Securing your PHP script Part 1 [SQL Injection]
#1
SQL Injection happens when a certain query allows a user to escape the string and add to the original query, to manipulate how it works.

For easy reading SQL Query will be red and Text will be blue

Ok so here is our login script:

Please note the same applies no matter if you use ".$variable." or {$variable}.

<?php
$db->connect();

$pass = $_POST['pass'];

// Vulnerable: the posted value is pasted straight into the SQL text
$query = mysql_query("SELECT * FROM users WHERE pass={$pass}");
if (mysql_num_rows($query) > 0)
{
echo "welcome user";
}
?>

This will simply log them in if the posted password is right. Example of the SQL Query is:
SELECT * FROM users WHERE password='1234'

But now if the user enters their password as 1234 OR 1=1 the query looks like this:
SELECT * FROM users WHERE password='1234' OR 1=1

This now will log him in if either the password is right or 1=1, and as 1 will always equal 1 it will log him in regardless of whether the pass is right or not.

So this is how we protect from that:
<?php
$db->connect();

$pass = $_POST['pass'];

// Quoting the value makes it a string literal, but quotes inside the value can still break out
$query = mysql_query("SELECT * FROM users WHERE pass='{$pass}'");
if (mysql_num_rows($query) > 0)
{
echo "welcome user";
}
?>
// If you use ".$var." you must add apostrophes too, so pass='".$var."'

The ' toggles between text and query, so now the variable will be run as text. So now where the user enters 1234 OR 1=1 the query looks like this:
SELECT * FROM users WHERE password='1234 OR 1=1'

Now it only checks if the user password is "1234 OR 1=1", which it won't be.

But our user can still bypass this by escaping the text string back into the query. All he needs to do is change his password to 1234' OR 1='1

Now our query is back to checking if his password is right or if 1=1 which it does.
SELECT * FROM users WHERE password='1234' OR 1='1'

This is a little harder to stop. We are best to write a function to stop the user using ' or ". So here's the function:
function sanitize($sanitize)
{
if (get_magic_quotes_gpc()) // Some plugins will try to do what we are about to do, so let's undo it to prevent errors if they are installed
{
$sanitize = stripslashes($sanitize); // Remove the slashes that magic quotes may have added
}
if (!is_numeric($sanitize)) // Make sure the string is not a number; we don't need to modify numbers as they can't contain " or '
{
$sanitize = mysql_real_escape_string($sanitize); // Will escape ' and "
}
return $sanitize;
}

Now our code will look like this:
<?php
function sanitize($sanitize)
{
if (get_magic_quotes_gpc())
{
$sanitize = stripslashes($sanitize);
}
if (!is_numeric($sanitize))
{
$sanitize = mysql_real_escape_string($sanitize);
}
return $sanitize;
}
$db->connect();

$pass = sanitize($_POST['pass']); // Put the password through our sanitizer

$query = mysql_query("SELECT * FROM users WHERE pass='{$pass}'");
if (mysql_num_rows($query) > 0)
{
echo "welcome user";
}
?>

If the user enters the password as 1234' OR 1='1 the query will look like:
SELECT * FROM users WHERE password='1234\' OR 1=\'1'
Now it only checks if the password is 1234\' OR 1=\'1 and doesn't check if 1=1.

The way mysql_real_escape_string works is that a " or ' can be neutralized with a \, so \' and \" will do nothing.

That's the end of my tutorial. Some things to remember are: sanitize cookies and select boxes, as both can be modified to allow SQL injection regardless of what you set them as; none of the methods in this tutorial will prevent the usage of % and _ in LIKE statements, so you will need to write something for that; and remember this is not a tutorial on how to SQL inject, I have left some deliberate errors in the examples to prevent use of it for that.

Also, due to a security plugin on this site, if you see <REMOVE ME> in the code, remove it INCLUDING the < and >.
Need website or forum help?
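An added example (not part of the original post): the same login check written with PDO prepared statements, which is how this is done since the mysql_* functions were removed in PHP 7. It runs against an in-memory SQLite database with a constructed users row and assumes the pdo_sqlite extension is enabled; the escapeLike helper covers the % and _ LIKE wildcard case the post says its methods do not handle.

```php
<?php
// Added example, not from the original post. Constructed sample data in SQLite
// (assumes pdo_sqlite is enabled) so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)");
$db->exec("INSERT INTO users (name, pass) VALUES ('alice', '1234')");

/** Number of users whose stored password equals the submitted value. */
function countMatches(PDO $db, string $pass): int
{
    // The ? placeholder is bound after the statement is parsed, so any quotes
    // in $pass are data, never SQL: no escaping function is needed at all.
    $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE pass = ?");
    $stmt->execute([$pass]);
    return (int) $stmt->fetchColumn();
}

/** Escape the LIKE wildcards % and _ (and the escape char itself) in a value. */
function escapeLike(string $value, string $esc = '\\'): string
{
    // Escape the escape character first so later replacements are not doubled.
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $value);
}

/** Number of users whose name starts with $prefix, treating wildcards literally. */
function countLike(PDO $db, string $prefix): int
{
    // ESCAPE names the escape char explicitly; MySQL defaults to backslash, SQLite does not.
    $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE name LIKE ? ESCAPE '\\'");
    $stmt->execute([escapeLike($prefix) . '%']);
    return (int) $stmt->fetchColumn();
}

// The three password inputs walked through in the post, plus the LIKE caveat.
printf("correct password 1234: %d row(s)\n", countMatches($db, '1234'));
printf("1234 OR 1=1:           %d row(s)\n", countMatches($db, '1234 OR 1=1'));
printf("1234' OR 1='1:         %d row(s)\n", countMatches($db, "1234' OR 1='1"));
printf("LIKE with literal %%:  %d row(s)\n", countLike($db, '%'));
printf("LIKE prefix al:        %d row(s)\n", countLike($db, 'al'));
```

Only the correct password and the al prefix match a row; both injection strings and the bare % are compared as literal data.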
#2
The colors are really hard to look at. Nonetheless, very very helpful. Bookmarked.
Aut viam inveniam aut faciam.
#3
(06-07-2011, 10:38 PM)Cybr Wrote: The colors are really hard to look at. Nonetheless, very very helpful. Bookmarked.

I just tried to follow the colours that MyBB's PHP Syntax highlighter uses but I guess they don't go well on a grey background.
#4
(06-07-2011, 10:54 PM)0xE9 Wrote: I just tried to follow the colours that MyBB's PHP Syntax highlighter uses but I guess they don't go well on a grey background.

Yeah, darker colors go better with a light background, and vice versa.
#5
Ok, I'll update the colours to lighter ones in a bit.
#6
Very dark bro :/
#7
Ok guys are these colors better?
#8
bump!
#9
Very, very nice man, thanks for this. I'll make sure people see this.
#10
(06-11-2011, 10:11 AM)Ted Bundy Wrote: Very, very nice man, thanks for this. I'll make sure people see this.
Thanks man.