Posted by Bostjan Skufca @ domenca.com on 05/11/05 21:03
It depends.
Having register_globals set to on (server config) usually makes it easier to create
an SQL-injection exploit, but it is not required. What is true is that a well-written script
will defend against/sustain such attacks regardless of how the server is configured
(unless the configuration is really f*cked up).
Prevention is simply trying to follow a few simple rules:
1. SQL statements that have no PHP variables are NOT vulnerable:
$sql = 'SELECT value FROM values WHERE key = 123';
$db->query($sql);
(nothing vulnerable here)
2. If you do not check what you are putting into SQL statements via
PHP variables - add slashes and put it in quotes:
($key = 123;) - you get this from some kind of form or URI
$key_as = addslashes($key); // you should check if slashes were already added by php (magic_quotes)
$sql = "SELECT value FROM values WHERE key = '$key_as'"; // use the escaped copy, not the raw $key
$db->query($sql);
3. If you do not put your variable into quotes - check it!
if (!preg_match('/^[0-9]+$/', $key)) { // anchor both ends, or "123 OR 1=1" would pass
echo "Hack attempt!"; exit;
}
$sql = "SELECT value FROM values WHERE key = $key";
$db->query($sql);
(if you do not check it, anything can get into your SQL statement)
4. All the above assumes you have already assessed potential remote file inclusion vulnerabilities.
Regards,
Bostjan
On Wednesday 11 May 2005 14:15, virtualsoftware@gmail.com wrote:
> I have a site and the other day I received a message from a guy who told
> me my site is vulnerable to MySQL injections. I do not know how I can
> prevent this. Is the server not configured, or is it all about the script?
>
>
> ----- Original Message -----
> From: "Bostjan Skufca @ domenca.com" <bostjan.skufca@domenca.com>
> To: <php-general@lists.php.net>
> Sent: Wednesday, May 11, 2005 1:50 PM
> Subject: Re: [PHP] MySql injections....
>
> > Probably you mean "preventing MySQL injections" - or not? :)
> >
> > Bostjan
> >
> > On Wednesday 11 May 2005 11:38, virtualsoftware@gmail.com wrote:
> >> Hi,
> >> This is not the proper list to put this question but i hope you can help
> >> me. Does anyone know a good tutorial about mysql injections?
> >>
> >> Thanks a lot for your help
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
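The three rules from Bostjan's reply, put into working form as an added example (this is not code from the original thread): the integer check with the regex anchored at both ends, the quoted-and-escaped variant with the magic_quotes check the reply mentions, and, as the option a practitioner would reach for now, a prepared statement that sends the value separately from the SQL text. The table `kv` with columns `k` and `v`, the sample rows, and the in-memory SQLite database (via PDO, so it runs offline) are assumptions made for this example.

```php
<?php
// Added example, not from the original thread. Demonstrates the three rules
// from the reply above plus a prepared-statement version. Table/column names,
// sample rows and the SQLite-in-memory database are constructed for this example.

// Rule 3: a key used without quotes must be checked. The pattern must match the
// WHOLE string: without the trailing "$", "123 OR 1=1" starts with digits and
// would be accepted.
function isIntegerKey(string $key): bool
{
    return preg_match('/^[0-9]+$/', $key) === 1;
}

// Rule 2: a value placed inside quotes must be escaped, and the ESCAPED copy is
// what goes into the statement. If magic_quotes (PHP < 5.4) already added
// slashes, undo that first so the value is not escaped twice.
// addslashes() is not charset-aware; with a live MySQL link,
// mysqli_real_escape_string() is the better choice for this rule.
function quotedKeyStatement(string $key): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $key = stripslashes($key);
    }
    $escaped = addslashes($key);
    return "SELECT v FROM kv WHERE k = '$escaped'";
}

// Prepared statement: the value never becomes part of the SQL text, so neither
// quoting nor escaping of the value is needed, whatever the server config.
function lookupWithPreparedStatement(PDO $db, string $key): ?string
{
    $stmt = $db->prepare('SELECT v FROM kv WHERE k = :k');
    $stmt->execute([':k' => $key]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['v'];
}

// Constructed sample data (assumed schema, not from the thread).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE kv (k TEXT, v TEXT)');
$db->exec("INSERT INTO kv VALUES ('123', 'public'), ('999', 'other')");

// Inputs as they might arrive from a form or URI: a clean key, a value
// containing an apostrophe, and a value that the unanchored regex would accept.
foreach (['123', "O'Reilly", '123 OR 1=1'] as $input) {
    echo "input: $input\n";
    echo '  rule 3 (unquoted, integer check): ', isIntegerKey($input) ? 'accepted' : 'rejected', "\n";
    echo '  rule 2 (quoted, escaped):         ', quotedKeyStatement($input), "\n";
    echo '  prepared statement result:        ', lookupWithPreparedStatement($db, $input) ?? '(no row)', "\n";
}
```

The rule 2 statement is only built and printed, not executed against SQLite, because addslashes() produces MySQL-style backslash escaping; the prepared-statement lookup is the one that actually runs, and it returns a row only for the exact key '123'.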