SQL injection and PHP spoofing

  • bill

    SQL injection and PHP spoofing

    MySQL newbie, not new to computing.

    In my application I accept photos and data, some structured and
    some free text. I store the information (but not the images) in a
    MySQL database and then from that information I construct a web
    page for the user.

    The images are always displayed within an <img> tag.

    The text is displayed as part of the web page, within <p> tags.

    The users are all registered and (more or less) trusted individuals

    <paranoid mode on>

    1: Do I need to worry about SQL injection if I do not process the
    incoming free form data ?

    2: Do I need to worry about PHP statements being embedded in the
    free form data ?

    3: if so, what are the best practices to protect my database/site ?

    <paranoid mode off>

    --
    bill
  • Jeff North

    #2
    Re: SQL injection and PHP spoofing

    On Tue, 19 Dec 2006 06:37:22 -0500, in comp.lang.php bill
    <nobody@spamcop.net>
    <HLydnaQz665uUxrYnZ2dnUVZ_uS3nZ2d@cablespeedmi.com> wrote:
    >| MySQL newbie, not new to computing.
    >|
    >| In my application I accept photos and data, some structured and
    >| some free text. I store the information (but not the images) in a
    >| MySQL database and then from that information I construct a web
    >| page for the user.
    >|
    >| The images are always displayed within an <img> tag.
    >|
    >| The text is displayed as part of the web page, within <p> tags.
    >|
    >| The users are all registered and (more or less) trusted individuals
    >|
    >| <paranoid mode on>
    >|
    >| 1: Do I need to worry about SQL injection if I do not process the
    >| incoming free form data ?
    >|
    >| 2: Do I need to worry about PHP statements being embedded in the
    >| free form data ?
    >|
    >| 3: if so, what are the best practices to protect my database/site ?
    >|
    >| <paranoid mode off>

    ---------------------------------------------------------------
    jnorthau@yourpantsyahoo.com.au : Remove your pants to reply
    ---------------------------------------------------------------

    • Sandman

      #3
      Re: SQL injection and PHP spoofing

      In article <HLydnaQz665uUxrYnZ2dnUVZ_uS3nZ2d@cablespeedmi.com>,
      bill <nobody@spamcop.net> wrote:
      > MySQL newbie, not new to computing.
      >
      > In my application I accept photos and data, some structured and
      > some free text. I store the information (but not the images) in a
      > MySQL database and then from that information I construct a web
      > page for the user.
      >
      > The images are always displayed within an <img> tag.
      >
      > The text is displayed as part of the web page, within <p> tags.
      >
      > The users are all registered and (more or less) trusted individuals
      >
      > <paranoid mode on>
      >
      > 1: Do I need to worry about SQL injection if I do not process the
      > incoming free form data ?

      Worry? Maybe not. Prevent? Yes.

      > 2: Do I need to worry about PHP statements being embedded in the
      > free form data ?

      No. PHP statements in form data won't be executed.

      But, if they upload an "image" that really is "malware.php" and you
      save it to disk and it can be browsed to through DOCUMENT_ROOT, then
      it will be executed and it could do all sorts of nasty stuff.

      > 3: if so, what are the best practices to protect my database/site ?

      Make it ugly so no one will use it :-D

      --
      Sandman[.net]
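Sandman's warning about an uploaded "image" that is really a PHP file deserves a concrete check. The following is an added example, not code from the thread or from bill's application; it assumes a storage directory that the web server does not serve (the temp directory stands in for it), and the function and constant names are my own.

```php
<?php
// Added example, not from the thread: accept an upload only if its bytes really are an
// image, and store it under a server-chosen name in a directory the web server does not
// serve, so a "malware.php" can never be browsed to under DOCUMENT_ROOT and executed.
const ALLOWED_IMAGES = ['image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png'];

// Returns the stored path, or null if the bytes are not an allowed image.
function storeUploadedImage(string $bytes, string $storeDir): ?string
{
    // Decide by content; the client-supplied filename and extension are untrusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if (!isset(ALLOWED_IMAGES[$mime])) {
        return null;
    }
    // Second opinion from the image header; a script dressed up as an image fails here too.
    $info = @getimagesizefromstring($bytes);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    // Server-generated name: nothing the user typed reaches the filesystem.
    $path = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGES[$mime];
    file_put_contents($path, $bytes);
    return $path;
}

// Constructed samples: a 1x1 GIF, and PHP source that a client called "photo.gif".
$realGif = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
         . ",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;";
$fakeGif = "<?php echo 'not an image';";

// Assumed: $storeDir lies outside DOCUMENT_ROOT; the temp dir stands in for it here.
$storeDir = sys_get_temp_dir();
var_dump(storeUploadedImage($realGif, $storeDir) !== null);
var_dump(storeUploadedImage($fakeGif, $storeDir) === null);
```

The stored path is what you keep in the database; serve the file through a script that reads it and sets the image Content-Type, never by a direct URL into the upload directory.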


      • Erwin Moller

        #4
        Re: SQL injection and PHP spoofing

        bill wrote:
        > MySQL newbie, not new to computing.
        >
        > In my application I accept photos and data, some structured and
        > some free text. I store the information (but not the images) in a
        > MySQL database and then from that information I construct a web
        > page for the user.
        >
        > The images are always displayed within an <img> tag.
        >
        > The text is displayed as part of the web page, within <p> tags.
        >
        > The users are all registered and (more or less) trusted individuals
        >
        > <paranoid mode on>
        >
        > 1: Do I need to worry about SQL injection if I do not process the
        > incoming free form data ?

        Why do you let the visitor fill in data if you do not process it?

        > 2: Do I need to worry about PHP statements being embedded in the
        > free form data ?

        That depends 100% on what you do with the data.

        A man walks into a shop and wants to buy a knife.
        He asks the guy behind the counter: "Do I have to worry this knife will be
        used for something dangerous?"

        > 3: if so, what are the best practices to protect my database/site ?

        Understand how it works.
        Understand how the underlying OS works.
        Understand how the security is implemented.
        Understand what users are and what rights are on both the OS and the
        database.

        > <paranoid mode off>

        The fact that you are paranoid doesn't mean they are not after you.

        It is good you ask yourself these questions, but don't expect us to answer
        them in depth because security is a broad subject.

        Regards,
        Erwin Moller


        • Toby Inkster

          #5
          Re: SQL injection and PHP spoofing

          bill wrote:
          > 1: Do I need to worry about SQL injection if I do not process the
          > incoming free form data ?

          Yes. Never, but never, trust user input. Always validate it and make sure
          it can do no harm before doing anything else with it.

          > 2: Do I need to worry about PHP statements being embedded in the
          > free form data ?

          Probably not.

          > 3: if so, what are the best practices to protect my database/site ?

          The MySQL module provides a function called mysql_real_escape_string() or
          some silly name like that. (For other databases, addslashes() will
          normally suffice.) Run any user input through that before inserting/
          updating it into your database.

          For output, pass everything through htmlentities() to make sure it is
          "safe" to appear. For example, what happens if a photo description
          consists of:

          <big><strong><font color=red>Hello !!!

          This isn't necessarily a malicious user -- just someone who wanted to type
          a big, bold, red greeting to the world but forgot to close their tags.
          Imagine what a malicious user could do (e.g. run javascript off your site).

          --
          Toby A Inkster BSc (Hons) ARCS
          Contact Me ~ http://tobyinkster.co.uk/contact


          • howa

            #6
            Re: SQL injection and PHP spoofing

            > 3: if so, what are the best practices to protect my database/site ?

            Two simple rules to prevent SQL injection (MySQL)

            1. if the input data is string, escape the quote

            e.g.

            this is "dsds  =>  this is \"dsds

            2. if the input data is integer, make sure it is really integer and
            never contains characters

            e.g. $i = intval($i); // force integer


            • Jerry Stuckle

              #7
              Re: SQL injection and PHP spoofing

              howa wrote:
              >> 3: if so, what are the best practices to protect my database/site ?
              >
              > Two simple rules to prevent SQL injection (MySQL)
              >
              > 1. if the input data is string, escape the quote
              >
              > e.g.
              >
              > this is "dsds  =>  this is \"dsds

              Which does not work with all character sets. Better is to use
              mysql_real_escape_string().

              > 2. if the input data is integer, make sure it is really integer and
              > never contains characters
              >
              > e.g. $i = intval($i); // force integer

              --
              ==================
              Remove the "x" from my email address
              Jerry Stuckle
              JDS Computer Training Corp.
              jstucklex@attglobal.net
              ==================


              • seaside

                #8
                Re: SQL injection and PHP spoofing


                bill wrote:
                > 1: Do I need to worry about SQL injection if I do not process the
                > incoming free form data ?
                >
                > 2: Do I need to worry about PHP statements being embedded in the
                > free form data ?
                >
                > 3: if so, what are the best practices to protect my database/site ?

                Post an email to me and I'll forward a small wrapper class, which
                protects against this problem.


                • bill

                  #9
                  Re: SQL injection and PHP spoofing

                  >> 3: if so, what are the best practices to protect my database/site ?
                  >
                  > Make it ugly so no one will use it :-D

                  good idea, but I think I will not try for this - might get there
                  anyway.

                  bill


                  • bill

                    #10
                    Re: SQL injection and PHP spoofing

                    Erwin Moller wrote:
                    > bill wrote:
                    >> MySQL newbie, not new to computing.
                    >>
                    >> In my application I accept photos and data, some structured and
                    >> some free text. I store the information (but not the images) in a
                    >> MySQL database and then from that information I construct a web
                    >> page for the user.
                    >>
                    >> The images are always displayed within an <img> tag.
                    >>
                    >> The text is displayed as part of the web page, within <p> tags.
                    >>
                    >> The users are all registered and (more or less) trusted individuals
                    >>
                    >> <paranoid mode on>
                    >>
                    >> 1: Do I need to worry about SQL injection if I do not process the
                    >> incoming free form data ?
                    >
                    > Why do you let the visitor fill in data if you do not process it?

                    I guess I should be more clear. I save the data in a mysql
                    database and then paste it into a generated web page. By process
                    I meant mysql_real_escape_string() (about which I did not know)

                    bill


                    • bill

                      #11
                      Re: SQL injection and PHP spoofing

                      bill wrote:
                      > MySQL newbie, not new to computing.
                      >
                      > In my application I accept photos and data, some structured and some
                      > free text. I store the information (but not the images) in a MySQL
                      > database and then from that information I construct a web page for the
                      > user.
                      >
                      > The images are always displayed within an <img> tag.
                      >
                      > The text is displayed as part of the web page, within <p> tags.
                      >
                      > The users are all registered and (more or less) trusted individuals
                      >
                      > <paranoid mode on>
                      >
                      > 1: Do I need to worry about SQL injection if I do not process the
                      > incoming free form data ?
                      >
                      > 2: Do I need to worry about PHP statements being embedded in the free
                      > form data ?
                      >
                      > 3: if so, what are the best practices to protect my database/site ?
                      >
                      > <paranoid mode off>

                      thanks all for the suggestions.

                      As I never use user input to a query string, just data, and the
                      images are not accessible except inside of <img> tags it would
                      seem that I am moderately safe.

                      bill


                      • Rafe Culpin

                        #12
                        Re: SQL injection and PHP spoofing

                        In article <nbydnaYXfJ8wkBXYnZ2dnUVZ_qfinZ2d@cablespeedmi.com>,
                        nobody@spamcop.net (bill) wrote:
                        >>> 1: Do I need to worry about SQL injection if I do not process the
                        >>> incoming free form data ?
                        >> Why do you let the visitor fill in data if you do not process it?
                        >
                        > I guess I should be more clear. I save the data in a mysql
                        > database

                        In that case an injection attack might well be possible and must be
                        guarded against. The text passed to the database might include a string to
                        say "That's the end of the data to be stored, and now here's the command
                        to delete the database".

                        --
                        To reply email rafe, at the address cix co uk
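Toby's escaping and htmlentities() advice (#5), howa's and Jerry's two rules (#6, #7) and Rafe's explanation just above, as one added example that is not from the thread: it shows the naive query breaking on an ordinary apostrophe, the bound-parameter form that takes the place of mysql_real_escape_string(), intval() on the id, and htmlentities() on output. It uses PDO with an in-memory SQLite database so it runs stand-alone; the function names are my own.

```php
<?php
// Added example, not from the thread: bill's description crosses two trust boundaries,
// into SQL and then into HTML. PDO with in-memory SQLite keeps it stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE photo (id INTEGER PRIMARY KEY, description TEXT)');
// Constructed sample: an honest user types an apostrophe and an unclosed tag
// (Toby's example). Neither is malicious; both break naive code.
$description = "O'Brien's <big><strong><font color=red>Hello !!!";

// Naive: the value is glued into the SQL text, so the apostrophe ends the string
// literal and the rest is parsed as SQL. Here that is just a syntax error; a value
// written with that in mind would be run as a command, which is Rafe's point.
function insertNaive(PDO $db, string $desc): bool
{
    try {
        $db->exec("INSERT INTO photo (description) VALUES ('$desc')");
        return true;
    } catch (PDOException $e) {
        return false;
    }
}

// Hardened: bind the value, so the database never parses it as SQL. This replaces
// mysql_real_escape_string() (ext/mysql is gone since PHP 7); if you must build SQL
// text yourself, use the connection-aware mysqli_real_escape_string(), never
// addslashes(), which is Jerry's character-set point.
function insertBound(PDO $db, string $desc): int
{
    $stmt = $db->prepare('INSERT INTO photo (description) VALUES (:d)');
    $stmt->execute([':d' => $desc]);
    return (int) $db->lastInsertId();
}
// howa's second rule: an id taken from the request is forced to an integer first.
function fetchDescription(PDO $db, string $rawId): ?string
{
    $stmt = $db->prepare('SELECT description FROM photo WHERE id = :id');
    $stmt->execute([':id' => intval($rawId)]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : (string) $row;
}

// Output: encode for HTML so the stored text is displayed, not parsed as markup.
function renderParagraph(string $desc): string
{
    return '<p>' . htmlentities($desc, ENT_QUOTES, 'UTF-8') . '</p>';
}
var_dump(insertNaive($db, $description));
echo renderParagraph(fetchDescription($db, (string) insertBound($db, $description)) ?? ''), "\n";
```

The bound form stores the apostrophe and the unclosed tags as plain data, and the rendered paragraph shows them as text rather than letting the browser interpret them.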


                        • bill

                          #13
                          Re: SQL injection and PHP spoofing

                          Rafe Culpin wrote:
                          > In article <nbydnaYXfJ8wkBXYnZ2dnUVZ_qfinZ2d@cablespeedmi.com>,
                          > nobody@spamcop.net (bill) wrote:
                          >
                          >>>> 1: Do I need to worry about SQL injection if I do not process the
                          >>>> incoming free form data ?
                          >>> Why do you let the visitor fill in data if you do not process it?
                          >> I guess I should be more clear. I save the data in a mysql
                          >> database
                          >
                          > In that case an injection attack might well be possible and must be
                          > guarded against. The text passed to the database might include a string to
                          > say "That's the end of the data to be stored, and now here's the command
                          > to delete the database".

                          Ok, thank you.
                          I will sanitize the data.
                          bill


                          • Sandman

                            #14
                            Re: SQL injection and PHP spoofing

                            In article <nbydnacXfJ-lkBXYnZ2dnUVZ_qemnZ2d@cablespeedmi.com>,
                            bill <nobody@spamcop.net> wrote:
                            >>> 3: if so, what are the best practices to protect my database/site ?
                            >> Make it ugly so no one will use it :-D
                            >
                            > good idea, but I think I will not try for this - might get there
                            > anyway.
                            >
                            > bill

                            :)

                            --
                            Sandman[.net]