Old 07-14-2008, 07:34 AM
#1
Novus Mortuus
Paladin (Level 15)
Join Date: Feb 2008
Posts: 321
Question about MySQL Injections

In the forum I've made, I removed the mysql_real_escape_string from the subject and messages, because it's annoying and puts a \ in front of every ', and it looks bad.
But I'm worried about the injections. I've looked them up and tried it myself to see if it can be done. I've tried things like:

' OR 1 '
"' OR 1 '"
"'; INSERT INTO user_info (user_name) VALUES ('INJECTION') '"

etc...

But it doesn't run it; it just prints that out.

So I suppose my question is this:

Would it be okay to leave it like this, or am I just doing it wrong when I try to test the injections, and would it actually be easy to inject something?

Thanks.
__________________
Slowly teaching myself html, css, php, mySQl, etc...
Old 07-14-2008, 09:37 AM
#2
Horus_Kol
Mod of the Underlay
Join Date: Jun 2002
Location: At a desk, hooked up and ready to rock
Posts: 16,213
Quote:
Originally Posted by Novus Mortuus
In the forum I've made, I removed the mysql_real_escape_string from the subject and messages, because it's annoying and puts a \ in front of every ', and it looks bad.
Don't blame mysql_real_escape_string() - blame magic_quotes...

This is an insidious PHP config directive that most servers have switched on, since it was introduced as a "security" feature...
Basically, it forces PHP to escape quotes in strings coming from GET, POST, COOKIE (and in other situations).
And what you're getting, when you use the mysqli escape function, is the effect of a double-escape.

Fixable, though:
http://au.php.net/magic_quotes

And thankfully, it will be dead in PHP 6 (and none too soon, I say)
Old 07-15-2008, 08:37 PM
#3
RogerRamjet
Paladin (Level 15)
Join Date: Aug 2005
Posts: 349
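To make the double-escape concrete, here is an added example (not code from the thread) that traces the apostrophe in a message through the three set-ups discussed above. addslashes() is used as a stand-in for both magic_quotes_gpc and mysql_real_escape_string(), which needs a live connection; for an apostrophe both put the same backslash in front of it.

```php
<?php
// Added example, not code from the thread. addslashes() stands in for both
// magic_quotes_gpc and mysql_real_escape_string(): the latter needs a live
// connection, and for a plain apostrophe both produce the same backslash.

// What magic_quotes_gpc does to every GET/POST/COOKIE value when it is on.
function magic_quotes_effect($raw) {
    return addslashes($raw);
}

// Undo magic quotes exactly once, where the input enters the script.
function undo_magic_quotes($value, $magic_quotes_on) {
    return $magic_quotes_on ? stripslashes($value) : $value;
}

// Escape exactly once, where the value becomes a quoted SQL string literal.
function sql_literal($value) {
    return "'" . addslashes($value) . "'";   // stand-in for mysql_real_escape_string()
}

// The literal that ends up inside the INSERT for a given server setting and
// a given choice of escaping (or not) in the script.
function literal_for($raw, $magic_quotes_on, $script_escapes) {
    $value = $magic_quotes_on ? magic_quotes_effect($raw) : $raw;
    if ($script_escapes) {
        return sql_literal($value);
    }
    return "'" . $value . "'";   // no escaping in the script at all
}

$raw = "it's";
// 1. Magic quotes on + script escapes again (the double-escape the OP saw):
//    'it\\\'s' -> MySQL stores it\'s, and the stray backslash shows on the page.
$double = literal_for($raw, true, true);
// 2. Magic quotes on + no escaping in the script (the OP's "fix"):
//    'it\'s' -> stored correctly, but only the server setting is protecting the
//    query; the same code on a host with magic quotes off yields 'it's', which
//    breaks the statement instead of storing the message.
$only_gpc = literal_for($raw, true, false);
$broken   = literal_for($raw, false, false);
// 3. Strip magic quotes once on input, then escape once at the query:
//    'it\'s' regardless of how the host is configured.
$correct = sql_literal(undo_magic_quotes(magic_quotes_effect($raw), true));
```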
It should be dead in php5 already: default is now OFF. If you are using php5 and some dumb server admin has turned magic quotes on then change host.

As to sql injection attacks, use PDO and you don't have to worry.
Old 07-15-2008, 09:42 PM
#4
Horus_Kol
Mod of the Underlay
Join Date: Jun 2002
Location: At a desk, hooked up and ready to rock
Posts: 16,213
Quote:
Originally Posted by RogerRamjet
It should be dead in php5 already: default is now OFF. If you are using php5 and some dumb server admin has turned magic quotes on then change host.
You're right about it defaulting to OFF, but it isn't dead...

Many hosting services will have it switched on in PHP5 because of legacy issues - or at least, that's the argument...
Personally, I say that the script developer should be responsible for the security of his scripts - and not the end-user/host
Old 07-15-2008, 09:53 PM
#5
RogerRamjet
Paladin (Level 15)
Join Date: Aug 2005
Posts: 349
Quote:
Originally Posted by Horus_Kol
Many hosting services will have it switched on in PHP5 because of legacy issues - or at least, that's the argument...
Which is why I say 'change host' - plenty of hosts out there that don't pull that crap.
Quote:
Originally Posted by Horus_Kol
Personally, I say that the script developer should be responsible for the security of his scripts - and not the end-user/host
Well yes, you can use get_magic_quotes_gpc() in every one of your scripts, especially if you expect to port it about, or sell it on. Personally, I prefer to see this handled at the server level so that your site is not on a server that can be compromised by some other dumb f** no matter how good your own code is.
Old 07-25-2008, 09:17 AM
#6
Vege
Novice
Join Date: Sep 2004
Location: Finland
Posts: 2,706
Now how hard is it to add around 10 lines of code (one function) to your script that is included on every page? IMHO all projects have those.

You should never ever have get_magic_quotes checks in more than one place, and the rest of the code assumes they are off or stripped away.
All data going into the database should have mysql_real_escape_string applied to it if the values being inserted are strings.

In the following example it's useless to use mysql_real_escape_string, as the value doesn't have '' around it because it's an INT being inserted:
$sql = "insert into numbers (nro) values(".mysql_real_escape_string('5').")";

With this you should be OK on every possible server; just call it once in your script to remove the effect of magic_quotes.
Code:
    <?php
    // Only act when the server has magic_quotes_gpc switched on.
    if (get_magic_quotes_gpc()) {
        // Hold the superglobals by reference so they are modified in place.
        $in = array(&$_GET, &$_POST, &$_COOKIE);
        // each() also visits entries appended below, so nested arrays are reached too.
        while (list($k, $v) = each($in)) {
            foreach ($v as $key => $val) {
                if (!is_array($val)) {
                    // Scalar value: remove the slashes magic quotes added.
                    $in[$k][$key] = stripslashes($val);
                    continue;
                }
                // Nested array: queue it (by reference) for a later pass of the while loop.
                $in[] =& $in[$k][$key];
            }
        }
        unset($in);
    }
    ?>
__________________

i hate you
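One way to write the forum insert along the lines of RogerRamjet's post (#3) and Vege's post (#6): PDO prepared statements, magic quotes stripped once on input, and the integer column bound as an integer. This is an added example, not code from the thread; the posts table, its columns, the DSN and the credentials are assumed placeholders, and the sample input is constructed from the OP's own test strings.

```php
<?php
// Added example, not from the thread. Constructed input reuses the test strings
// from post #1 to show that a prepared statement stores them as plain text.
// Table/column names and the DSN/credentials are assumed placeholders.

// Vege's rule: undo magic_quotes_gpc exactly once, at the top of the request.
// get_magic_quotes_gpc() no longer exists in PHP 8, hence the function_exists() guard.
function strip_magic_quotes_once(array &$data) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        array_walk_recursive($data, function (&$v) { $v = stripslashes($v); });
    }
}

function connect() {
    // Server-side prepares: bound values are never spliced into the SQL text.
    return new PDO('mysql:host=localhost;dbname=forum;charset=utf8', 'DB_USER', 'DB_PASSWORD', array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ));
}

// RogerRamjet's rule: with PDO there is no mysql_real_escape_string() anywhere.
// Returns the id of the new row.
function insert_post(PDO $db, $thread_id, $subject, $message) {
    $stmt = $db->prepare(
        'INSERT INTO posts (thread_id, subject, message)
         VALUES (:thread_id, :subject, :message)'
    );
    // Integer column, integer parameter: escaping a string would not help here.
    $stmt->bindValue(':thread_id', (int) $thread_id, PDO::PARAM_INT);
    $stmt->bindValue(':subject',   $subject,         PDO::PARAM_STR);
    $stmt->bindValue(':message',   $message,         PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Constructed request data (stand-in for $_POST) built from the OP's test strings.
$input = array(
    'thread_id' => '7',
    'subject'   => "' OR 1 '",
    'message'   => "'; INSERT INTO user_info (user_name) VALUES ('INJECTION') '",
);
strip_magic_quotes_once($input);
$db = connect();
$id = insert_post($db, $input['thread_id'], $input['subject'], $input['message']);
// Reading the row back returns the subject and message exactly as typed:
// no backslashes added, and no second statement ever reached the server.
```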