Preventing attacks when you cannot filter data

Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!


victor123
New php-forum User
Posts: 192
Joined: Mon Sep 06, 2004 1:23 am
Location: Madrid, Spain


Postby victor123 » Sun Apr 03, 2005 10:12 am

I have read the sticky posts; I am developing a site in PHP+MySQL. Because of the characteristics of the fields I am dealing with, it is not possible to filter them, so another type of approach must be used.
I read the example of bound parameters. Unfortunately, it is Perl, not PHP. Could somebody give me some clues as to how to prevent attacks when the fields in the form cannot be filtered?
Many thanks in advance.
Cheers.

nickk
New php-forum User
Posts: 36
Joined: Sat Nov 29, 2003 6:57 am

Postby nickk » Wed May 04, 2005 1:00 pm

Hmm, I am interested to hear why you cannot filter them; what kind of field is this? More info could help us solve your problem.

victor123
New php-forum User
Posts: 192
Joined: Mon Sep 06, 2004 1:23 am
Location: Madrid, Spain

Postby victor123 » Sun May 08, 2005 3:47 am

Hi,

By filtering I mean the following:

Many fields in a form (e.g. phone) contain only certain characters, so you can check whether the fields you receive are correct or not (a first check on the client and a security check on the server). Thus, on the server side I filter all fields, checking their validity.

The problem is that some fields cannot be checked because you have to allow all characters. These fields are a threat because anyone can insert SQL code. At this moment, the only solution I have come up with is checking these fields for occurrences of certain SQL words (such as insert, delete, select, drop and so on). I believe this is not very efficient, and that was the reason for my posting.

Thanks a lot.

nickk
New php-forum User
Posts: 36
Joined: Sat Nov 29, 2003 6:57 am

Postby nickk » Sun May 08, 2005 5:10 am

If I understand correctly, you have input fields which are used in SQL queries. If this is the case (and you are using MySQL), there is a function, addslashes(), that adds a / in front of all characters that could cause an SQL injection. The / escapes the character in front of it so MySQL does not parse it. When you are retrieving the data that you did addslashes() on, you use the function stripslashes() to remove these /.

Alexej Kubarev
Site Admin
Posts: 2223
Joined: Fri Mar 05, 2004 7:15 am
Location: Täby, Stockholms län

Postby Alexej Kubarev » Sun May 08, 2005 5:14 am

Well... the problem can be fixed by simply adding slashes (addslashes() or addcslashes()) to the user data and enclosing everything with '

This will give you the security you need.

the query would look like this:


<?php
// Escape the submitted value and enclose it in single quotes in the SQL text.
$sql = "SELECT * FROM table WHERE field_name = '" . addslashes($_POST['field_name_or_something']) . "'";
?>

Alexej Kubarev
Site Admin
Posts: 2223
Joined: Fri Mar 05, 2004 7:15 am
Location: Täby, Stockholms län

Postby Alexej Kubarev » Sun May 08, 2005 5:15 am

nickk is almost right.. it actually adds a / in front of every single/double quote.

victor123
New php-forum User
Posts: 192
Joined: Mon Sep 06, 2004 1:23 am
Location: Madrid, Spain

Postby victor123 » Mon May 09, 2005 1:10 am

All right, many thanks to you both. Is it more convenient to use addslashes() or mysql_escape_string()?

Thanks again.

Alexej Kubarev
Site Admin
Posts: 2223
Joined: Fri Mar 05, 2004 7:15 am
Location: Täby, Stockholms län

Postby Alexej Kubarev » Mon May 09, 2005 5:28 am

Hmmz... I would say adding slashes... but that, however, is more up to you...
Adding slashes will make it a bit more portable, in my opinion.
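The bound-parameter approach victor123 asked about at the top of the thread, written in PHP with PDO, shown beside the addslashes() query discussed in the replies above. This is an added example, not code posted by anyone in the thread; the table and column names, the DSN and the credentials are placeholders.

```php
<?php
// Added example, not from the thread. Placeholder schema: table `users`,
// column `field_name`; the DSN and credentials below are placeholders too.

// 1. Vulnerable: the form value is spliced into the SQL text. A single
//    quote in $input ends the string literal early and whatever follows
//    is parsed as SQL, which is the risk victor123 describes.
function findVulnerable(PDO $db, string $input): array
{
    $sql = "SELECT * FROM users WHERE field_name = '" . $input . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Escaping, as suggested in the thread: addslashes() puts a backslash
//    before ' " \ and NUL, so a quote in $input stays inside the literal.
//    It knows nothing about the connection's character set, and it only
//    helps when the value really is enclosed in quotes in the SQL text.
function findEscaped(PDO $db, string $input): array
{
    $sql = "SELECT * FROM users WHERE field_name = '" . addslashes($input) . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Bound parameters: the SQL text is sent first and the value separately,
//    so no character in $input can change the statement. The field needs
//    no character filtering for this purpose; validate it for business
//    rules (length, format) only.
function findBound(PDO $db, string $input): array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE field_name = ?');
    $stmt->execute([$input]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4', // placeholder DSN
    'dbuser',                                           // placeholder user
    'dbpass',                                           // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);
$rows = findBound($db, $_POST['field_name'] ?? '');
```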

bezmond
Moderator
Posts: 312
Joined: Sat Apr 05, 2003 4:33 am
Location: Mansfield, UK

Postby bezmond » Mon May 09, 2005 6:04 am

Also try using the strip_tags() function - I find this very useful for removing unwanted HTML tags (I don't want links or bold being posted!).

Andrew

