TinyLnk
05-20-2007, 07:14 PM
How do you protect yourself?
On my site, users submit URLs and they get stored in the database after being run through urlencode(), which as far as I know makes it impossible to inject through it. The only bad part is when browsing my database the URLs are so ugly and unreadable. Anyone have a better solution? I'm too lazy to search for the SQL commands :P Anyways, just curious.
For those who don't know, SQL injection is an attack that uses the vulnerabilities of your scripts to take control of your database. They can run any command on your database, including deleting all of your tables! You have to censor any inputs that you accept, otherwise it's a vulnerability.
Example:
A simple guestbook that accepts a name, an email and a message.
In place of.. well, any of the fields, they could put an SQL command. This command will get executed by the SQL server. It will be running under whatever user you connected and logged in as in the script, so it can do anything your script can do. And if your script sends results from the database to the user, they could even retrieve passwords and other information from the database.
Don't worry though, IT IS PREVENTABLE. Don't send anything to SQL without first examining it (uhh, with the script..). Look for SQL commands in the string the user submitted, i.e.:
UPDATE
DROP
SELECT
INSERT
ALTER
CREATE
RENAME
Keep in mind also that the HTTP_USER_AGENT field can be modified. So if you are tracking browsers, you may want to check that too.
I have no links for information on preventing injection though, maybe someone else has info to share.
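An added example, not code from the original post: the guestbook from the post above, written once with string-built SQL and once with parameterized queries, against a constructed in-memory SQLite database. It takes the post's keyword list as-is and shows two things a practitioner would check: a value that uses none of the listed keywords (a single quote plus `OR '1'='1`) still changes the string-built query, and a parameterized query stores a name containing an apostrophe verbatim, so the database stays readable without urlencode(). The table name, sample rows and the `O'Brien` input are assumptions made for the example.

```python
import sqlite3

# The keyword list from the post above, reproduced here only to show what it does not catch.
KEYWORDS = ["UPDATE", "DROP", "SELECT", "INSERT", "ALTER", "CREATE", "RENAME"]


def contains_keyword(value):
    """Case-insensitive version of the post's keyword filter."""
    upper = value.upper()
    return any(k in upper for k in KEYWORDS)


def make_db():
    """Constructed in-memory guestbook with two sample entries (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE guestbook (name TEXT, email TEXT, message TEXT)")
    conn.executemany(
        "INSERT INTO guestbook VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "hi"), ("bob", "bob@example.com", "hello")],
    )
    return conn


def insert_vulnerable(conn, name, email, message):
    """String-built INSERT: a quote in any field becomes part of the SQL."""
    sql = "INSERT INTO guestbook VALUES ('%s', '%s', '%s')" % (name, email, message)
    conn.execute(sql)


def insert_safe(conn, name, email, message):
    """Parameterized INSERT: values are bound by the driver, never parsed as SQL."""
    conn.execute("INSERT INTO guestbook VALUES (?, ?, ?)", (name, email, message))


def find_by_name_vulnerable(conn, name):
    """String-built SELECT: the WHERE clause can be rewritten by the input."""
    sql = "SELECT name FROM guestbook WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_by_name_safe(conn, name):
    """Parameterized SELECT: the input is only ever compared as a value."""
    rows = conn.execute("SELECT name FROM guestbook WHERE name = ?", (name,))
    return [row[0] for row in rows]


def demo():
    conn = make_db()
    # Constructed payload: contains none of the listed keywords.
    payload = "' OR '1'='1"
    results = {
        "filter_flags_payload": contains_keyword(payload),
        # Query becomes: ... WHERE name = '' OR '1'='1'  -> every row
        "vulnerable_rows": find_by_name_vulnerable(conn, payload),
        # Query compares name to the literal string "' OR '1'='1" -> no rows
        "safe_rows": find_by_name_safe(conn, payload),
    }
    # A legitimate name with an apostrophe breaks the string-built INSERT ...
    try:
        insert_vulnerable(conn, "O'Brien", "ob@example.com", "hi")
        results["vulnerable_insert_error"] = None
    except sqlite3.OperationalError as exc:
        results["vulnerable_insert_error"] = str(exc)
    # ... and is stored as-is by the parameterized one, readable in the database.
    insert_safe(conn, "O'Brien", "ob@example.com", "hi")
    results["stored_name"] = find_by_name_safe(conn, "O'Brien")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The same pattern applies to the URL-shortener case: bind the URL as a parameter and store it untouched; urlencode() is for putting a value into a URL, not into a query.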