  1. #1 (Kyiv, Ukraine)

    Question Unanswered: preventing SQL injection attacks

    Any info on the subject of preventing SQL injection attacks will be much appreciated - removing escape characters, etc. Which functions should I use and how? Any good articles, forum threads around the net about this?

    TIA.
    Yours faithfully,
    Yaroslav Zaremba

  2. #2 (NC, USA)
    I can't help with the code, but an extra layer you could use is mod_security at http://www.webkreator.com/mod_security/. It includes protection for many of the more common attacks, including simple SQL injection.

    This is assuming you use Apache as your web server.

  3. #3
    Here you go:
    http://www.owasp.org/guide/
    There is a pretty good PDF about web application security as a whole, and they go into different types of attacks, including SQL injection.

    -b
    (I'm only available at the email address provided in my profile on weekdays, if you have questions or advice, during off hours use AIM). Also any views I provide here or on my website are mine and not representative of any views of my work, family, friends and sometimes even myself.

    http://www.bcyde.com

  4. #4 (Kyiv, Ukraine)
    Regarding mod_security: I'm using standard UNIX web hosting and do not have the ability to install mods on my host's Apache web server...

    And about the "OWASP Guide": I've already downloaded it. Fantastic work! But it's quite big to read quickly; I promise I'll surely do this, but later... I just need a few tips on what functions I should look into to keep the data coming from HTML forms into a script with an SQL query as safe as possible for the database/site/etc...
    Yours faithfully,
    Yaroslav Zaremba

  5. #5
    Quick answer: make sure to always validate your input. If you know the data type of the form vars, you can always make sure to cast them to the data type that you expect them to be. When taking direct text input, make sure to use addslashes. You can try filtering out other things as well, like --, ;, ', ", but it all comes down to the data you're expecting. But for a better answer, just skip to SQL injection in the OWASP guide.

    -b

  6. #6 (Kyiv, Ukraine)
    If 'magic_quotes_gpc' is turned 'ON', what else will I need in my program code to protect MySQL queries that use data from INPUT boxes? It seems to me those cute magic quotes serve that purpose 100%! Maybe I am not seeing something?
    Yours faithfully,
    Yaroslav Zaremba

  7. #7 (Kyiv, Ukraine)
    Got one!
    htmlentities() - that's the one to keep my output pages from being spoiled by tags like </HTML> or <H1> typed into the input boxes!

    Anything else to do with a string that comes from $_POST/$_GET?
    Yours faithfully,
    Yaroslav Zaremba
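Added example, written by the editor and not code from any poster in this thread: the casting, bound-parameter and output-escaping steps discussed in posts #5 to #7, in PHP. It assumes PHP 7.1 or later with the PDO MySQL driver, a hypothetical articles(id, title) table and placeholder database credentials; get_magic_quotes_gpc() exists only up to PHP 7.4, so the helper guards the call.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.1+ with PDO MySQL and a
// hypothetical table articles(id INT, title VARCHAR(200)); credentials are placeholders.

// Post #6: with magic_quotes_gpc ON, the form value already carries backslashes.
// Undo that so the raw text is validated and bound below; otherwise the
// backslashes end up stored in the table. The function is gone in PHP 8.
function rawInput(string $value): string {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Post #5, "cast to the data type you expect": an article id must be a
// positive integer. A value like "42 OR 1=1" is rejected outright rather
// than silently truncated by (int).
function readArticleId(array $input): ?int {
    if (!isset($input['id']) || !ctype_digit((string) $input['id'])) {
        return null;
    }
    $id = (int) $input['id'];
    return $id > 0 ? $id : null;
}

// Free text is passed as a bound parameter, never concatenated into the SQL,
// so quotes, ';' or '--' inside it are data and cannot change the statement.
// (% and _ are still LIKE wildcards: a search-result concern, not injection.)
function findArticles(PDO $db, string $titleFragment): array {
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepare
    $stmt = $db->prepare('SELECT id, title FROM articles WHERE title LIKE ?');
    $stmt->execute(['%' . $titleFragment . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Post #7: escape at output time, so <h1> or </html> typed into an input box
// is displayed as text instead of being interpreted by the browser.
function renderTitle(string $title): string {
    return htmlentities($title, ENT_QUOTES, 'UTF-8');
}

// Usage with constructed sample input standing in for $_GET / $_POST.
$input = ['id' => '42', 'q' => rawInput("O'Reilly; DROP TABLE articles; --")];
if (readArticleId($input) === null) {
    exit('invalid article id');
}
$db = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass'); // placeholders
foreach (findArticles($db, $input['q']) as $row) {
    echo renderTitle($row['title']), "\n";
}
```

addslashes() and magic quotes only escape characters for one quoting context; binding parameters keeps data and SQL separate regardless of which characters the input contains, which is why the query above never builds SQL from the string.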
