I've been performing search after search all over the internet reading
up on all topics about making PHP secure with MySQL. There's a lot out
there and not many concrete examples on how you should specifically
incorporate secure code.
But I did read up on the mysql_escape_st ring function and wonder...is
this all I really need to use to keep attackers from trying to access
my database from a web form?
I've also seen uses of:
$query=preg_rep lace("/;/"," ",$query);
:to keep attackers from throwing in unwanted semi-colons into the
query statement.
With the exception of validating my variables (which I've started
getting into the habit of doing), does the above cover my security
needs for MySQL injections?
--Matt
10  4779 
Matthew Sims wrote: I've been performing search after search all over the internet reading
up on all topics about making PHP secure with MySQL. There's a lot out
there and not many concrete examples on how you should specifically
incorporate secure code.
But I did read up on the mysql_escape_st ring function and wonder...is
this all I really need to use to keep attackers from trying to access
my database from a web form?
I've also seen uses of:
$query=preg_rep lace("/;/"," ",$query);
:to keep attackers from throwing in unwanted semi-colons into the
query statement.
With the exception of validating my variables (which I've started
getting into the habit of doing), does the above cover my security
needs for MySQL injections?
SQL injection doesn't just affect PHP and MySQL. It affects a wide variety
of programming languages and DBMSs if the code is not written to test for
it and can be injected.
You don't need to test for semi-colons as long as you are ensuring the type
of data is really what it should be and that quotes in strings are slashed
to prevent the hacker passing something like '; delete from '
As soon as the quotes are slashed in the above example the semi-colon etc
will just be part of a string which is saved into a database field or used
in a select query.
To ensure an integer really is an integer you can it like so:
$its_an_int = (int)$it_may_be _anything;
If the value is not an integer $its_an_int will be set to 0.
--
Chris Hope
The Electric Toolbox - http://www.electrictoolbox.com/
I noticed that Message-ID: <10************ @news.athenanew s.com> from
Chris Hope contained the following: You don't need to test for semi-colons as long as you are ensuring the type
of data is really what it should be and that quotes in strings are slashed
to prevent the hacker passing something like '; delete from '
I don't think My SQL will do that anyway.
--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
Geoff Berrow wrote: I noticed that Message-ID: <10************ @news.athenanew s.com> from
Chris Hope contained the following:
You don't need to test for semi-colons as long as you are ensuring the
type of data is really what it should be and that quotes in strings are
slashed to prevent the hacker passing something like '; delete from '
I don't think My SQL will do that anyway.
It will. I did it in a testing environment a couple of years back by passing
in the GET string a character string when an integer was expected. This
caused a database error and the error message was displayed on the page. I
then used what was in the error message (which contained the full sql
string - and yes, this does happen in live sites) to construct a valid end
to the expected query and then added a delete query with the semi-colon.
Voila, all data in the table deleted.
--
Chris Hope
The Electric Toolbox - http://www.electrictoolbox.com/
"Chris Hope" <ch***@electric toolbox.com> wrote in message
news:10******** ****@news.athen anews.com... Matthew Sims wrote:
I've been performing search after search all over the internet reading
up on all topics about making PHP secure with MySQL. There's a lot out
there and not many concrete examples on how you should specifically
incorporate secure code.
But I did read up on the mysql_escape_st ring function and wonder...is
this all I really need to use to keep attackers from trying to access
my database from a web form?
I've also seen uses of:
$query=preg_rep lace("/;/"," ",$query);
:to keep attackers from throwing in unwanted semi-colons into the
query statement.
With the exception of validating my variables (which I've started
getting into the habit of doing), does the above cover my security
needs for MySQL injections?
SQL injection doesn't just affect PHP and MySQL. It affects a wide variety
of programming languages and DBMSs if the code is not written to test for
it and can be injected.
You don't need to test for semi-colons as long as you are ensuring the
type of data is really what it should be and that quotes in strings are slashed
to prevent the hacker passing something like '; delete from '
As soon as the quotes are slashed in the above example the semi-colon etc
will just be part of a string which is saved into a database field or used
in a select query.
To ensure an integer really is an integer you can it like so:
$its_an_int = (int)$it_may_be _anything;
If the value is not an integer $its_an_int will be set to 0.
I have posted this previously:
function sql() {
$args = func_get_args() ;
$format = array_shift($ar gs);
for($i = 0, $l = count($args); $i < $l; $i++) {
$args[$i] = mysql_escape_st ring($args[$i]);
}
return vsprintf($forma t, $args);
}
$sql = sql("SELECT * FROM tblChicken WHERE pkChicken = %d", $id)
A fairly elegant way to deal with SQL injection, methinks.
"Chris Hope" <ch***@electric toolbox.com> wrote in message
news:10******** ****@news.athen anews.com... I don't think My SQL will do that anyway.
It will. I did it in a testing environment a couple of years back by
passing in the GET string a character string when an integer was expected. This
caused a database error and the error message was displayed on the page. I
then used what was in the error message (which contained the full sql
string - and yes, this does happen in live sites) to construct a valid end
to the expected query and then added a delete query with the semi-colon.
Voila, all data in the table deleted.
A new feature apparently in v.4.1. See http://dev.mysql.com/doc/mysql/en/C_...e_queries.html.
On the other hand, I just looked at the source code and PHP doesn't set the
CLIENT_MULTI_ST ATEMENTS flag when it connects. So that it works is a bit of
a mystery.
Chung Leong wrote: I have posted this previously:
function sql() {
$args = func_get_args() ;
$format = array_shift($ar gs);
for($i = 0, $l = count($args); $i < $l; $i++) {
$args[$i] = mysql_escape_st ring($args[$i]);
}
return vsprintf($forma t, $args);
}
$sql = sql("SELECT * FROM tblChicken WHERE pkChicken = %d", $id)
A fairly elegant way to deal with SQL injection, methinks.
Very nice piece of code. I currently use the PEAR DB classes in all my
projects and using the "prepare" method it does all the work for you.
It works along the lines of:
$res = $db->prepare('selec t from tablename where id = ?');
$db->execute($res , array($value_fr om_form));
--
Chris Hope
The Electric Toolbox - http://www.electrictoolbox.com/
Geoff Berrow <bl******@ckdog .co.uk> wrote in message news:<bg******* *************** **********@4ax. com>... I noticed that Message-ID: <10************ @news.athenanew s.com> from
Chris Hope contained the following:
You don't need to test for semi-colons as long as you are ensuring the type
of data is really what it should be and that quotes in strings are slashed
to prevent the hacker passing something like '; delete from '
I don't think My SQL will do that anyway.
I read that MySQL 4.1 would allow more than 1 statement in a query. http://groups.google.com/groups?hl=e...6btnG%3DSearch
Chris Hope wrote: Geoff Berrow wrote:
I noticed that Message-ID: <10************ @news.athenanew s.com> from
Chris Hope contained the following:
You don't need to test for semi-colons as long as you are ensuring the
type of data is really what it should be and that quotes in strings are
slashed to prevent the hacker passing something like '; delete from '
I don't think My SQL will do that anyway.
It will. I did it in a testing environment a couple of years back by
passing in the GET string a character string when an integer was expected.
This caused a database error and the error message was displayed on the
page. I then used what was in the error message (which contained the full
sql string - and yes, this does happen in live sites) to construct a valid
end to the expected query and then added a delete query with the
semi-colon. Voila, all data in the table deleted.
I'll just correct myself there, as I just ran another test for semi-colons
in MySQL... in 4.0.x you do not appear to be able to run multiple queries
separated by semi-colons (although another post indicates this may be the
case in 4.1).
I think the test I did must have been against PostgreSQL and not MySQL.
--
Chris Hope
The Electric Toolbox - http://www.electrictoolbox.com/
I noticed that Message-ID: <gZ************ ********@comcas t.com> from
Chung Leong contained the following: A new feature apparently in v.4.1.
Glad I wasn't totally misremembering :-)
--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/ This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: Sarah Tanembaum |
last post by:
I was wondering if it is possible to create a secure database system
using RDBMS(MySQL, Oracle, SQL*Server, PostgreSQL etc) and web
scripting/programming language(Perl, PHP, Ruby, Java, ASP, etc) combination?
I have the following in mind:
I wanted to store all my( and my brothers and sisters) important
document
information such as birth certificate, SSN, passport number, travel
documents, insurance(car, home, etc) document, and other...
|
by: de Beers |
last post by:
mysql_query("DELETE FROM cart WHERE ItemId=$ItemId");
There is the code but the result in my databse is that the ID number changes
from, lets say, 77 to 78 with 78's contents being empty. Therefore when I
look at the results - the deleted ID77 is gone but now I have ID78 with no
content!
Does anyone know why and how do I make it stop?
MIchael
|
by: peter |
last post by:
I have taken over the website duties at work. I am still learning PHP
and MySQL. I want to have a form where the user enters some finacial
info and it is stored in a database. It, obviously, needs to be
secure. I know how to make the input form secure. But what about
retrieving the data? I was thinking I would use a password-protected
secure form for that. Is that enough? What if I happen to view the
records using PhpMyAdmin? Does...
|
by: knal |
last post by:
Hi there,
I'm looking for a secure login script for a sort-of-community site...
(PHP, MySQL, sessions, or maybe something else ... )
I know there are a lot of scripts out there, but none of them really
seem secure, or have other kind of flaws (like IP based login etc.).
Why i'm asking here, is because there's experience out there, and i
hope experience can tell me what my best shot is. I'm aware that i will
very probably have to do...
|
by: walterbyrd |
last post by:
I honestly don't know. But, I have seen articles and posts about how
PHP is terribly insecure. I don't usually see comparisons to other
common web languages.
I think the big vulnerablity is supposed to be code injections.
Another security issue would be having code stolen, but I think that
PHP can be protected from that.
Obviously, I don't know a lot about it.
| | |
by: harvey |
last post by:
How do I make PHP create a database for mysql please?
I can see how to make tables and I have read all the documents
I can find but I don't understand how to make the database itself.
All the tutorials I can find seem to bypass the issue by ignoring it?
Am I missunderstanding something?
|
by: macca |
last post by:
Hi,
What should I be using for general MySQL database access? I've been
using the traditional mysql extension for ages, but I'm trying to
update my style to a more OOP paradigm.
I've used PDO briefly but I've not used the mysqli extension yet.
I've read a bit about it though, seems good and more OOP orientated
(for the most part). But PDO seems more generic and transferable.
|
by: miguel22 |
last post by:
What is the best and easy way to prevent MySQL Injections?
Thank you.
|
by: whitep8 |
last post by:
Hi all,
Im busy trying to move from archaic php to lovely OO php, but i have hit a hurdle.
The following two scripts connect, request data to be inserted, and is meant to store it, but it doesnt and i get no errors.
for my own sanity can you advise?
Thank you
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
| | |
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
| | |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |
