Originally posted by Toly
So what you are trying to say is that i should use two single quoates rather than one to avoid commands to execute?
no, what he is saying is to feed all the data you’re gathering from the form through some kind of procedure that will replace all single quotes with double single quotes. here is a simple one for ASP/VBScript (i’m sure you have something equivalent in PHP):
Function fixQuotes(theString)
fixQuotes = Replace(theString, "'", "''")
End Function
“default deny regular experssion” from the SPI dynamics solutions section.
Does that mean to select a set amount of characters so your ‘user input’ (whatever it might be) will be removed of any qutoes or other symbols that you dont want?
I was wondering if this solution will work. (I am sure someone has thought of it already and it might sound really dumb since I am a newbie) Let’s say you have an admin page for your webmaster to log into to perform multiple sql tasks. Of course, general users and the public doesnt need to enter the page. Therefore, instead of just using sql injection prevention methods, cant you limit access to certain IP addresses. I am aware some ISP give dynamic IPs, but for some ADSL/DSL companies you get a static ip. I read some where you can log the users ip using php. All that has to be done is to store the static ip (the computer that the admin uses) somewhere safe. Everytime someone tries to go to the admin page, their ip will be matched against the stored one. If its different, automatic redirect so the no input can even take place.
I dont know if that works, I just thought of it out of the blue in light of reading this article. Don’t laugh if its super stupid, I am new to coding security and all. Tell me if it works.
Spaz
It’s not a stupid suggestion at all - it is indeed possible to restrict access to something by (virtually) any criteria, and a system such as that which you suggest could indeed be implemented if desired.
However, in practice, I don’t think that it would be a good idea at all, since one of the best features of any remote admin system is the ability to log on from anywhere and fix/alter something, but if you’ve restricted admin access to only a single IP, then you’re screwed if you’re located anywhere else when you need to make the change!!
Hence locking down admin access to only a single PC or IP address is not a good idea for that reason alone (and I’m sure that there are plenty of others).
True… It will be a big problem if the admin doesnt have a static ip. Come to think of it, most of the time admins might need to change stuff when away from the office.
Another question:
After reading some of the articles in this post, it makes me think hard to prevent sql injection attacks.
If I am remember correctly, the “Dynamic something (I forgot the second part of the company name. I just know its one of the first articles posted)” said its simply not enough by removing single quotes, backslashes and all. So what else can we do?
By removing all the possible symbols needed for “fooling” the code, how can the attacks take place?
There are many suggestions to actually limit or set a range of characters or values to be used. Something like (according to my memory):
[a-z], [A-Z], [0-9]
Won’t that be limiting if a user requires " ’ " in their search?
Spaz
i think you would have to evaluate what data you are getting. if it is only supposed to be numeric, strip everything except numerals (use regular expressions). <snip/>
Thanks for the link bbolte, I read that one already (I think it was a link in previous posts). That article mainly covers ASP. Of course, its still good to know if I need to use ASP in other projects. But as of now, I am looking for PHP resources. I have found some like the articles and posts that Dr. Pepper and HarryF has made.
ex. magic quotes are a NO NO
so I use the addslashes()
and the ereg_replace( ) to replace any suspicious characters.
I hope I am using the right tools…
Spaz
I’ll feel really stupid if anyone has already answered this and I somehow didn’t realize it, but are there any handy PHP equivilents to the ASP functions all those aritcles seem to be using? Such as one that replaces the ’ with ‘’. Also is there an easy way to see if there are certain characters in the userinput that we might want to keep out? I’m new to this–please, don’t yell at me. :bawling:
Here’s another ASP-orientated one, although as ever, the same principles apply to all development platforms…
And another, specifically on using MSSQL stored procedures to avoid injection attacks:
Cold Fusion has protection against this by using <CFQUERYPARAM…> to ensure that the data meets the requirements. You can <CFTRY> and catch the error. It can mean the end of your data if someone sents in a delete command as an ID.
I’m using php/mySQL.
I have a site that has no accounts, and no way for a user to (legally) write to the database, which only lets the user query a database
Simple Q: Can php/mysql write priveledges be set so that there is no way for injections to alter the database? (ie the only way to alter the db is to log into the host account and use phpAdmin).
Hot off the presses (so hot, it’s dated september, but it’s only August the 20th):
MSDN: Stop SQL Injection Attacks Before They Stop You
go stored procedure
that is one thing that keeps me off mySQL and PHP to a certain extent
you have to be very aware of security issues here
when mySQL present something akin to stored procedures I will jump in
If you use parameters in your query, than there is no chance to make SQL Injection. You can also use LINQ.
10 seconds of lame singing to find the back button
cute idea, though
Setup and execute all queries as stored procedures. The way SQL parameters are passed prevents the use of apostrophes and hyphens in a way that would allow an injection attack to occur. In addition, it allows database permissions to be restricted to only allow specific procedures to be executed. All user input must then fit into the context of the procedure being called and it is less likely an injection attack could occur.
If possible, use HereDoc or NowDoc, which escapes input strings.
When the input string is escaped a query won’t look like
SELECT *
FROM users
WHERE username=‘admin’; – ’
AND password = …
(username=‘admin’ and the rest is a cooment.)
NowDoc, will make it:
SELECT *
FROM users
WHERE username=‘admin\’;–’ …
you might want to explain which language(s) these are available in