SQL Injections

Hitman · 24-11-2007, 04:18 PM

Hey!

I'm not good with security (lol), what do I need to do to secure my forums that put data into sql databases?

To stop sql injections, html etc?

Can somebody find me a tut or write the code with where it goes? I've used google, no use. I had it before, but the link is dead.

MrCraig · 24-11-2007, 04:24 PM

Originally Posted by Hitman

Hey!

I'm not good with security (lol), what do I need to do to secure my forums that put data into sql databases?

To stop sql injections, html etc?

Can somebody find me a tut or write the code with where it goes? I've used google, no use. I had it before, but the link is dead.

Use a cleaning function

PHP Code:


<? 
function clean($str)
{
$cl = strip_tags(addslashes(stripslashes(htmlspecialchars($str))));
return $cl;
}

Then use the cleaning string when declaring vars.

eg

$v1 = clean($_GET[v1]);

Hitman · 24-11-2007, 04:43 PM

Thanks!

lolwut · 24-11-2007, 04:53 PM

mysql_real_escape_string() is the best thing to help you with this, but make sure you're connected to a database first or it won't work.
I.e:

PHP Code:


include something.php;
$var = $_POST['var'];
$newvar = mysql_real_escape_string($var);

MrCraig · 24-11-2007, 05:03 PM

Dont mean to sound stupid, but what does mysql_real_escape_string do anyways ?

Like does it filter out commands or something?

Florx · 24-11-2007, 06:20 PM

http://us.php.net/mysql_real_escape_string

Beau · 24-11-2007, 09:37 PM

I'd suggest using sprintf as well:

PHP Code:


$query = sprintf("SELECT * FROM users WHERE username='%s'", mysql_real_escape_string($_POST['username']);
$query = mysql_query($query);

That tells PHP beforehand what the string should look like, thus preventing injections somewhat.

Also, don't throw strip_tags, htmlspecialchars and mysql_real_escape_string into the one clean function. Make two; one for sanitizing and one for returning. Sanitizing will apply to all data going into the database (just need mysql_real_escape_string), and returning for data being echoed back to the user (htmlspecialchars imo, no need to strip the tags, just display everything back). You'll find yourself using a load of server resources if you echo everything back using mysql_real_escape_string.

Hitman · 24-11-2007, 11:13 PM

Originally Posted by Beau

I'd suggest using sprintf as well:

PHP Code:


$query = sprintf("SELECT * FROM users WHERE username='%s'", mysql_real_escape_string($_POST['username']);
$query = mysql_query($query);

That tells PHP beforehand what the string should look like, thus preventing injections somewhat.

Also, don't throw strip_tags, htmlspecialchars and mysql_real_escape_string into the one clean function. Make two; one for sanitizing and one for returning. Sanitizing will apply to all data going into the database (just need mysql_real_escape_string), and returning for data being echoed back to the user (htmlspecialchars imo, no need to strip the tags, just display everything back). You'll find yourself using a load of server resources if you echo everything back using mysql_real_escape_string.

OK, so for everything put the mysql_real_escape_string, for things like signature etc put the htmlspecialchars (so no redirections etc).

Beau · 24-11-2007, 11:26 PM

Originally Posted by Hitman

OK, so for everything put the mysql_real_escape_string, for things like signature etc put the htmlspecialchars (so no redirections etc).

Pretty much. Thing is, you mightn't want to remove HTML from certain things, like news posts and stuff. That's why you don't want it all in the same function

Hitman · 24-11-2007, 11:32 PM

Originally Posted by Beau

Pretty much. Thing is, you mightn't want to remove HTML from certain things, like news posts and stuff. That's why you don't want it all in the same function

You're 2 steps ahead of me.

Thread: SQL Injections

Thread Tools

SQL Injections

Posting Permissions