$_POST['confirmail']; checkOK($confirmail); $month=$_POST['month']; checkOK($month); $day=$_POST['day']; checkOK($day); $year=$_POST['year']; checkOK($year); $leaving=$_POST['leaving']; checkOK($leaving); $hour=$_POST['hour']; checkOK($hour); $minutes=$_POST['minutes']; checkOK($minutes); $ampm=$_POST['ampm']; checkOK($ampm); $going=$_POST['going']; checkOK($going); $flightnumber=$_POST['flightnumber']; checkOK($flightnumber); $pay=$_POST['pay']; checkOK($pay); $song=$_POST['song']; checkOK($song); $comments=$_POST['comments']; checkOK($comments); $to="beepbeepyeah@kabeoke.com"; $message="Message Type: $select\n\nName: $name\n\nEmail: $email\n\n$confirmail\n\nDate of Journey: $month, $day, $year\n\nLeaving From: $leaving\n\nDeparture Time: $hour:$minutes $ampm\n\nGoing to: $going\n\nFlight Number: $flightnumber\n\nPayment Method: $pay\n\nSong Requests: $song\n\nComments: $comments"; header('Location:http://www.kabeoke.com'); if(mail($to,"Slap it - booking/enquiry from Kabeoke.com!",$message,"From: $email\n")){ } else { echo "There was a problem sending the mail. Please check that you filled in the form correctly."; } ?> I wrote a small PHP with SQLite script which stores the IP with counter, it works fine with one problem, If I enter the correct password 4th time the counter becomes 4 and I get the error to enter my captcha. All the other times, 1-3 and 5 and above count it just works fine. What am I doing wrong with the logic.
Attaching the zip file with code.
https://drive.google...dit?usp=sharing
I want to limit the number of incorrect login attempts within a specified time period (e.g. 15 minutes). I'm wondering what I should tie those attempts to. e.g. If too many attempts from one ip address for a specific username, lock them out for 15 minutes? Or too many attempts from any ip address for a specific username? Or too many attempts for an ip address matched loosely (i.e. 255.255.255.0 matching) with a specific username? What's the best choice? Just too many attempts for a username? Or also use the ip address? And should I store the attempts in the session, or the DB? Hi everybody, I want to build a script that lets someone register with a simple form that logs all activity into a MySQL db. The thing is, I want to log all attempts to signup into the system even if they do not satisfy password strength, or the required fields criteria. In the following code, the string "email" isn't being used. The field named 'name' is what I'm using to collect the email, and the field named 'msg' is what I'm using to collect the password. I've gotten to the point where if they don't provide anything for either email or password, then it directs them to the same page and it asks them to re enter their information. but I can't seem to capture the attempt (so if they enter an email but not a pass, i still want to know what email they entered). I'm getting this error Parse error: syntax error, unexpected T_ELSE in /hermes/bosweb25c/b1454/ipg.domainname/nameofsite/contact_insert2.php on line 41 Line 41 corresponds to the line with the first "else{" I'm really not sure what to do, it seems straight forward when I think it through in my head. If pass or email field is empty, enter it into the db, and then send them back to the beginning, if pass or email field not empty, continue in script. Code: [Select] <?php define('DB_NAME', 'dbname'); define('DB_USER', 'phpchick'); define('DB_PASS', 'password'); define('DB_HOST', 'localhost'); // contact to database $connect = mysql_connect(DB_HOST, DB_USER, DB_PASS) or die('Error , check your server connection.'); mysql_select_db(DB_NAME); //Get data in local variable $v_name=$_POST['name']; $v_email=$_POST['email']; $v_msg=$_POST['msg']; // check for null values if ($v_name=="" or $v_msg=="") $query="insert into contact(name,email,msg) values('$v_name','$v_email','$v_msg')"; mysql_query($query) or die(mysql_error()); echo " <head> <link rel=\"stylesheet\" type=\"text/css\" href=\"http://site.com/signup.css\"></head> <h2>Free Registration</h2> <form action=\"contact_insert2.php\" method=\"POST\" id=\"insert\"> <table> <tr> <td >Email</td> <td ><input type=\"text\" size=40 name=\"name\"></td> </tr> <tr> <td >Password</td> <td ><input type=\"password\" size=40 name=\"msg\" ></td> </tr> You must enter an email and password. <tr> <td colspan=2 id=\"sub\"><input type=\"submit\" name=\"submit\" value=\"submit\" ></td> </tr> </Table> </form>"; else{ if (strcspn($_REQUEST['msg'], '0123456789') == strlen($_REQUEST['msg'])) echo "true"; else{ $query="insert into contact(name,email,msg) values('$v_name','$v_email','$v_msg')"; mysql_query($query) or die(mysql_error()); echo "Your message has been received"; } } ?> hope you all had a good Christmas/New Year. I wish to lockout the user for (3) minutes if they get (4) wrong username/password attempts in (5) minutes.
Is this typically tied to a single IP using $_SERVER['REMOTE_ADDR']?
Is it a good ideal to also check for a given username but from any IP? I might be wrong, but I assume the value in $_SERVER['REMOTE_ADDR'] is under the user's control.
Obviously, a session wouldn't be ideal as the associated cookie is under the user's control. Do I need to use the database or is there a better way?
Any thoughts or advise would be appreciated.
I've got a somewhat simple problem I think.. I'm working on a uni practical, and one of the checkpoints is to limit the number of incorrect login attempts to 2. I know I could do this very easily with session variables, however on the practical sheet, it says that we're not allowed to modify any of the partially implemented code. So I was wondering, what other ways are there to track the number of incorrect logins? If it comes to it, I will just use session variables, as it's pretty much the most sensible way I'd imagine.. but would like to know of any other possible ways.. Cheers Denno I'm trying to sort out a piece of code, my development web server is set to show all errors. I'm currently getting 50+ 'Undefined Index' errors upon initial load (they all disappear after form submission since all variables are in use). Should I be worried, and add a if(isset(.....)){...} wrapper or do most people just leave it be? Hello, I have a problem with writing a function that will display the number of attempts to communicate with the host that have not been answered, if the host starts responding again, the table should display, for example 0. The website addresses are taken from the MySQL database. The next column should display the time from which the communication with the host was lost and if it responds, it should display, e.g. OK. Please, give me some hints how to write it. Thanks in advance. Edited October 12, 2019 by xyz91I am wanting to create a basic product listing page for a product category called "Belts". My latest attempt was this, but I got an error: PHP Code: Code: [Select] $query = "select * from products"; $result = mysql_query($query); while($row=mysql_fetch_assoc($result)) { print ".$row['name'] where category = 'Belts'.$row['colour'] where category = 'Belts'"; } Quote PHP Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING This is what my MySQL table looks like: http://i54.tinypic.com/2j1si8w.png I image what I am trying to do will print "Somename Black, ProductName2 Brown"? I'm not really interested in styling at the moment, I just want to see the PHP-MySQL work at the most basic level. I am unsure what the error cosde means. Can anyone see a fault in my code? I'm confused, can this result in css/sql injection? Code: [Select] if(isset($_GET['action'])){ if($_GET['action'] == 'details'){ $cupID = $_GET['cupID']; $ergebnis = safe_query("SELECT gameaccID, name, start, ende, typ, game, `desc`, status, checkin, maxclan, gewinn1, gewinn2, gewinn3 FROM ".PREFIX."cups WHERE ID = '".$cupID."'"); $ds=mysql_fetch_array($ergebnis); ... Some german fellow was explaining, translate to English briefly: "$ CupID is not escaped. NEN here I could just "; DROP TABLE` cups `Paste and your table is no longer available eez. Or I could inject javascript, your current session read out, accept it and act as an admin ... " I am trying to understand what he means by this... is this query vulnerable to an injection and why/how? I am having a wamp issue so I can't try these out right now. According to the book I'm learning php with, I can easily avoid injection attacks this way:
$a= stripslashes($a);
$a= mysql_real_escape_string($a);
What concerns me is the repetition of the variable, $a. Does it matter? Intuitively, it should.
$a changes. By the time $a hits mysql_real_escape_string it is slash-free. So it is a totally different "value" but still contained in the original variable which may have had slashes...just has me concerned a bit.
I know PDOs are the best way. I'm not there yet, unfortunately.
Edited by baltar, 23 May 2014 - 10:36 AM. Hi, I'm sure many of you heard of "pastebin", if not the short of it, is that you can submit your code (+100 languages), and you can display it to your friends via a link with syntax highlighting available. So, One way to store the code is surely in txt files, but I would really prefer to have it stored in a mysql database. My only concern is people trying to run a sql injection, so how do i get around all this? I don't want the user's content to be changed, but I don't want SQL injections either.. is this even possible at all? Any tips appreciated, also if you could think of another alternative than txt files and mysql. I want to know which part of my script has the hole..as i can find lots of php script and even folder can be injected into my public_html how they do that, and which part need to be checked? is that the upload part <enctype> or what?? thanks in advance Based on the comments on my previous question, took some tutorials on how to avoid injections on query. Does the code below prevents against it in any way.? Secondly, can you recommend a good article that writes well in how to secure input data by users. Please be kind with your comments.😉😉. Thankks in advance.
The code works fine.
<?php
include 'db.php';
error_reporting(E_ALL | E_WARNING | E_NOTICE);
ini_set('display_errors', TRUE);
if(isset($_POST['submit']))
{
$username = $_POST['username'];
$password = ($_POST['password']);
$sql = "SELECT * FROM customer WHERE username = ?";
$stmt = $connection->prepare($sql);
$stmt->bind_param('s', $username);
$stmt->execute();
$result = $stmt->get_result();
$count = $result->num_rows;
if($count == 1)
{
while ($row = $result->fetch_assoc())
{
if ($row['status'] == 'blocked')
{
echo'your account is suspended'
session_destroy();
exit();
}
else if($row['status'] == 'active')
{
if($username !== $row['username'])
{
echo '<script>swal.fire("ERROR!!", " Username is not correct. Check Again", "error");</script>';
}
if($password !== $row['password'])
{
echo'<script>swal.fire("ERROR!!!", "Your Password is Incorrect. Check Again.", "error");</script>';
}
if($username == $row['username'] && $password == $row['password'])
{
header('Location:cpanel/');
else
{
}
}//if count
}//while loop
}//submit
?>
Hello, I have a video game site - mostly vBulletin which is fine but there are a few extra bits to the site that I have done myself. I'm pretty new to PHP so my code isn't great. Anyway, I wanted to test my code for SQL Injection but I looked on Google and most of the tools seemed to come from hacker sites etc which I'm not downloading. I eventually found an addon for Firefox called SQL Inject Me and ran that. It said everything was alright but when I checked my MySQL tables they were full of junk code it had inserted. One of my pages doesn't even have any visible fields. It's just a page with a voting submit button and some hidden fields so how does it inject the code into the tables? The insert page code is: Code: [Select] $db = mysql_connect("localhost", "username", "password"); mysql_select_db("thedatabase",$db); $ipaddress = mysql_real_escape_string($_POST['ipaddress']); $theid = mysql_real_escape_string($_POST['theid']); $gamert = mysql_real_escape_string($_POST['gamert']); $serveron = mysql_real_escape_string($_POST['serveron']); $check= mysql_query("select * from voting2 where ipaddress='$ipaddress'"); $ipname = mysql_fetch_assoc($check); if($ipname['ipaddress'] == $ipaddress) { echo 'It appears you have already voted. Click <a href="vote.php">here</a> to return to the votes.'; } else { mysql_query ("INSERT INTO voting2 (theid,ipaddress,gamert,serveron2) VALUES ('$theid','$ipaddress','$gamert','$serveron')"); echo 'Your vote has been added. Click <a href="vote.php">here</a> to view the updated totals.'; } How can I make it safer against SQL injection? Thanks I'm trying to use dependency injection to pass a database connection to an object but I'm not sure why it's not working. I have my "dbClass" below that connects to a MySQL database. Code: [Select] class dbClass { public $db; function __construct() { $this->db = mysql_connect("localhost","username","password") or die ('Could not connect: ' . mysql_error()); return $this->db; } } Then I have my "baseClass". This is the class that I want to feed to connection too. Code: [Select] class baseClass { public $mysql_conn; function __construct($db) { $this->mysql_conn = $db; $rs = mysql_select_db("webdev_db", $this->mysql_conn) or die ('Could not connect: ' . mysql_error()); } } And this is my index.php file. The error I'm getting is "supplied argument is not a valid MySQL-Link resource". However I tripled checked and my db connection details are definately correct. Code: [Select] $db = new dbClass(); $baseclass = new baseClass($db); Thanks for any help. i just want to ask this simple question let say i have this basic query $place=$_GET['place']; mysql_query("SELECT * FROM table WHERE place='$place'"); this is a nice target for sql injection.. but what if i replace the whole special characters that could be added $replacethis=array("-","`"); $withthis=array("",""); $place=str_replace($replacethis,$withthis,$_GET['place']); mysql_query("SELECT * FROM table WHERE place='$place'"); Are they still able to do the basic sql injection by trying to get the error by adding special character although i didn't use mysql_real_escape_string() ?? then what if i protect the file by changing the setting of the permission to either 644 or 755? thanks in advance Will this prevent a SQL injection? I am guessing the answer is no because it is too simple. // retrieve form data ========================================== $ama = $_POST['ama']; // Check for alphanumeric characters ===================================== $string = "$ama"; $new_string = preg_replace("/[^a-zA-Z0-9\s]/", "", $string); // echo $new_string; // Send query =========================================================== $query = "SELECT * FROM members WHERE ama='$new_string'"; if (!mysql_query($query)){ die('Error :' .mysql_error()); } |
|||||||