How to I clean up SQL hacking such as this:
/?PAGE=mycode.php&filter_in_url=%27+and+%27a%27%3D% 27b%27+UNION+ALL+SELECT+my_table%2C+my_table%2C+my _field%2C+<snip>+FROM+another_table+%23
I've got 'filter_in_url' that searches & limits the display but got
hacked with something like the above line. I just want a couple words
but not huge long malicious type stuff obviously. I will sometimes need
to have quotes in the filter string (%27) although now that I check this
doesn't currently work but I guess that's a separate issue. I'm not even
sure what the %2C or %23 are doing. I suppose I could truncate the
filter to a couple dozen characters, there probably isn't much that
could be done in the length that I need.
My current approach is to str_replace 'JOIN' 'DROP' etc. This is not a
high security web page, really boring stuff, just some hacker got bored
& decided to pick on it for fun.
Thanks 7 1796
On Wed, 22 Mar 2006 21:52:11 +0000, Paul Furman wrote: How to I clean up SQL hacking such as this: /?PAGE=mycode.php&filter_in_url=%27+and+%27a%27%3D% 27b%27+UNION+ALL+SELECT+my_table%2C+my_table%2C+my _field%2C+<snip>+FROM+another_table+%23 I've got 'filter_in_url' that searches & limits the display but got hacked with something like the above line. I just want a couple words but not huge long malicious type stuff obviously. I will sometimes need to have quotes in the filter string (%27) although now that I check this doesn't currently work but I guess that's a separate issue. I'm not even sure what the %2C or %23 are doing. I suppose I could truncate the filter to a couple dozen characters, there probably isn't much that could be done in the length that I need.
My current approach is to str_replace 'JOIN' 'DROP' etc. This is not a high security web page, really boring stuff, just some hacker got bored & decided to pick on it for fun.
Thanks
I'd go with passing each of your parameter through: http://uk.php.net/mysql-real-escape-string
It will escape all quotes properly.
Cheers,
Andy
--
Andy Jeffries MBCS CITP ZCE | gPHPEdit Lead Developer http://www.gphpedit.org | PHP editor for Gnome 2 http://www.andyjeffries.co.uk | Personal site and photos
Andy Jeffries wrote: On Wed, 22 Mar 2006 21:52:11 +0000, Paul Furman wrote:
How to I clean up SQL hacking such as this: /?PAGE=mycode.php&filter_in_url=%27+and+%27a%27%3D% 27b%27+UNION+ALL+SELECT+my_table%2C+my_table%2C+my _field%2C+<snip>+FROM+another_table+%23 I've got 'filter_in_url' that searches & limits the display but got hacked with something like the above line. I just want a couple words but not huge long malicious type stuff obviously. I will sometimes need to have quotes in the filter string (%27) although now that I check this doesn't currently work but I guess that's a separate issue. I'm not even sure what the %2C or %23 are doing. I suppose I could truncate the filter to a couple dozen characters, there probably isn't much that could be done in the length that I need.
My current approach is to str_replace 'JOIN' 'DROP' etc. This is not a high security web page, really boring stuff, just some hacker got bored & decided to pick on it for fun.
Thanks
I'd go with passing each of your parameter through:
http://uk.php.net/mysql-real-escape-string
It will escape all quotes properly.
But if I want to use quotes, that would remove them right? There are
cases where the user input should have quotes with my application.
Paul Furman <paul-@-edgehill.net> wrote in
news:ub*****************@newssvr27.news.prodigy.ne t: Andy Jeffries wrote:
On Wed, 22 Mar 2006 21:52:11 +0000, Paul Furman wrote:
How to I clean up SQL hacking such as this: /?PAGE=mycode.php&filter_in_url=%27+and+%27a%27%3D% 27b%27
+UNION+ALL+SELECT+my_table%2C+my_table%2C+my_field%2C+<snip> +FROM+another_table+%
23I've got 'filter_in_url' that searches & limits the display but got hacked with something like the above line. I just want a couple words but not huge long malicious type stuff obviously. I will sometimes need to have quotes in the filter string (%27) although now that I check this doesn't currently work but I guess that's a separate issue. I'm not even sure what the %2C or %23 are doing. I suppose I could truncate the filter to a couple dozen characters, there probably isn't much that could be done in the length that I need.
My current approach is to str_replace 'JOIN' 'DROP' etc. This is not a high security web page, really boring stuff, just some hacker got bored & decided to pick on it for fun.
Thanks
I'd go with passing each of your parameter through:
http://uk.php.net/mysql-real-escape-string
It will escape all quotes properly.
But if I want to use quotes, that would remove them right? There are cases where the user input should have quotes with my application.
No, it will not remove them, it will escape them. That's why it's named
mysql-real-__escape__-string
- Bogdan
On Wed, 22 Mar 2006 23:35:54 +0000, Paul Furman wrote: I'd go with passing each of your parameter through:
http://uk.php.net/mysql-real-escape-string
It will escape all quotes properly.
But if I want to use quotes, that would remove them right? There are cases where the user input should have quotes with my application.
No, not remove - escape.
So it would convert:
INSERT INTO foo (bar) VALUES ('don't you');
(which is broken) in to :
INSERT INTO foo (bar) VALUES ('don\'t you');
so it inserts in to the database. This would stop your hacking attempts
because strings like: something' UNION ALL SELECT...
would become:
SELECT * FROM foo WHERE bar='something\' UNION ALL SELECT...';
It's quite safe and makes sure any quotes are inserted in to the column
you wrap in that function rather than breaking out in to separate SQL
statements or clauses.
Cheers,
Andy
--
Andy Jeffries MBCS CITP ZCE | gPHPEdit Lead Developer http://www.gphpedit.org | PHP editor for Gnome 2 http://www.andyjeffries.co.uk | Personal site and photos
Andy Jeffries wrote: On Wed, 22 Mar 2006 23:35:54 +0000, Paul Furman wrote:
I'd go with passing each of your parameter through:
http://uk.php.net/mysql-real-escape-string
It will escape all quotes properly.
But if I want to use quotes, that would remove them right? There are cases where the user input should have quotes with my application.
No, not remove - escape.
So it would convert:
INSERT INTO foo (bar) VALUES ('don't you');
(which is broken) in to :
INSERT INTO foo (bar) VALUES ('don\'t you');
so it inserts in to the database. This would stop your hacking attempts because strings like: something' UNION ALL SELECT... would become:
SELECT * FROM foo WHERE bar='something\' UNION ALL SELECT...';
It's quite safe and makes sure any quotes are inserted in to the column you wrap in that function rather than breaking out in to separate SQL statements or clauses.
Thanks for the explanation. If I understand correctly then it would
allow me to use quotes when I want to as well as disabling malicious
quoting. That's great.
Andy Jeffries wrote: On Wed, 22 Mar 2006 21:52:11 +0000, Paul Furman wrote:
How to I clean up SQL hacking such as this: /?PAGE=mycode.php&filter_in_url=%27+and+%27a%27%3D% 27b%27+UNION+ALL+SELECT+my_table%2C+my_table%2C+my _field%2C+<snip>+FROM+another_table+%23
<snip> I'd go with passing each of your parameter through:
http://uk.php.net/mysql-real-escape-string
<snip>
The latest doctrine is to use prepared statement
<http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html>
--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/
On Thu, 23 Mar 2006 00:15:02 +0000, Paul Furman wrote: It's quite safe and makes sure any quotes are inserted in to the column you wrap in that function rather than breaking out in to separate SQL statements or clauses.
Thanks for the explanation. If I understand correctly then it would allow me to use quotes when I want to as well as disabling malicious quoting. That's great.
You understand correctly.
Cheers,
Andy
--
Andy Jeffries MBCS CITP ZCE | gPHPEdit Lead Developer http://www.gphpedit.org | PHP editor for Gnome 2 http://www.andyjeffries.co.uk | Personal site and photos This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Xizor |
last post by:
Ok, I'm new to PHP and MySQL. I've been going through tutorials, reading the
documentation, and looking through web sites. PHP to me seems great! With
MySQL it seems even better.
However, I'm an...
|
by: mos |
last post by:
I want to put a MySQL 4.1 database on a Win2k laptop but the problem is it
contains confidential client information. It has to be Window because
applications accessing the database are written in...
|
by: zzapper |
last post by:
Hi,
Although I'm gradually getting the hang of working with MySql, can do
a pretty mean query!! I realise I know nowt about security. Is
security basically done outside MySQL ie with https:// and...
|
by: news |
last post by:
We currently have our mySQL server on the same box as the Apache
server.
For security and load balancing, we're going to be moving the mySQL
server to another box.
We're already using a single...
|
by: KaHuNa |
last post by:
this code works perfectly when i use it on the server where mySQL is
installed, but i have a security error when i use it on a client computer.
I don't know how i can change that.
using...
|
by: Jim Carlock |
last post by:
I have a couple questions about MySQL involving which
version of MySQL to use.
I'm looking for minimal memory use on a Windows XP machine.
Which version would be best for this? And can anyone...
|
by: Richard |
last post by:
Hi All,
I've been trying to build a Ruby-on-Rails plus MySQL application. I'm
running Ruby 1.8.2, Rails 1.1.4 and MySQL 5.0.15-nt over
WinXP-Pro/SP2. I run under an Administrative account.
...
|
by: mistral |
last post by:
phpMyAdmin 2.6.2 problem: can no connects to mySQL database: each time
shown error #1045 - Access denied for user 'username'@'192.168.1.2'
(using password: YES)
Is seems, this is most common...
|
by: Coldfire |
last post by:
Since i cannot show the differences in a two-column like table. I am first putting
MS SQL Server 2005 and then MySQL 5.x.
MS SQL Server 2005
Brief Overview
- SQL Server is a full-fledged...
|
by: Atli |
last post by:
This is an easy to digest 12 step guide on basics of using MySQL. It's a great refresher for those who need it and it work's great for first time MySQL users.
Anyone should be able to get...
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and...
| |