where's the salt?

08/25
2008

SQL injection attacks: Part 3: Securing your forms and preventing SQL injection attempts (PHP/MySQL) (7,239 views)

While the most recent SQL injection attack attempts are targeting MSSQL servers, chances are other databases will be targeted soon.

Of course it is and always has been good practice to double-check input, but maybe these attacks were the wake-up call some developers needed.

Basically every programming language is vulnerable, it is up to the developer and his diligence to secure his applications and prevent the success of such malicious attacks to the best of his knowledge.


Here’s a very simple function everyone can use to scan and clean the input received:

function cleanvals($myval) {
   if(get_magic_quotes_gpc()){
      $myval=stripslashes($myval); 
      //get rid of triple slashes mysql_real_escape_string would create
   }
   return $myval;
}

function cleanup($myinput){
    if(is_array($myinput)){
      foreach($myinput as $key=>$val){
         //echo "$myinput[$key]<br>"; 
         //check old value of $val
         $myinput[$key] = cleanvals($val);
         //echo "$myinput[$key]<br>"; 
         //check new value of $val
      }
	return array_map("mysql_real_escape_string",$myinput);
    }
    else{
      $myinput=cleanvals($myinput);
      return mysql_real_escape_string($myinput);
    }
}

First, we pass all input to cleanup().

Then we check if the input is an array and if it is, the cleanvals() function is called and applied to the value of the array key. If the input is a string, cleanvals() is being applied directly on the string.

cleanvals() simply checks for get_magic_quotes_gpc(), and removes the slashes get_magic_quotes_gpc() might have already added; otherwise we end up with triple slashes later on.

If our input was an array, we return the cleaned array using array_map() which allows us to apply a callback function before returning it.

As our callback function, we use mysql_real_escape_string() which is described as follows:
[quote] Escapes special characters in the unescaped_string , taking into account the current character set of the connection so that it is safe to place it in a mysql_query(). If binary data is to be inserted, this function must be used.

mysql_real_escape_string() calls MySQL’s library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ‘, ” and \x1a.

This function must always (with few exceptions) be used to make data safe before sending a query to MySQL. [/endquote]

If you are using PHP < 4.3.0 you have to use

mysql_escape_string($myinput);

wherever

mysql_real_escape_string($myinput);

is used in the above code.

You can always scan for parameters you definitely don’t want to see in your input in the first place, like DECLARE, CAST, DROP, etc and either replace them during the cleanup process, or call another function to prevent any further execution of your code.

To check for *disallowed* words in your input string and to delete them, simply add

$badbadsql = "(declare)|(cast)|(drop)";
$myval= eregi_replace($badbadsql, "", strtolower($myval));

before

if(get_magic_quotes_gpc()){

I’ve also used strtolower to assure we’re catching UPPER, lower and mixed case statements.

Instead of replacing $badbadsql you can simply call another function to e.g. stop execution of your code and display an alert, record the offender’s IP, blacklist him and send an email to the webmaster – it’s totally up to you.

To use the cleanup function simply call it whenever you receive input and run the input through it:

$_POST=cleanup($_POST);
$_GET=cleanup($_GET);
$_COOKIE=cleanup($_COOKIE);
$_REQUEST=cleanup($_REQUEST);
$_SERVER['QUERY_STRING']=cleanup($_SERVER['QUERY_STRING']);

Tags:

Date posted: Monday, August 25th, 2008 at 2:57 am (9 years, 0 months ago.)
Posted in: business mix, tech mix
Comments RSS Feed Comments RSS Feed
Reply
Ttrackback
About the author:

Nina Khoury is a software engineer, self-described geek and EVP of ninanet site solutions. She founded one of the first online agencies in Austria in 1997, taught at various universities for seven years and now lives in Sin City - Las Vegas, NV.

2 Responses to “SQL injection attacks: Part 3: Securing your forms and preventing SQL injection attempts (PHP/MySQL)”

  1. 1

    Keep up the good work.

    Migdana on November 9th, 2008 at 3:50 pm
  2. 2

    […] UPDATE (8-23-2008): Looking for answers? Check Part 2 UPDATE (8-25-2008): Securing your forms to prevent future attacks […]

    SQL injection attacks: no end in sight? [internet mix] on March 13th, 2010 at 8:04 am

Leave a Reply


search

Categories

Send this to friend