
Thread: SQL Injection

  1. #1
     SitePoint Enthusiast (Join Date: Aug 2004; Location: Memphis; Posts: 30)

    SQL Injection

    Hi there!

    Can anyone shed some light on how one can reduce SQL injection attacks? What code needs to be modified so that we can get rid of this kind of attack? And also, is it possible to track the attacker?

    Any suggestion is most welcome.

    With thanks!
    Newkid!

  2. #2
     SitePoint Zealot, Overunner (Join Date: Mar 2004; Location: Sweden; Posts: 180)
    Simply apply the function 'addslashes' to the $_GET/$_POST variables you are going to use in your database query (don't rely on magic_quotes being on... in fact it should be off). I think it is also possible to protect yourself against SQL injections by adding single quotes to the variables(?), but I'm absolutely not sure.

    And yes, it is possible to track the attacker by reading the log file your web server generates. This can however be tricky depending on how well the hacker has masqueraded his/her IP by proxies (or chains of proxies).
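As an added illustration of this reply (example code, not from the thread or its posters), the script below shows what addslashes() does to a value before it is interpolated into a query string, and the two checks a practitioner should make when relying on it: the escaped value must end up inside quotes in the SQL, and values compared without quotes (numeric ids) should be cast rather than escaped. It also shows the driver's own quote() method, which applies the escaping rules of the database actually in use (SQLite doubles the quote, MySQL backslashes it) and adds the surrounding quotes itself. The $_POST contents are constructed sample input, and the PDO SQLite driver is assumed to be available for the quote() comparison.

```php
<?php
// Added example, not code from the thread. Demonstrates addslashes() on a
// value destined for a query string, the quoting-context caveat, and the
// database-aware alternative PDO::quote(). $_POST is constructed sample input.

$_POST = ['name' => "O'Brien", 'id' => '42abc'];

function buildNameQuery(string $rawName): string
{
    // addslashes() prefixes ' " \ and NUL with a backslash, which is the
    // escaping MySQL understands inside a quoted string literal. It only
    // helps because the value is placed between quotes in the SQL below.
    $escaped = addslashes($rawName);
    return "SELECT id FROM users WHERE name = '$escaped'";
}

function buildIdQuery(string $rawId): string
{
    // For a column compared WITHOUT quotes, escaping achieves nothing: there
    // may be no quote characters in the input to escape, yet whatever text is
    // there is still pasted into the statement. Casting to int guarantees the
    // interpolated text is a bare integer ('42abc' becomes 42, 'x' becomes 0).
    $id = (int) $rawId;
    return "SELECT name FROM users WHERE id = $id";
}

function buildNameQueryForDriver(PDO $db, string $rawName): string
{
    // The driver's quote() applies the rules of THAT database (SQLite: 'O''Brien',
    // MySQL: 'O\'Brien') and emits the surrounding quotes itself, so the caller
    // cannot forget them. addslashes() output would be wrong for SQLite.
    return 'SELECT id FROM users WHERE name = ' . $db->quote($rawName);
}

echo buildNameQuery($_POST['name']), "\n";
echo buildIdQuery($_POST['id']), "\n";

// Assumes the pdo_sqlite extension; an in-memory database needs no setup.
$db = new PDO('sqlite::memory:');
echo buildNameQueryForDriver($db, $_POST['name']), "\n";
```

Two further caveats belong with this approach: if magic_quotes_gpc happens to be on, the request values arrive already escaped and addslashes() doubles the backslashes, which is why the reply says it should be off; and addslashes() knows nothing about the connection's character set, so a database-aware function (mysql_real_escape_string() at the time, or PDO::quote() as above) is the better choice where escaping is used at all.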

  3. #3
     Employed Again, Viflux (Join Date: May 2003; Location: London, On.; Posts: 1,127)
    Read this thread for starters...

    http://www.sitepoint.com/forums/showthread.php?t=54074

    There are some good pointers in there about how to prevent such attacks, as well as some other good tips.

    I'm sure a forum search will reveal more info.

    The key to preventing SQL injection attacks is to validate any and all user input, BEFORE attempting to perform an SQL query with it. Part of this includes making appropriate use of the addslashes() function, but you'll probably also want to strip out unwanted characters, tags, or other items.

    Basically, if you follow good programming habits (validate input, declare variables, prepare SQL data, etc.), you are severely limiting the possibility of any kind of SQL injection attack.

    As for tracking the attacker, it is indeed very possible. You can do this through either your web server logs or some kind of stat-tracking program.
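The validate-before-query advice in this reply, as an added example (not the poster's code): each request parameter is checked against an explicit whitelist of what it may contain and is rejected outright if it does not match, rather than "cleaned" into something that might still be dangerous. Rejected input is logged together with the client address and URI so the attempt can later be matched against the web server's access log, which is the tracking route both replies mention. It assumes PHP 7.1 or newer; the $_POST and $_SERVER values are constructed sample data.

```php
<?php
// Added example, not code from the thread. Whitelist validation of request
// parameters BEFORE any query is built, plus logging of rejected input with
// the client address for later correlation with the access log.
// $_POST and the $_SERVER entries below are constructed sample data.

function validateParams(array $input): array
{
    $errors = [];
    $clean  = [];

    // Numeric id: digits only, then cast. ctype_digit() rejects '', '-1', '1e3'.
    if (isset($input['id']) && ctype_digit($input['id'])) {
        $clean['id'] = (int) $input['id'];
    } else {
        $errors[] = 'id';
    }

    // Username: an explicit allowed alphabet and length. Anything else is
    // rejected, so quotes, tags and comment sequences never reach the query.
    if (isset($input['user']) && preg_match('/^[A-Za-z0-9_]{3,20}$/', $input['user'])) {
        $clean['user'] = $input['user'];
    } else {
        $errors[] = 'user';
    }

    // Email: PHP's own validator rather than a hand-rolled regex.
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email !== false) {
        $clean['email'] = $email;
    } else {
        $errors[] = 'email';
    }

    return [$clean, $errors];
}

function logRejected(array $errors, string $remoteAddr, string $uri): void
{
    // Record WHICH fields failed and WHO sent them. The raw values are left
    // out on purpose: they may hold a payload or a legitimate user's secret.
    error_log(sprintf('[input-rejected] ip=%s uri=%s fields=%s',
        $remoteAddr, $uri, implode(',', $errors)));
}

// Constructed sample request: 'user' fails the whitelist because of the '!'.
$_POST   = ['id' => '17', 'user' => 'newkid!', 'email' => 'ob@example.com'];
$_SERVER += ['REMOTE_ADDR' => '203.0.113.5', 'REQUEST_URI' => '/profile.php'];

[$clean, $errors] = validateParams($_POST);
if ($errors) {
    logRejected($errors, $_SERVER['REMOTE_ADDR'], $_SERVER['REQUEST_URI']);
    http_response_code(400);
    exit('Invalid input.');
}
// Only $clean is used from this point on; $_POST is never touched again.
```

The log line carries the client IP and the request URI but not the submitted value; the access log already holds the full request, and the application log should point at it rather than duplicate it. As the earlier reply notes, the recorded address may be a proxy, so treat it as a lead for correlation rather than an identity.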

  4. #4
     SitePoint Guru (Join Date: Jul 2004; Location: Raleigh, NC; Posts: 783)
    I found a great whitepaper on the subject. I posted a link to it in this thread: http://www.sitepoint.com/forums/showthread.php?t=191434

  5. #5
     SitePoint Enthusiast (Join Date: Aug 2004; Location: around; Posts: 72)
    Any abstraction layer with prepared statements will go a long way to stopping injection attacks.
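To show what this reply recommends in working code (an added example, not the poster's or any project's code), the script below uses PDO, the abstraction layer bundled with PHP, against an in-memory SQLite database. With a prepared statement the parameter value travels separately from the SQL text, so a name containing an apostrophe is matched literally and no escaping is needed. The second function covers the one thing placeholders cannot do, binding an identifier such as an ORDER BY column, which has to go through a whitelist instead. It assumes PHP 7.1 or newer with the pdo_sqlite driver; the table, rows and $_GET values are constructed.

```php
<?php
// Added example, not code from the thread. Prepared statements via PDO with
// an in-memory SQLite database (assumes pdo_sqlite). Table rows and the $_GET
// values are constructed sample data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO users (id, name, email) VALUES
           (1, 'Alice', 'alice@example.com'),
           (2, 'O''Brien', 'ob@example.com')");

function findUserByName(PDO $db, string $name): ?array
{
    // The value is bound, not interpolated: the SQL text the engine parses is
    // fixed, and "O'Brien" (quote included) is compared as plain data.
    $stmt = $db->prepare('SELECT id, name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function listUsersSorted(PDO $db, string $requestedColumn): array
{
    // Placeholders bind VALUES only, never identifiers. A column name that
    // comes from the request is mapped through a whitelist, so the string
    // spliced into the statement is always one of our own literals.
    $allowed = ['name' => 'name', 'email' => 'email'];
    $column  = $allowed[$requestedColumn] ?? 'name';
    $stmt    = $db->query("SELECT id, name FROM users ORDER BY $column");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request data; in a real script this is the actual $_GET.
$_GET = ['name' => "O'Brien", 'sort' => 'email'];

print_r(findUserByName($db, $_GET['name']));
print_r(listUsersSorted($db, $_GET['sort']));
```

With the MySQL driver, also set PDO::ATTR_EMULATE_PREPARES to false so the statement is prepared on the server rather than assembled client-side as a string; the SQLite driver always prepares natively.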

