  1. #26
    SitePoint Zealot
    Join Date
    Jul 2002
    Posts
    144
    Thanks for the link bbolte, I read that one already (I think it was a link in previous posts). That article mainly covers ASP. Of course, it's still good to know if I need to use ASP in other projects. But as of now, I am looking for PHP resources. I have found some, like the articles and posts that Dr. Pepper and HarryF have made.

    ex. magic quotes are a NO NO
    so I use the addslashes()
    and the ereg_replace( ) to replace any suspicious characters.

    I hope I am using the right tools..


    Spaz
    Just a little boy trying to make his way into the world...
    ~~~Spaz Boy
    Programmer + Gamer = ProGamer

  2. #27
    SitePoint Member
    Join Date
    Aug 2002
    Posts
    12

    Uh, PHP functions?

    I'll feel really stupid if anyone has already answered this and I somehow didn't realize it, but are there any handy PHP equivalents to the ASP functions all those articles seem to be using? Such as one that replaces the ' with ''. Also, is there an easy way to see if there are certain characters in the user input that we might want to keep out? I'm new to this--please, don't yell at me.
    Antonaki Kouklaki of
    Antonios Demetrios
    www.antometrios.cjb.net

  3. #28
    The doctor is in... MarcusJT
    Join Date
    Jan 2002
    Location
    London
    Posts
    3,509
    Here's another ASP-orientated one, although as ever, the same principles apply to all development platforms...

    http://www.4guysfromrolla.com/webtech/112702-1.shtml
    MarcusJT
    - former ASP web developer / former SPF "ASP Guru"
    - *very* old blog with some useful ASP code

    - Please think, Google, and search these forums before posting!

  4. #29
    The doctor is in... MarcusJT
    Join Date
    Jan 2002
    Location
    London
    Posts
    3,509
    And another, specifically on using MSSQL stored procedures to avoid injection attacks:
    http://aspalliance.com/385
    MarcusJT
    - former ASP web developer / former SPF "ASP Guru"
    - *very* old blog with some useful ASP code

    - Please think, Google, and search these forums before posting!

  5. #30
    SitePoint Addict marycp
    Join Date
    Feb 2003
    Location
    Monroe, CT
    Posts
    229
    ColdFusion has protection against this by using <CFQUERYPARAM...> to ensure that the data meets the requirements. You can <CFTRY> and catch the error. It can mean the end of your data if someone sends in a delete command as an ID.

  6. #31
    SitePoint Addict
    Join Date
    Mar 2004
    Location
    Europe
    Posts
    214


    I'm using php/mySQL.

    I have a site that has no accounts and no way for a user to (legally) write to the database; it only lets the user query a database.

    Simple Q: Can php/mysql write privileges be set so that there is no way for injections to alter the database? (i.e. the only way to alter the db is to log into the host account and use phpAdmin).
    all code tested in:
    FireFox0.9, Opera7.51, Mozilla1.7, InternetExplorer5+6

  7. #32
    The doctor is in... MarcusJT
    Join Date
    Jan 2002
    Location
    London
    Posts
    3,509
    Hot off the presses (so hot, it's dated September, but it's only August the 20th):

    MSDN: Stop SQL Injection Attacks Before They Stop You

    MarcusJT
    - former ASP web developer / former SPF "ASP Guru"
    - *very* old blog with some useful ASP code

    - Please think, Google, and search these forums before posting!

  8. #33
    SitePoint Guru hgilbert
    Join Date
    Dec 2004
    Location
    London
    Posts
    839
    go stored procedure

    that is one thing that keeps me off mySQL and PHP to a certain extent
    you have to be very aware of security issues here
    when mySQL presents something akin to stored procedures I will jump in

  9. #34
    secure webapps for all Aleksejs
    Join Date
    Apr 2008
    Location
    Riga, Latvia
    Posts
    755
    How to write injection-proof PL/SQL
    67 pages on the matter

  10. #35
    SitePoint Member
    Join Date
    Sep 2008
    Posts
    4
    Quote Originally Posted by MarcusJT:
    I thought I'd better make sure that everyone is aware of a particular class of security vulnerabilities called malicious SQL code injections. While there are many other security vulnerabilities, these Here's a few sites to start you off (!):
    M@rco
    If you use parameters in your query, then there is no chance of SQL injection. You can also use LINQ.

  11. #36
    secure webapps for all Aleksejs
    Join Date
    Apr 2008
    Location
    Riga, Latvia
    Posts
    755

  12. #37
    SQL Consultant r937
    Join Date
    Jul 2002
    Location
    Toronto, Canada
    Posts
    39,338
    Quote Originally Posted by Aleksejs:
    10 seconds of lame singing to find the back button

    cute idea, though

    rudy.ca | @rudydotca
    Buy my SitePoint book: Simply SQL
    "giving out my real stuffs"

  13. #38
    SitePoint Member
    Join Date
    Oct 2010
    Posts
    6
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Setup and execute all queries as stored procedures. The way SQL parameters are passed prevents the use of apostrophes and hyphens in a way that would allow an injection attack to occur. In addition, it allows database permissions to be restricted to only allow specific procedures to be executed. All user input must then fit into the context of the procedure being called and it is less likely an injection attack could occur.

  14. #39
    SitePoint Zealot Amit Yaron
    Join Date
    Jan 2011
    Location
    Hod Haharon, Israel
    Posts
    107


    If possible, use HereDoc or NowDoc, which escapes input strings.
    When the input string is escaped a query won't look like
    SELECT *
    FROM users
    WHERE username='admin'; -- '
    AND password = ....

    (username='admin' and the rest is a comment.)

    NowDoc, will make it:
    SELECT *
    FROM users
    WHERE username='admin\';--' ...
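
    The `admin'; --` username from the post above, run against a string-concatenated query, a manually escaped one (what the quote-doubling / addslashes() approach from earlier in the thread does), and a parameterised one (the approach recommended in post #35), as an added example in Python with sqlite3. This is not the poster's code; the users table and its password are constructed for the demo.

```python
import sqlite3

# Constructed sample database: one user, plaintext password purely for the demo.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    con.commit()
    return con

def login_concat(con, username, password):
    # Vulnerable: user input is spliced into the SQL text, so the quote and
    # comment sequence in the username turn the password check into a comment.
    sql = ("SELECT username FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    return [row[0] for row in con.execute(sql)]

def login_escaped(con, username, password):
    # Manual escaping by doubling single quotes (the effect addslashes()-style
    # code aims for). It stops this payload, but every call site must remember
    # to do it and non-string columns are not covered; prefer placeholders.
    esc = lambda s: s.replace("'", "''")
    sql = ("SELECT username FROM users WHERE username='" + esc(username)
           + "' AND password='" + esc(password) + "'")
    return [row[0] for row in con.execute(sql)]

def login_param(con, username, password):
    # Safe: placeholders send the values separately from the SQL text, so a
    # quote or '--' inside the input is only ever data, never syntax.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in con.execute(sql, (username, password))]

PAYLOAD = "admin'; --"   # the username shown in the post above

def demo():
    con = make_db()
    return {
        "concat": login_concat(con, PAYLOAD, "wrong"),    # logs in without the password
        "escaped": login_escaped(con, PAYLOAD, "wrong"),  # no match
        "param": login_param(con, PAYLOAD, "wrong"),      # no match
        "legit": login_param(con, "admin", "s3cret"),     # real credentials still work
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:8} -> {rows}")
```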

  15. #40
    SQL Consultant r937
    Join Date
    Jul 2002
    Location
    Toronto, Canada
    Posts
    39,338
    Quote Originally Posted by Amit Yaron:
    If possible, use HereDoc or NowDoc
    you might want to explain which language(s) these are available in
    rudy.ca | @rudydotca
    Buy my SitePoint book: Simply SQL
    "giving out my real stuffs"

  16. #41
    SitePoint Zealot Amit Yaron
    Join Date
    Jan 2011
    Location
    Hod Haharon, Israel
    Posts
    107
    Quote Originally Posted by r937:
    you might want to explain which language(s) these are available in
    You are right. I know of two languages that support HereDoc and NowDoc:
    PHP and Ruby.

    In PHP, you would use:
    $myString=<<<EOS
    .
    .
    .
    EOS;

    OR <<<'EOS';

    In Ruby, you would use '<<' instead of '<<<'.

  17. #42
    SitePoint Member
    Join Date
    Mar 2011
    Posts
    1
    go stored procedure

    that is one thing that keeps me off mySQL and PHP to a certain extent
    you have to be very aware of security issues here
    when mySQL presents something akin to stored procedures I will jump in

  18. #43
    SQL Consultant r937
    Join Date
    Jul 2002
    Location
    Toronto, Canada
    Posts
    39,338
    Quote Originally Posted by badmood:
    when mySQL present something akin to stored procedures I will jump in
    news flash... mysql version 5 supports stored procedures

    mysql version 5 came out in beta in march 2005 and in production release in october 2005

    the time is well overdue for you to jump in

    rudy.ca | @rudydotca
    Buy my SitePoint book: Simply SQL
    "giving out my real stuffs"

  19. #44
    SitePoint Enthusiast
    Join Date
    Jun 2004
    Location
    Pennsylvania
    Posts
    51
    Great discussion.

    How much overhead will it create if a coder were to create an abstract layer that performed security checks on any data that was to be passed to the database? What I mean is, if every form or user input were to be passed to a security object that would then scrutinize the data before returning it to the database update routine, would it add significant overhead to the performance of the script?

