Web Hosting Forum | Lunarpages


*
Welcome, Guest. Please login or register.
Did you miss your activation email?


Login with username, password and session length
February 09, 2012, 10:45:47 AM

Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: sql sanitation  (Read 2403 times)
durangod
Galactic Royalty
*****
Offline Offline

Posts: 203
« on: June 26, 2010, 04:49:43 AM »
i just thought i would start a thread because does not appear to have been discussed before..  from what i have googled so far, sanitation (a term i have not heard of before) i gather means to simply make sure that the information sent to the db is pure and without any kind of injection of data either before the post or following the post...

for those of you that dont know about this maybe we can learn together, for those of you that do, we dont ask that you do it for us, just give us a helping hand and push us in the right direction when you can... i certainly want to learn better ways to be safe and offer safe process for the members of my site....

now for some reading..... ill be back...  Very Happy
Logged
MrPhil
Berserker Poster
*****
Offline Offline

Posts: 5083
« Reply #1 on: July 12, 2010, 03:13:04 PM »
I believe that you're talking about taking measures (sanitizing input) against "SQL injection attacks". A simple example would be a user name input by the user, for an account to drop. An SQL statement might be
Code:
DELETE FROM tablename WHERE accountname='$username';
Let's say a rogue user enters sam' OR 1=1 OR accountname='george or something like that. The resulting SQL statement would be
Code:
DELETE FROM tablename WHERE accountname='sam' OR 1=1 OR accountname='george';
which would wipe out all your users. In this case, escaping ' (as \') in the input (addslashes) would give
Code:
DELETE FROM tablename WHERE accountname='sam\' OR 1=1 OR accountname=\'george';
which should either give an SQL error, or (more likely) match no records (accountname is not sam' OR 1=1 OR accountname='george).
Logged
durangod
Galactic Royalty
*****
Offline Offline

Posts: 203
« Reply #2 on: July 17, 2010, 12:21:14 PM »
thanks for the info phil, i found alot on the net in dif forums and such, but it seems the examples dont go as far as saying specifically this will prevent injection or they are so confusing in their explanation i just get lost... yours is the first example that i have seen that brings clarity to this..

here is the deal im sure you read in other thread of mine that i got hit with injection because of a function file that was not coded properly and it allow for injection, and in that thread there is a link to a page that says there is no known correction for this files issues, i found that hard to believe so i scrapped project and started over modifying one of my existing owned php projects that i know is safe from injection and stripping it down to where it will work for this project..   but omg what a miserable way to do it...  but now that i read what you said maybe there is hope for the old one and i can get it on the market and it will be safe...

what confuses me is that i know that your method works because i trust you,  but none of my current project uses your idea, what i have been told is that my program protects against injection by making everything an int value...   thats a brain full..

so i thought i would keep this simple not only for me but for others.   here are three samples of the contents of the file that is open to injection, there are tons of functions in this file so here is just three.. two that are auto update and one that is actual input from user.

 
Code:
function addHit($aId)
{
$sql  = "UPDATE `{$this->mPrefix}affiliates` ";
$sql .= "SET `hits` = `hits` + 1 WHERE `id` = '{$aId}'";

return $this->mDb->query($sql);
}




second one

Code:
function addVisitor($aId, $aPid, $aUid, $aReferrer)
{
$sql  = "INSERT INTO `{$this->mPrefix}tracking` ";
$sql .= " (`aff_id`, `pid`, `uid`, `referrer`, `date`, `time`, `hit_ip`) ";
$sql .= " VALUES ('{$aId}', '{$aPid}', '{$aUid}', '{$aReferrer}', NOW(), NOW(), '{$_SERVER["REMOTE_ADDR"]}') ";

return $this->mDb->query($sql);


third one, actual input from user

Code:
function setNewPass($aAff)
{
if((INT)$aAff['id']<=0)
{
return;
}
$sql = "UPDATE `{$this->mPrefix}affiliates` SET ";
$sql .= "`password` = md5('{$aAff['password']}') ";
$sql .= "WHERE `id` = '{$aAff['id']}'";

return $this->mDb->query($sql);
}


so what your saying is adding the \ in the appropriate places for each of these functions will allow for escape and prevent injection...
« Last Edit: July 17, 2010, 12:29:00 PM by durangod » Logged
MrPhil
Berserker Poster
*****
Offline Offline

Posts: 5083
« Reply #3 on: July 17, 2010, 01:11:59 PM »
Quote from: durangod on July 17, 2010, 12:21:14 PM
yours is the first example that i have seen that brings clarity to this..
Thank you!

Quote
what i have been told is that my program protects against injection by making everything an int value...   thats a brain full..
Well, if the field is an integer, and you take steps to ensure that all inputs are actually just integers, that should work too... The idea is that, given the field types and what operations are being done (INSERTs, SELECTs, UPDATEs, etc.) using these inputs, try to figure out all the bogus inputs that someone might give, to get around whatever security you might have. In my previous posting, I gave an example where a field was being compared against an input, but someone who knew (or could guess) what the SQL statement was could fashion their input so as to fool the SQL statement into doing something different than what you intended.

Quote
Code:
$sql .= "SET `hits` = `hits` + 1 WHERE `id` = '{$aId}'";
If you have done something to absolutely verify that $aId is an integer and nothing but an integer, that should be safe. The single quotes ' would not even be needed. However, if a user could sneak in 123' OR 1=1 OR id='456, they would get a "WHERE" clause that was always true (so all records would have their "hits" incremented).

Quote
Code:
$sql .= " VALUES ('{$aId}', '{$aPid}', '{$aUid}', '{$aReferrer}', NOW(), NOW(), '{$_SERVER["REMOTE_ADDR"]}') ";
If you have verified that $aId, $aPid, $aUid (user inputs?) are integers, that should be OK. If there is a mismatch between the field type and what you're trying to store in the record, you'll probably get an SQL error. BTW, I see you using NOW() for both date and time fields. Be sure to check that it's doing the expected thing (is `date` actually a date field, and similar for `time`?). date and time are SQL reserved words, so it's not good to use them as field names (putting them in `backticks` should prevent an error).

Quote
Code:
if((INT)$aAff['id']<=0)
{
return;
}
If you've confirmed that casting $aAff['id'] to an int will return a non-positive integer for any incorrect input, then it sounds like you're set. Just be sure to check cases such as 123' OR 1=1 OR id='456 that you don't pass inspection with a 123 value. What you might consider doing is assigning the cast value into a local integer variable, and using that in the query:
Code:
$local = (int)$aAff['id'];
   if ($local <= 0) return;
$sql = "UPDATE `{$this->mPrefix}affiliates` SET ";
$sql .= "`password` = md5('{$aAff['password']}') ";
$sql .= "WHERE `id` = '{$local}'";

Quote
so what your saying is adding the \ in the appropriate places for each of these functions will allow for escape and prevent injection...
Don't do it by rote. You need to understand what the hacker could possibly do with bad input, and guard against it appropriately. Sometimes it's just running the input through addslashes() so that ' in the input doesn't actually end the term in the SQL statement (with more stuff following that does bad things). Other times you may need to do other things -- there are many tools in the toolbox.
Logged
durangod
Galactic Royalty
*****
Offline Offline

Posts: 203
« Reply #4 on: July 17, 2010, 06:04:40 PM »
thank you phil, that is invaluable feedback and very elequently put, crystal clear....  Thumbs Up
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to: