jend91 Posted October 25, 2011

Hey Guys,

Hope you are all having a great day. I was hoping somebody could help me with preventing my blog from being attacked by SQL Injection. I made a simple blog using PHP and MySQL but I keep getting spam comments (even though I use reCAPTCHA) and some files were overwritten on my web server. For all my input I use mysql_real_escape_string but I still get the problem.

I found a video on YouTube that showed how to enter stuff on the address bar like "order by 2--" and "union all select...." after passing a variable etc., and all of the things in the video could be replicated on my site. I am guessing that is my problem, but the video did not tell me how to resolve the issue, and I am sick of having to delete hundreds of spam comments per day and check my web server for uploaded files.

How can I stop people adding these commands to the address bar and getting data from my database? I really need your help :'(

Thanx,
Jen
MasterACE14 Posted October 25, 2011

> I made a simple blog using PHP and MySQL

Could we see some code? Primarily your database code, whether it be a class or functions.
PFMaBiSmAd Posted October 25, 2011

mysql_real_escape_string only escapes string data being put into a query. It does nothing to protect against SQL injection in numeric data. For numeric data, you need to either validate that it is only a number or, more simply, cast it as a number.
watsmyname Posted October 25, 2011

The function I created, and often use in my projects, is:

    <?php
    // Sanitize a string value before it is placed inside quotes in an SQL query.
    // This only helps with string data; numeric parameters still need their own validation.
    function sanitize($var, $sanitize = '1')
    {
        // strip any backslashes already present (e.g. added by magic_quotes_gpc)
        // so the value is never escaped twice
        $var = str_replace("\\", "", $var);

        if ($sanitize == '1' && function_exists("filter_var")) {
            // strip tags and encode quotes (filter_var needs PHP 5.2 or later)
            $returnvar = filter_var($var, FILTER_SANITIZE_STRING);
        } else {
            $returnvar = $var;
        }

        // escape for MySQL; mysql_real_escape_string needs an open connection,
        // so fall back to addslashes only when the MySQL extension is unavailable
        if (function_exists("mysql_real_escape_string")) {
            $returnvarfinal = mysql_real_escape_string($returnvar);
        } else {
            $returnvarfinal = addslashes($returnvar);
        }

        return $returnvarfinal;
    }
    ?>

In your submit page, you use it like this:

    $var = sanitize($_POST["somevariable"]);

But the limitation of this function is that your server should have PHP v5 installed and the filter_var function must be enabled. And for numeric data you need to validate that the source contains a numeric value only.

Hope this will give you some idea.
jend91 Posted October 25, 2011 (Author)

Hey,

Thanks for the replies. On my homepage, I show the blog articles. Each article title is a link to a comments page where people can post comments and see comments left by others. The link I use on the homepage is:

    echo '<a href="blogarticle.php?aID='.$aID.'"><h1>'.$row['articletitle'].'</h1></a>';

When I click this link I go to the comments page and the URL looks like:

    http://www.mysite.com/blogarticle.php?aID=25

Somebody can modify this to be

    http://www.mysite.com/blogarticle.php?aID=25 order by 2--

and it will return a value. Then there is all the other stuff like union all select 1,2,3,4-- etc. that is also allowed.

On my comments page, I am using this line to grab the value:

    $aID = mysql_real_escape_string($_GET['aID']);

I tried to use the function on my localhost but it did not work. I am running WAMP server with PHP version 5.3. I am not sure how to check if filter_var is enabled though?

Thanx,
Jen
Buddski Posted October 25, 2011

As PFMaBiSmAd said, you will need to validate your $aID variable correctly; how you do that is up to you. There are many PHP functions that can assist you: http://au.php.net/manual/en/ref.var.php

Or, again as PFMaBiSmAd suggested, cast the input as an integer.
jend91 Posted October 25, 2011 (Author)

Hey guys,

I have added an if statement that says if it is not numeric (!is_numeric) then redirect to the homepage using the header function, else grab the value. I have tested it and it seems to be working, so I will see if I am getting any more spam over the next couple of days.

Thanks for your help,
Jen
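The following is an added example, not code posted by anyone in this thread. It shows the blogarticle.php?aID=... handler Jen describes in two forms: the vulnerable shape (escaping a value that is never quoted in the SQL changes nothing, which is PFMaBiSmAd's point), and a hardened version that validates the parameter as a plain positive integer and binds it with a PDO prepared statement. The table and column names (articles, articleid, articletitle, body) and the in-memory SQLite database used for the demo are assumptions; against MySQL the DSN would be something like mysql:host=localhost;dbname=blog. It also goes slightly beyond the thread by showing why ctype_digit is a stricter check than the is_numeric test Jen settled on.

```php
<?php
// Added example (not from this thread). Demonstrates why escaping does not protect an
// unquoted numeric parameter, and how to validate + bind it instead.
// Assumed schema: articles(articleid, articletitle, body).

// --- VULNERABLE: escape-then-concatenate on an unquoted integer ---
// "25 order by 2--" contains no quote or backslash, so escaping leaves it untouched
// and the whole string is glued into the query. addslashes() stands in for
// mysql_real_escape_string(), which needs a live MySQL connection.
function build_query_vulnerable($aID_raw)
{
    $aID = addslashes($aID_raw);
    return "SELECT articletitle, body FROM articles WHERE articleid = " . $aID;
}

// --- HARDENED step 1: accept only a plain positive integer ---
// ctype_digit() is stricter than is_numeric(): it rejects "1e3", "25.0", " 25" and "-25".
// Returns null when the value should be refused (caller redirects or sends a 404).
function parse_article_id($aID_raw)
{
    if (!is_string($aID_raw) || !ctype_digit($aID_raw) || strlen($aID_raw) > 10) {
        return null;
    }
    $id = (int) $aID_raw;
    return $id > 0 ? $id : null;
}

// --- HARDENED step 2: never concatenate; bind the validated value ---
function fetch_article(PDO $db, $aID_raw)
{
    $id = parse_article_id($aID_raw);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare("SELECT articletitle, body FROM articles WHERE articleid = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demo with constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE articles (articleid INTEGER PRIMARY KEY, articletitle TEXT, body TEXT)");
$db->exec("INSERT INTO articles VALUES (25, 'Hello world', 'First post')");

// The first probe is a normal request; the rest are the kinds of values the thread
// says were arriving in the address bar, plus two that is_numeric() would wrongly accept.
$probes = array("25", "25 order by 2--", "25 union all select 1,2,3,4--", "1e1", "-25");
foreach ($probes as $p) {
    echo "input: " . $p . "\n";
    echo "  vulnerable SQL: " . build_query_vulnerable($p) . "\n";
    $row = fetch_article($db, $p);
    echo "  hardened result: " . ($row === null ? "rejected" : $row['articletitle']) . "\n";
}
?>
```

In the real page handler, a null from parse_article_id is the place to do the header("Location: /") redirect Jen added, and the comment INSERT should use the same prepared-statement pattern for the string fields instead of mysql_real_escape_string. The mysql_* functions the thread relies on were removed in PHP 7, so PDO (or mysqli with bound parameters) is the only forward-compatible option anyway.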