Tutorials > SQL injection protection and data validation
Chipmunk (Head Administrator) | Last replied to on Mon May 28, 2007 08:30:58

This is a short tutorial to teach you how to parse out MySQL injection attacks that come from form data or cookie data. It will also teach you how to validate data by stripping out white space, how to not allow spaces in usernames, and the basics of regular expression matching in data validation. First, let's go over how to parse out MySQL injection techniques; this can be done with a few lines of code at the top of every page. Usually you would just write these in a file and include it in all your PHP files.

I use this in all my scripts and have used it as an example many times in my other tutorials but never really explained what it does. This basically 'escapes' all your data correctly whether you have magic_quotes turned on or not. $_GET, $_POST, and $_COOKIE data are always sent as arrays in PHP. The array_map function takes two parameters: the first is a function or callback and the second is an array. array_map will apply the function passed in as the first parameter to all elements of the array passed in as the second parameter. mysql_escape_string is the function we use to parse out MySQL data injection. It essentially escapes the data by inserting slashes. Note that we do this to $_GET, $_POST, and $_COOKIE to clean all possible data that is passed in. The code:

Checks to see if magic quotes is turned on or not in PHP. Magic quotes is a setting that will automatically add slashes and 'clean' your $_POST, $_GET, and $_COOKIE data, but it's not as good as mysql_real_escape_string. Since you don't want to double-escape your data, we have to strip the slashes using the stripslashes() function before we apply mysql_real_escape_string if get_magic_quotes_gpc is turned on. Note that if you are using certain things like foreach loops on $_POST, $_GET, or $_COOKIE data, you may not want to do this as it does change all the array data. Note that you can also use the same technique and put something like:

to parse out HTML injections, but that means that none of your POST data will have HTML commands in it. OK, now that we have covered SQL injections, we will go over some basic data validation. For these examples, we will assume that you have passed in the variable $users from a form that represents the user's name. First we want to make sure the data isn't blank, so we do:

First we take the post information of users and store it in $users, then trim() trims off all the leading and ending whitespace. After trimming off the whitespace, we use strlen(), which counts the number of characters in the string. If that number is less than 1, which means it's empty, we display a message saying that they didn't submit any data. Next, we will see how to disallow those annoying spaces within usernames. Many times, login names with spaces cause trouble and lead the way to vulnerabilities.

We introduce the substr_count() function, which takes two parameters: the variable you want to check and a character, in this case a space. The function counts how many times the character occurs within the variable. Our if statement says that if a space occurs more than zero times within the variable, then we print out a message stating that spaces are not allowed in usernames. Now on to the last part, regular expression validating. Regular expression validating is the best and most powerful way of validating data. In this example, you will learn how to only accept alphanumeric data.

preg_match is PHP's regular expression matching function; it takes two parameters: the pattern you want to match, and the data you want to match on. This particular pattern returns true if the variable $users only contains alphanumeric data. Say you want to allow spaces in the middle of the name but not at the end or beginning, and you also want to allow underscores and hyphens (which is pretty common online); then you would do the following.

As you can see, we have added the {0,1} between alphanumerics to allow spaces and also have added hyphens and underscores in the pattern to allow those. That's all for this tutorial. Taking these simple steps will prevent many exploits in your scripts.
-----------------------------
Chipmunk, Supreme Administrator
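The following is an added example, not the code from Chipmunk's post (the post's own snippets did not survive extraction). It puts the steps above into one runnable script: the magic_quotes check plus stripslashes(), the array_map() pass over the request data (done recursively here, so nested fields such as tags[] are covered, which the post does not discuss), and the trim()/strlen(), substr_count() and preg_match() checks on a username. Assumptions: the request is a constructed $post array rather than the real $_POST, no database is connected, and mysql_real_escape_string() is replaced by a local mysql_escape_stub() that performs the same byte substitutions without the connection character-set handling the real function does. The mysql_* extension no longer exists in PHP 7 and later; on current PHP, prepared statements through PDO or MySQLi remove the need for this escaping step altogether. The regex patterns are my rendering of the rules described, not the post's own patterns.

```php
<?php
// Added example (not code from the original post). Reproduces the steps the
// tutorial describes: undo magic_quotes_gpc, escape every element of the
// request arrays, then validate a username with trim(), strlen(),
// substr_count() and preg_match(). No database is opened, so
// mysql_real_escape_string() is stood in for by mysql_escape_stub().

// Stand-in for mysql_real_escape_string(): the seven characters MySQL needs
// escaped inside a quoted string literal. Unlike the real function it knows
// nothing about the connection character set (assumption: single-byte data).
function mysql_escape_stub($value) {
    return strtr($value, array(
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\x1a" => "\\Z",
    ));
}

// Recursive version of the array_map() idea so nested inputs such as
// tags[] are covered too. stripslashes() runs first only when
// magic_quotes_gpc is on (PHP < 5.4), to avoid double-escaping.
function escape_gpc($data) {
    if (is_array($data)) {
        return array_map('escape_gpc', $data);   // keys are preserved
    }
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $data = stripslashes($data);
    }
    return mysql_escape_stub($data);
}

// Username rules from the tutorial: not blank after trimming, no spaces,
// letters and digits only. Returns null when valid, else an error message.
function validate_username($raw) {
    $users = trim($raw);
    if (strlen($users) < 1) {
        return 'You did not submit a username.';
    }
    if (substr_count($users, ' ') > 0) {
        return 'Spaces are not allowed in usernames.';
    }
    // \z instead of $: in PCRE, $ also matches just before a trailing
    // newline, so "alice\n" would pass a $-anchored pattern without trim().
    if (!preg_match('/^[A-Za-z0-9]+\z/', $users)) {
        return 'Usernames may contain only letters and digits.';
    }
    return null;
}

// Looser variant: single spaces allowed between words but not at either
// end, and hyphens/underscores allowed. Deliberately not trimmed, so the
// leading/trailing-space rule is enforced by the pattern itself.
function validate_display_name($raw) {
    if (!preg_match('/^[A-Za-z0-9_-]+(?: [A-Za-z0-9_-]+)*\z/', $raw)) {
        return 'Display names: letters, digits, - and _, single spaces between words.';
    }
    return null;
}

// Constructed request data standing in for $_POST.
$post = array(
    'users'    => "  admin' OR '1'='1  ",
    'password' => "pa\\ss\"word",
    'tags'     => array("a\nb", "c'd"),
);

$clean = escape_gpc($post);
echo "escaped users:    ", $clean['users'], "\n";
echo "escaped password: ", $clean['password'], "\n";
echo "escaped tags:     ", implode(' | ', $clean['tags']), "\n";

// The escaped value is only safe inside a quoted literal; escaping does
// nothing for an unquoted numeric context, where the value must be cast
// with intval() or rejected instead.
echo "query: SELECT * FROM users WHERE name = '", $clean['users'], "'\n";

foreach (array("  ", "john smith", "john;", "john_doe", "  jane  ") as $name) {
    $err = validate_username($name);
    printf("%-14s -> %s\n", json_encode($name), $err === null ? 'ok' : $err);
}
foreach (array("john smith", " john", "jo  hn", "mary-ann_7") as $name) {
    $err = validate_display_name($name);
    printf("%-14s -> %s\n", json_encode($name), $err === null ? 'ok' : $err);
}
```

Run it with `php escape_and_validate.php`. The point to take from the last two loops is that each rule is an allow-list on the final, trimmed value; a deny-list of "bad" characters would have to be extended every time a new trick turns up, whereas `^[A-Za-z0-9]+\z` only ever admits what the application actually needs.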
LegosJedi (member) | Posted at Thu Apr 12, 2007 08:50:47

There are some other ways to prevent SQL injection. If you have a variable that needs to be an integer, you can use intval() to make sure that it is an integer. Another thing is to pretty much never have "register_globals" on. What this means is it will globalize certain variables. It would turn $_GET['var'] into $var. While this may seem good, consider the following script that would have "register_globals" on:

Now, what would happen if we were to load that script with an extra parameter? (http://www.site.com/script.php?authorized=true) Then, a normal guest will have access to that highly sensitive data.

Summary
- Use intval to make sure a certain variable is an integer.
- Turn "register_globals" off in the PHP ini file.

EDIT: O_o Woah, something is seriously messed up. Are you using strip_tags when a post is edited? I assume that you parse the BB Code before you submit it into the database. To prevent this, you should parse it when the thread is viewed.
-----------------------------
Firefox owns. Period. [url=http://www.firefox.com/]Get Firefox now![/url]
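The script LegosJedi refers to is not on the page, so what follows is an added reconstruction of the pattern described, not their code. register_globals (removed in PHP 5.4) is simulated with extract() over a constructed request array so the script runs on any PHP version; the session array, the variable names and the "SECRET DATA" string are assumptions for the example. The second half covers the intval() point and goes one step beyond the post by showing filter_var(FILTER_VALIDATE_INT), which rejects non-integers instead of silently coercing them to 0.

```php
<?php
// Added example; not the script from the forum post. extract() stands in
// for register_globals, which turned every request key into a variable.

// Vulnerable shape: $authorized is assigned only on the success path and
// never initialised, so with register_globals on, ?authorized=1 sets it.
function page_with_register_globals(array $request, array $session) {
    extract($request, EXTR_SKIP);            // what register_globals did
    if (isset($session['user']) && $session['user'] === 'admin') {
        $authorized = true;
    }
    if (!empty($authorized)) {               // attacker-controlled when undefined
        return 'SECRET DATA';
    }
    return 'access denied';
}

// Fixed shape: initialise every control variable and read state only from
// the place it is expected (here the session). This stays safe even on a
// host that still has register_globals turned on.
function page_fixed(array $request, array $session) {
    $authorized = false;
    if (isset($session['user']) && $session['user'] === 'admin') {
        $authorized = true;
    }
    return $authorized ? 'SECRET DATA' : 'access denied';
}

// Integer parameters: in an unquoted SQL context escaping is useless, so
// coerce with intval() as the post says. intval() keeps leading digits and
// discards the rest, and turns non-numeric input into 0 without complaint.
function query_by_id_intval($id) {
    $id = intval($id);
    return "SELECT name FROM users WHERE id = $id";
}

// Stricter: filter_var() returns false unless the whole string is an
// integer, so the caller can reject the request instead of querying id 0.
function query_by_id_strict($id) {
    $n = filter_var($id, FILTER_VALIDATE_INT);
    if ($n === false) {
        return null;
    }
    return "SELECT name FROM users WHERE id = $n";
}

$guest_session = array();                    // constructed: nobody logged in
$attack = array('authorized' => '1');        // constructed: ?authorized=1
echo "register_globals, guest + ?authorized=1: ",
     page_with_register_globals($attack, $guest_session), "\n";
echo "fixed,            guest + ?authorized=1: ",
     page_fixed($attack, $guest_session), "\n";

foreach (array('7', '7 OR 1=1', 'abc', '-3', '0x1A') as $id) {
    printf("%-12s intval: %-42s strict: %s\n",
        json_encode($id),
        query_by_id_intval($id),
        var_export(query_by_id_strict($id), true));
}
```

The first two lines of output show the same request handled by both page shapes; the loop shows why the strict variant is preferable: "7 OR 1=1" becomes a harmless `id = 7` either way, but "abc" quietly becomes `id = 0` under intval(), while filter_var() lets the code say no.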
Chipmunk (Head Administrator) | Posted at Thu Apr 12, 2007 12:03:23

I do, but strip_tags takes 2 parameters; the 2nd parameter is the tags you allow. I allow some HTML tags so the WYSIWYG will work.
-----------------------------
Chipmunk, Supreme Administrator
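An added example, not the forum's own code, of strip_tags() with its second argument, together with the catch a practitioner needs to know: attributes on the allowed tags are left untouched, so an allow-list of tag names alone does not stop event handlers or javascript: links. The allowed tag list is an assumption for the example; the strict cleaner is my own attribute allow-list layered on top.

```php
<?php
// Added example (not code from the thread). Demonstrates strip_tags() with
// an allowed-tag list and why that alone is not enough for user HTML.

// Tags the WYSIWYG editor is assumed to need (assumption for this example).
define('ALLOWED_TAGS', '<b><i><u><a>');

// What the post describes: everything except the allowed tags is removed.
// The text inside removed tags (e.g. the body of <script>) is kept.
function clean_post_html($html) {
    return strip_tags($html, ALLOWED_TAGS);
}

// Stricter: strip_tags leaves attributes on allowed tags alone, so remove
// them. b/i/u lose all attributes; <a> keeps only an http(s) href in double
// quotes and is otherwise dropped (a stray </a> left behind is harmless).
function clean_post_html_strict($html) {
    $out = strip_tags($html, ALLOWED_TAGS);
    $out = preg_replace('/<(b|i|u)\b[^>]*>/i', '<$1>', $out);
    $out = preg_replace_callback('/<a\b[^>]*>/i', function ($m) {
        if (preg_match('/\bhref\s*=\s*"(https?:\/\/[^"]*)"/i', $m[0], $h)) {
            return '<a href="' . htmlspecialchars($h[1], ENT_QUOTES) . '">';
        }
        return '';
    }, $out);
    return $out;
}

// Constructed inputs: one benign, three carrying script in different places.
$samples = array(
    '<b>bold</b> and <script>alert(1)</script>',
    '<b onmouseover="alert(1)">hover me</b>',
    '<a href="javascript:alert(1)">click</a>',
    '<a href="http://example.com/" onclick="alert(1)">ok link</a>',
);
foreach ($samples as $s) {
    echo "in:     $s\n";
    echo "loose:  ", clean_post_html($s), "\n";
    echo "strict: ", clean_post_html_strict($s), "\n\n";
}
```

The "loose" lines show the second, third and fourth samples surviving strip_tags() with their payloads intact, which is the behaviour to expect whenever the allowed list contains a tag that accepts event-handler or URL attributes. Regex clean-up of the kind shown here is brittle; for anything beyond a tiny tag set, a real HTML sanitizer such as HTML Purifier is the appropriate tool.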
pmt3ddy (member) | Posted at Mon May 28, 2007 08:30:58

Sorry for bumping an old topic, but I would like to say thank you for showing how to prevent these SQL attacks. Since I'm new to coding in PHP I had no idea how to prevent them, and I was a little worried about SQL attacks in the past. This thread deserves two thumbs up.