Security Basics mailing list archives
Re: ASP/PHP SQL Injection
From: Andrew Kane <codemaster () quantumraiders com>
Date: Thu, 31 Aug 2006 13:46:39 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've seen the best way to counter injections (in PHP) is to use mysql_real_escape_string (see: http://www.php.net/mysql_real_escape_string). This way, any data inserted will become a 'safe string' and therefore will not take control of your query.

For example, using your example, a user inputs "; DROP DATABASE `test`;" as the input variable. The first semicolon will make it attempt to query everything up until that spot (which will error); it will then run the DROP DATABASE command, which might work if you have a test database (thus destroying your database), and then finally continue with the code afterwards, which will error as well.

Basically, protecting yourself from a SQL injection is a MUST if you accept any input!

coder wrote:
Hi all,
I have been reading quite a bit into SQL injections and I just wondered if
my thinking is correct:
If one has the ASP or PHP source code for a site, they would just look for-
(written in a pseudo-ish code as I assume the same principles exist for ASP
and PHP)
$variable = get_value_from_url('variable') // i.e. blah.asp?variable="hello"
SQL = "SOME SQL" & $variable & "SOME MORE SQL"
or
<executing object (i.e. rs.open)> "SOME SQL" & $variable & "SOME MORE SQL"
When looking for potential SQL Injection attacks, it's one of the two SQL lines
one would look for... is that correct? And to stop SQL Injection attacks,
one only has to "sanitise" the variable with CLng() in the case of numeric
fields and in the case of alphanumeric fields a built-in PHP/ASP/MySQL
function can be used.
Also, assuming my thinking above is correct, what does one look for when
checking for possible XSS attack?
Thanks for your input,
Davie Elliott
---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)

iD8DBQFE9yB/Cggt9XTPwUwRAifFAJ9LUEz5DY9MM3KFyKSR/hGRxh6b0gCgitO1
LjCEFRZp5B56FWJO1KMOyfw=
=jYlU
-----END PGP SIGNATURE-----
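As an added illustration of the thread's point (example code written for this archive page, not code from either poster), the approaches discussed above are run side by side against an in-memory SQLite database in Python, standing in for PHP and MySQL so the example runs offline: plain concatenation as in the question, quote escaping as the SQLite analogue of mysql_real_escape_string, an integer cast in the spirit of CLng(), and a bound parameter. The table, its rows, the payload strings and every function name are constructed for the example; sqlite_escape() is a hypothetical helper, not a library call.

```python
# Added example for this archive page (not code from the posters): SQL injection
# via string concatenation versus quote escaping, integer casting and bound
# parameters. SQLite stands in for MySQL; the table and its rows are constructed.
import sqlite3


def make_db():
    """Build a throwaway in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (3, "o'neil", "pa55")],
    )
    return conn


def sqlite_escape(value):
    """Hypothetical SQLite analogue of mysql_real_escape_string: double every
    single quote. (The MySQL function additionally escapes backslash, NUL, CR,
    LF and Ctrl-Z.) It only helps when the result lands inside a quoted literal."""
    return value.replace("'", "''")


def names(conn, sql, params=()):
    """Run one statement and return the matched names as a sorted list."""
    return sorted(row[0] for row in conn.execute(sql, params))


def lookup_concat(conn, name):
    """Vulnerable: the "SOME SQL" & $variable & "SOME MORE SQL" pattern from the question."""
    return names(conn, "SELECT name FROM users WHERE name = '" + name + "'")


def lookup_escaped(conn, name):
    """Escaped string context: a quote in the input can no longer end the literal."""
    return names(conn, "SELECT name FROM users WHERE name = '" + sqlite_escape(name) + "'")


def lookup_numeric_escaped(conn, user_id):
    """Still vulnerable: the value sits outside quotes, so escaping quotes changes nothing."""
    return names(conn, "SELECT name FROM users WHERE id = " + sqlite_escape(user_id))


def lookup_numeric_cast(conn, user_id):
    """The CLng() idea: force the value to an integer first; anything else is rejected (None)."""
    try:
        n = int(user_id)
    except ValueError:
        return None
    return names(conn, "SELECT name FROM users WHERE id = %d" % n)


def lookup_param(conn, name):
    """Bound parameter: the driver never splices the value into the SQL text at all."""
    return names(conn, "SELECT name FROM users WHERE name = ?", (name,))


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"    # constructed string-context payload
    numeric_payload = "1 OR 1=1"  # constructed numeric-context payload, no quotes needed
    print("concat          :", lookup_concat(db, tautology))          # every user leaks
    print("escaped         :", lookup_escaped(db, tautology))         # nothing matches
    print("escaped, legit  :", lookup_escaped(db, "o'neil"))          # real quote survives
    print("numeric escaped :", lookup_numeric_escaped(db, numeric_payload))  # every user leaks
    print("numeric cast    :", lookup_numeric_cast(db, numeric_payload))     # rejected
    print("param           :", lookup_param(db, tautology))           # nothing matches
```

Run it directly to see the results. Escaping only protects a value that is placed inside a quoted string literal, which is why a numeric field needs a cast (or a bound parameter) rather than an escape, and why the parameterised form covers both cases with one rule. Python's sqlite3 execute(), like PHP's mysql_query(), refuses to run more than one statement at a time, so the "; DROP DATABASE" payload from the reply would be rejected outright by those two calls; the tautology payloads used here need only a single statement, which is why they are the usual first probe.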
Current thread:
- ASP/PHP SQL Injection coder (Aug 30)
- RE: ASP/PHP SQL Injection Daniel Gargallo (Aug 31)
- Re: ASP/PHP SQL Injection Andrew Kane (Aug 31)
- <Possible follow-ups>
- Re: ASP/PHP SQL Injection pratiksha . doshi (Aug 31)
- Re: ASP/PHP SQL Injection coder (Aug 31)
