Stopping MySQL and PHP Injections.

caiba
Posts: 128
Joined: Sun Jul 03, 2005 8:49 am

Stopping MySQL and PHP Injections.

Post by caiba »

Hopefully in this chapter I will show you a great way to stop MySQL and PHP Injections.

What is a MySQL/PHP Injection?
This is really difficult to explain without a good few screen shots, or a lovely little video. But basically it's when someone sends data to your file (via a form or the URL) to make a mess of your page. Most commonly people will use it to exploit your server and/or steal your database.

Why Protect Myself?
Trust me, one day a user will (maybe not even on purpose) end up injecting your site. It's always better to be secure than unsafe, right?

How do they do it?
It's quite simple really (if you do not protect yourself). Say you're using the code below:


PHP Code:

<?php # Form File V1.0
$field = $_REQUEST['field']; // get form information (from GET, POST or cookie).

echo $field; // echo it! (exploit may happen here).
?>
Now if I managed to, say, send the character ';' to your file, I could really make a mess of your script.

Oh Noes! How do I stop this!
There are many levels of security you could use. But to keep it simple I shall build you up to good security. First things first, let's tell the script to get the information from where we want it.


PHP Code:

<?php # Form File V1.1
$field = $_POST['field']; // get form information (POST only, not the URL).

echo $field; // echo it! (exploit may happen here).
?>

It's a good idea to stop people maybe messing with their URL and doing something on your page. That, and I always find that posting forms looks far neater.

Now we're still not done, someone could still put an evil little ';', so how do we defend ourselves from this? Easy! Add some quotes around the information. For example:


PHP Code:

<?php # Form File V1.2
$field = $_POST['field']; // get form information.

echo "$field"; // echo it! (double quotes so the value is printed, not the literal text '$field').
?>
Keep in mind, when you add the quotes to the posted information it will add a '\' before the quote (to stop it from processing), so you need to make sure you take it back out when you're planning to echo the information.

This is good enough security for most scripts, but there is still more we can do. We can add a function to double check for an injection. The script will look like the one below:


PHP Code:

<?php # Form File V1.3
// Trim surrounding whitespace and backslash-escape quotes before use.
function make_safe($variable) {
    $variable = addslashes(trim($variable));
    return $variable;
}

$field = make_safe($_POST['field']); // get form information.

echo "$field"; // echo it! (double quotes so the value is printed, not the literal text '$field').
?>

This is good security for a website receiving information from a user.

What more can be done?
I'm glad you're still reading (sorry for the length of this article). There is way more you can do to secure your site (so much so, I would wear down my fingers if I wrote about them any more). The strings you can use to make your received information that little bit more secure are as follows (in no particular order):

strip_tags() - Is a very aggressive tag that will remove all tags.
htmlentities() - Lacks aggressiveness, will convert quotes. Quite useful mind.
htmlspecialchars() - I like this one the most. It will convert tags to their HTML form. For example & would become &amp; which is great!

Another thing you could do, is add lots of 'if(){}' functions to check that your data is correct.

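The handler in the post above, rewritten as an added example (not caiba's code) the way it would be done today: the value is validated on the way in, bound as a parameter of a prepared statement when it reaches the database, and escaped with htmlspecialchars() only at the moment it is echoed. It uses an in-memory SQLite database through PDO so it runs offline; the users table, its rows and the sample submissions are constructed for the demo and stand in for $_POST.

```php
<?php
// Added example, not from the original post. Assumes PHP with the PDO and
// pdo_sqlite extensions (both ship with standard PHP builds).
declare(strict_types=1);

// Accept only what the form is expected to send: a non-empty string of
// bounded length. Anything else is rejected instead of "cleaned".
function read_field(array $post, string $name, int $maxLen = 64): ?string
{
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return null;                      // missing, or an array instead of a string
    }
    $value = trim($post[$name]);
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    return $value;
}

// Escape for HTML output. ENT_QUOTES converts both ' and " so the value is
// safe inside attribute values as well as between tags; ENT_SUBSTITUTE
// replaces invalid UTF-8 rather than returning an empty string.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Query with a prepared statement. The user-supplied string is bound as a
// parameter, so characters such as ' or ; are treated as data, never as SQL.
function find_user(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- demo: constructed database and submissions ---------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

$samples = [                              // constructed stand-ins for $_POST
    ['field' => 'alice'],
    ['field' => "' OR '1'='1"],           // the classic quote-and-OR attempt
    ['field' => '<script>alert(1)</script>'],
    ['field' => ''],
];

foreach ($samples as $post) {
    $field = read_field($post, 'field');
    if ($field === null) {
        echo "rejected input\n";
        continue;
    }
    $rows = find_user($db, $field);
    // Escaping happens here, at output time, not when the value was received.
    printf("%s -> %d row(s)\n", html($field), count($rows));
}
```

The quote-and-OR submission is bound as a literal name and matches nothing, and both it and the script tag are printed in escaped form, which is the difference between this and the addslashes() approach: addslashes() changes the stored data and still leaves the value interpolated into the query text, while a bound parameter never enters the SQL at all.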

kainengland
Posts: 105
Joined: Wed Jul 26, 2006 9:16 am

Post by kainengland »

Where do you put this code?
____________________________________
KainAussie-Owner of habboorange.com