08/25
2008
SQL injection attacks: Part 3: Securing your forms and preventing SQL injection attempts (PHP/MySQL) (7,317 views)
While the most recent SQL injection attack attempts are targeting MSSQL servers, chances are other databases will be targeted soon.
Of course it is and always has been good practice to double-check input, but maybe these attacks were the wake-up call some developers needed.
Basically every programming language is vulnerable, it is up to the developer and his diligence to secure his applications and prevent the success of such malicious attacks to the best of his knowledge.
Here’s a very simple function everyone can use to scan and clean the input received:
function cleanvals($myval) { if(get_magic_quotes_gpc()){ $myval=stripslashes($myval); //get rid of triple slashes mysql_real_escape_string would create } return $myval; } function cleanup($myinput){ if(is_array($myinput)){ foreach($myinput as $key=>$val){ //echo "$myinput[$key]<br>"; //check old value of $val $myinput[$key] = cleanvals($val); //echo "$myinput[$key]<br>"; //check new value of $val } return array_map("mysql_real_escape_string",$myinput); } else{ $myinput=cleanvals($myinput); return mysql_real_escape_string($myinput); } }
First, we pass all input to cleanup().
Then we check if the input is an array and if it is, the cleanvals() function is called and applied to the value of the array key. If the input is a string, cleanvals() is being applied directly on the string.
cleanvals() simply checks for get_magic_quotes_gpc(), and removes the slashes get_magic_quotes_gpc() might have already added; otherwise we end up with triple slashes later on.
If our input was an array, we return the cleaned array using array_map() which allows us to apply a callback function before returning it.
As our callback function, we use mysql_real_escape_string() which is described as follows:
[quote] Escapes special characters in the unescaped_string , taking into account the current character set of the connection so that it is safe to place it in a mysql_query(). If binary data is to be inserted, this function must be used.
mysql_real_escape_string() calls MySQL’s library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ‘, ” and \x1a.
This function must always (with few exceptions) be used to make data safe before sending a query to MySQL. [/endquote]
If you are using PHP < 4.3.0 you have to use
mysql_escape_string($myinput);
wherever
mysql_real_escape_string($myinput);
is used in the above code.
You can always scan for parameters you definitely don’t want to see in your input in the first place, like DECLARE, CAST, DROP, etc and either replace them during the cleanup process, or call another function to prevent any further execution of your code.
To check for *disallowed* words in your input string and to delete them, simply add
$badbadsql = "(declare)|(cast)|(drop)"; $myval= eregi_replace($badbadsql, "", strtolower($myval));
before
if(get_magic_quotes_gpc()){
I’ve also used strtolower to assure we’re catching UPPER, lower and mixed case statements.
Instead of replacing $badbadsql you can simply call another function to e.g. stop execution of your code and display an alert, record the offender’s IP, blacklist him and send an email to the webmaster – it’s totally up to you.
To use the cleanup function simply call it whenever you receive input and run the input through it:
$_POST=cleanup($_POST); $_GET=cleanup($_GET); $_COOKIE=cleanup($_COOKIE); $_REQUEST=cleanup($_REQUEST); $_SERVER['QUERY_STRING']=cleanup($_SERVER['QUERY_STRING']);
Keep up the good work.
[…] UPDATE (8-23-2008): Looking for answers? Check Part 2 UPDATE (8-25-2008): Securing your forms to prevent future attacks […]