
Preventing attacks when you cannot filter data

Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!

Moderators: macek, egami, gesf

Postby victor123 » Sun Apr 03, 2005 10:12 am

I have read the sticky posts; I am developing a site in PHP+MySQL. Because of the characteristics of the fields I am dealing with, it is not possible to filter them, so another type of approach must be used.
I read the example of bound parameters. Unfortunately, it is Perl, not PHP. Could somebody give me some clues on how to prevent attacks when the fields in the form cannot be filtered?
Many thanks in advance.
Cheers.
victor123
New php-forum User
Posts: 192
Joined: Mon Sep 06, 2004 1:23 am
Location: Madrid, Spain

Postby nickk » Wed May 04, 2005 1:00 pm

Hmm, I am interested to hear why you cannot filter them; what kind of field is this? More info could help us solve your problem.
nickk
New php-forum User
Posts: 36
Joined: Sat Nov 29, 2003 6:57 am

Postby victor123 » Sun May 08, 2005 3:47 am

Hi,

With filtering i refer to the following:

Many fields in a form (e.g. phone) contain only certain characters, so you can check whether the fields you receive are correct or not (a first check on the client and a security check on the server). Thus, on the server side I filter all fields, checking their validity.

The problem is that some fields cannot be checked because you have to allow all characters. These fields are a threat because anyone can insert SQL code. At this moment, the only solution I have come up with is checking these fields for occurrences of certain SQL words (such as insert, delete, select, drop and so on). I believe this is not very efficient, and that was the reason for my posting.

Thanks a lot.
victor123
New php-forum User
Posts: 192
Joined: Mon Sep 06, 2004 1:23 am
Location: Madrid, Spain

Postby nickk » Sun May 08, 2005 5:10 am

If I understand correctly, you have input fields which are used in SQL queries. If this is the case (and you are using MySQL), there is a function, addslashes(), that adds a / in front of all characters that could cause a SQL injection. The / escapes the character in front of it so MySQL does not parse it. When you are retrieving the data that you did addslashes on, you use the function stripslashes to remove these /.
nickk
New php-forum User
Posts: 36
Joined: Sat Nov 29, 2003 6:57 am

Postby Alexej Kubarev » Sun May 08, 2005 5:14 am

Well... the problem can be fixed by simply adding slashes (addslashes() or addcslashes()) to the user data and enclosing everything with '

This will give you the security you need..

The query would look like this:
<?php $sql = "SELECT * FROM table WHERE field_name = '" . addslashes($_POST['field_name_or_something']) . "'"; ?>
Alexej Kubarev
Site Admin
Posts: 2223
Joined: Fri Mar 05, 2004 7:15 am
Location: Täby, Stockholms län

Postby Alexej Kubarev » Sun May 08, 2005 5:15 am

nickk is almost right... it actually adds / in front of every single/double quote.
Alexej Kubarev
Site Admin
Posts: 2223
Joined: Fri Mar 05, 2004 7:15 am
Location: Täby, Stockholms län

Postby victor123 » Mon May 09, 2005 1:10 am

All right, many thanks to you both. Is it more convenient to use addslashes or mysql_escape_string?

Thanks again.
victor123
New php-forum User
Posts: 192
Joined: Mon Sep 06, 2004 1:23 am
Location: Madrid, Spain

Postby Alexej Kubarev » Mon May 09, 2005 5:28 am

Hmmz... I would say adding slashes... but that is, however, up to you...
Adding slashes will make it a bit more portable, in my opinion.
Alexej Kubarev
Site Admin
Posts: 2223
Joined: Fri Mar 05, 2004 7:15 am
Location: Täby, Stockholms län
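The three approaches discussed in this thread side by side, as an added example that is not code from any of the posters: raw string concatenation, escaping as recommended above, and the bound parameters the original question asked for. It uses PDO with an in-memory SQLite database so that it runs without a MySQL server; the table, column and input value are constructed for the demonstration, and with a MySQL DSN the prepare()/execute() calls are identical. The input is a perfectly legitimate value that happens to contain a quote, which is already enough to show why the first approach fails. Note that addslashes() produces backslash escapes (O\'Brien), which MySQL understands but SQLite does not, so the escaping step below uses the driver's own quoting (PDO::quote; mysqli_real_escape_string is the equivalent on mysqli).

```php
<?php
// Added example (not from the thread): one lookup written three ways.
// In-memory SQLite via PDO so it runs with no MySQL server; the same
// prepare()/execute() calls work unchanged against a MySQL DSN.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO people (name) VALUES ('O''Brien'), ('Smith')");

// Constructed input, as it might arrive in $_POST['name'] from a free-text
// field that must accept any character.
$input = "O'Brien";

// 1. Raw concatenation: the quote inside the data closes the string literal
//    early and the rest of the value is parsed as SQL. Here that is only a
//    syntax error; with other data it changes what the query does.
try {
    $pdo->query("SELECT name FROM people WHERE name = '" . $input . "'");
    echo "raw: no error\n";
} catch (PDOException $e) {
    echo "raw: query broken by the quote in the data -> " . $e->getMessage() . "\n";
}

// 2. Escaping, as the thread recommends. The driver's own quoting knows the
//    connection's charset and quoting rules; addslashes() does not, which is
//    why the driver function is the safer choice when escaping is used at all.
$escaped = $pdo->quote($input);   // SQLite doubles the quote: 'O''Brien'
$row = $pdo->query("SELECT name FROM people WHERE name = " . $escaped)
           ->fetch(PDO::FETCH_ASSOC);
echo "escaped: found " . $row['name'] . "\n";

// 3. Bound parameters (the PHP equivalent of the Perl example the question
//    mentions): the value is sent separately from the SQL text, so it can
//    contain any character and no filtering of the field is needed.
$stmt = $pdo->prepare("SELECT name FROM people WHERE name = :name");
$stmt->execute([':name' => $input]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo "bound: found " . $row['name'] . "\n";
```

Run it with `php example.php`; it needs only the pdo_sqlite extension, which is bundled with PHP. The third form is the one that answers the original question directly: because the value never becomes part of the query text, the question of which characters to allow in the field does not arise on the SQL side.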

Postby bezmond » Mon May 09, 2005 6:04 am

Also try using the strip_tags() function - I find this very useful for removing unwanted HTML tags (I don't want links or bold being posted!)

Andrew
bezmond
Moderator
Posts: 312
Joined: Sat Apr 05, 2003 4:33 am
Location: Mansfield, UK
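As an added example, not bezmond's own code: what strip_tags() drops and keeps for a constructed comment, beside htmlspecialchars(), which keeps the text as typed and only makes it inert at the moment it is displayed. The sample comment and the example.invalid link are constructed for the demonstration.

```php
<?php
// Added example (not from the thread): handling a free-text field that must
// accept any character but must not be rendered as HTML when shown again.

// Constructed sample input, as it might arrive in $_POST['comment'].
$comment = 'Hello <b>world</b>, see <a href="http://example.invalid/">this</a> & O\'Brien';

// strip_tags() removes the markup and keeps the text that was between the
// tags, so the bold and the link are gone but the words remain.
echo "strip_tags:       " . strip_tags($comment) . "\n";

// The second argument is an allow-list: <b> survives, <a> is still removed.
echo "strip_tags(<b>):  " . strip_tags($comment, '<b>') . "\n";

// htmlspecialchars() changes nothing about what is stored; applied at output
// time it turns <, >, &, " and ' into entities so the browser shows them as
// text. This is the usual choice when the original text must be kept intact.
echo "htmlspecialchars: " . htmlspecialchars($comment, ENT_QUOTES, 'UTF-8') . "\n";

// Neither function does anything for the SQL side of this thread: that is
// handled by bound parameters or the driver's escaping where the query is built.
```

Stripping at input time and encoding at output time solve different problems; a field that must preserve what the user typed is better stored unchanged and encoded when displayed, while strip_tags() is the right tool when markup should never be accepted at all.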
