If you're allowing the user to input data, and you're not being wary of quotes, you are open to SQL injection. The links I provided you with explain this in better detail than I am capable of.
In the example you posted above, SQL injection is possible.
Originally Posted by Travis
I think that included files can be solved by setting the permissions to the included files so that only the server can access them? I think maybe the php.ini is setup initially so that this cannot happen. It's just a matter of figuring out how your host is set up really.
By default, PHP scripts usually have a CHMOD of 644, which means everyone can read the file but only the owner can write, and on the Apache web server (I haven't worked with any other web server so I will talk about Apache only), when it is started, it is started as the root user and then forks children with fewer permissions...so Apache is pretty secure, so that's one good thing about it.
Now about what you've said...if I was MaliciousUserX and I wanted to include my malicious script in your page so I can echo some important data such as DB details, I would simply give my script on my server a CHMOD of 644 which means anyone can read...
So, like I said, make sure a file exists before including it. I can post some code if anyone wants to see some.
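As an added example (not code from this thread or from any poster), here is one way to take the "check the file before including it" advice further: the request may only pick a name from a fixed list, the file must exist locally, and the resolved path must stay inside one directory. The directory name, the page list and the `page` query parameter are assumptions made for the demo.

```php
<?php
// Added example, not from the thread: load a page module chosen by the request
// without letting the request choose arbitrary local or remote files.
// PAGE_DIR, the page list and the $_GET['page'] parameter are assumptions.

define('PAGE_DIR', __DIR__ . '/pages');

// 1. Only names we know about may be included at all; the request never
//    supplies a path, only a key into this list.
$allowedPages = ['home', 'about', 'contact'];

function resolvePage(string $requested, array $allowed, string $dir): ?string {
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    $path = $dir . '/' . $requested . '.php';

    // 2. The file must exist on the local disk (file_exists() is false for
    //    http:// locations) and must resolve to somewhere inside $dir, which
    //    also defeats "../" tricks should the allowlist ever be loosened.
    $real = realpath($path);
    $base = realpath($dir);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$page = resolvePage($_GET['page'] ?? 'home', $allowedPages, PAGE_DIR);
if ($page === null) {
    http_response_code(404);
    exit('No such page');
}
include $page;
```

Two php.ini settings back this up on the server side: `allow_url_include` (Off by default) stops include/require from fetching a URL at all, and `allow_url_fopen` controls the same for fopen-style functions. The code above does not rely on either; it refuses anything that is not one of its own files.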
Originally Posted by Travis
Ah I just tried it... php automatically adds escape characters to quotes hence I don't really see how sql injection attacks occur (maybe this was only an old problem which was not considered in earlier versions of php)
PHP only adds slashes depending on the get_magic_quotes_gpc() directive in php.ini (GPC = GET, POST, COOKIE)
See:
http://www.php.net/get_magic_quotes_gpc
Originally Posted by madpenguin2
Another way to prevent an sql injection attack from deleting your db or table. Use a different mysql username that has limited rights (cannot delete or alter) on the db during the login. Once the user is logged in, its likely they will need to alter/add/delete records, so you'll probably have to go back to using a mysql username that has full access rights. But, it's just my two cents.
madpenguin2 makes a valid point there, but this won't stop someone from extracting data from the DB, since that would involve a simple SELECT statement, which is a read, and all databases must be readable.
Originally Posted by Travis
Important!
Testing that led me to a thought about Koobi's code above. If PHP automatically escapes those characters, Koobi's code would make it go back the other way. As a result I in fact decided to try using Koobi's function and found some staggering results!
I hate to say it but using the function Koobi said above is susceptible to SQL injection attacks. Don't try anything fancy, just make sure you put the user's input into the quotes and PHP will take care of the rest!!!
Ref. to the reply below
Originally Posted by Travis
Ok I am figuring things out as I go here.
get_magic_quotes_gpc -- Gets the current configuration setting of magic quotes gpc
If this is on (1) php automatically adds slashes. If it is off (0) php does not add slashes so you should automatically addslashes.
Koobi's code does add slashes if it is off which is good. The problem is it strips slashes if it is on which is bad.
I will rewrite a better way of doing it in the next post:
You're not following my code carefully.
It addslashes() if get_magic_quotes_gpc() is not on, period.
It ONLY stripslashes() if the second parameter of the function is set to boolean FALSE which is NECESSARY to output your text otherwise it will be slash-hell.
Refer to this post:
http://talkfreelance.com/showpost.ph...62&postcount=3
I've shown you the two instances on how to use the function for both input and output. Try it out and you will understand what it does.
Originally Posted by Travis
I think this is all you really need to do but I haven't tested it nor thought of other types of queries that might stuff this up. When I get a chance I will test it and think about it a bit more.
PHP Code:
<?php
// Escape a value for use inside quotes in an SQL string, but only if PHP's
// magic_quotes_gpc has not already added the slashes on the way in.
function escapeSql($badQuery) {
    $badQuery = (get_magic_quotes_gpc()) ? $badQuery : addslashes($badQuery);
    return $badQuery;
}
?>
This code will only work for input, not output which is why I added the extra bit of code in my function...and you've switched the addslashes() function around...
Look this up:
http://www.php.net/mysql_real_escape_string
Hope it helps
Read up about SQL injection on the net. There are many ways to do this and there are very simple ways you can prevent it. You can bring a whole DB down or gain admin access via SQL injection. It's sad to see many sites on the net allowing SQL injection :/
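The two threads running through this discussion are (a) escaping once and only once when magic_quotes_gpc may or may not have already added slashes, and (b) using a database-aware escape such as mysql_real_escape_string() instead of plain addslashes(). The block below is an added example that is not code from this thread, from Koobi or from Travis: the same login lookup written three ways against an in-memory SQLite database, so it runs with no MySQL server. The table contents and the malicious input are constructed for the demo; PDO::quote() stands in for mysql_real_escape_string(), and a hypothetical rawInput() helper does the magic-quotes normalisation.

```php
<?php
// Added example, not from the thread: one login query written unsafe, with
// driver escaping, and as a prepared statement. SQLite in memory is used so
// the script runs offline; rows and the attacker input are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (name TEXT, password TEXT)");
$db->exec("INSERT INTO users VALUES ('admin', 'correct horse battery staple')");

// Step 0 (hypothetical helper): make a raw GET/POST/COOKIE value look the
// same whatever php.ini says. With magic_quotes_gpc on (PHP < 5.4) the value
// arrives with slashes already added; stripping them here means exactly ONE
// escaping step happens later, never zero and never two. The function was
// removed in PHP 8, hence the function_exists() guard.
function rawInput(string $value): string {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// 1. Vulnerable: the value is concatenated straight into the SQL text, so a
//    quote in the input ends the string early and the rest becomes SQL.
function countMatchesUnsafe(PDO $db, string $name, string $pass): int {
    $sql = "SELECT COUNT(*) FROM users WHERE name = '$name' AND password = '$pass'";
    return (int) $db->query($sql)->fetchColumn();
}

// 2. Escaping done by the driver. PDO::quote() is the counterpart of
//    mysql_real_escape_string(): it knows the database's quoting rules and
//    wraps the value in quotes itself. addslashes() is NOT a substitute;
//    SQLite, for one, doubles quotes rather than backslashing them, so a
//    backslash-escaped value would still break out of the string.
function countMatchesEscaped(PDO $db, string $name, string $pass): int {
    $sql = "SELECT COUNT(*) FROM users WHERE name = " . $db->quote($name)
         . " AND password = " . $db->quote($pass);
    return (int) $db->query($sql)->fetchColumn();
}

// 3. Prepared statement: SQL text and data travel separately, so there is
//    nothing to escape and nothing for magic quotes to get wrong.
function countMatchesPrepared(PDO $db, string $name, string $pass): int {
    $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE name = ? AND password = ?");
    $stmt->execute([$name, $pass]);
    return (int) $stmt->fetchColumn();
}

$name = rawInput("admin");
$pass = rawInput("' OR '1'='1");   // constructed input: the classic bypass attempt

printf("unsafe:   %d\n", countMatchesUnsafe($db, $name, $pass));
printf("escaped:  %d\n", countMatchesEscaped($db, $name, $pass));
printf("prepared: %d\n", countMatchesPrepared($db, $name, $pass));
```

Run with `php demo.php`: the unsafe version reports one matching row even though the password is wrong, because the query it built reads `... AND password = '' OR '1'='1'`; the escaped and prepared versions both report zero, since the whole input is compared as a literal password. The prepared form is the one to reach for; it makes the entire magic-quotes and addslashes-versus-mysql_real_escape_string debate above disappear, as long as the input is normalised once on the way in.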