injection attacks.. just wana get something straight.

Tea_J

There's been a lot of code injection and sql injection going on around lately...

went through several articles about SQL injection as well as documented exploits in popular php software such as vBulletin...

Now.. it seems that SQL Injection is mainly present if a variable/string is being passed to the database without escaping quotes..

i've sum up 2 most common tips to avoid SQL injection

1) always addslashes your strings if magic quotes are off on your server
2) use mysql's addslashes built in routine to do so.

but i was thinking. if quote is the root problem of this big issue, why not just enable magic_quotes_gpc = ON, or turning it on during runtime, or embed on top of your scripts addslash routines if magic quotes are off such as:

if(get_magic_quotes_gpc){

$GET = array_map(addslashes,$GET);

}

...and be done with it....

I was also thinging, better yet, forget addslahses.. if you dont wana mess with adding and stripping slashes all the time, why not simply convert quotes to "%27" or some other form?

..... just that.. i dont see what's the big deal with all the big talk about techniques, and special methods, etc etc.. i could be missing something here.. or i could be in the right track for thinking this is such a simple problem that's just overlooked with carelessness at times.

hmm. sorry, i guess reading all these articles got me paranoid and confused..

MarkR

Tea_J wrote:
Now.. it seems that SQL Injection is mainly present if a variable/string is being passed to the database without escaping quotes..

Yes, without escaping quotes correctly.

i've sum up 2 most common tips to avoid SQL injection

1) always addslashes your strings if magic quotes are off on your server

No, never do that.

addslashes is not the correct way to escape quotes in any database. Each database has its own method, and addslashes() is not correct for any of them.

For the same reason, magic quotes is ultimately extremely misguided and will definitely cause problems.

2) use mysql's addslashes built in routine to do so.

How are you expecting to pass the string to THAT routine correctly? Surely that would be a catch-22, because you'd need to escape the string in order to pass it correctly into there?

but i was thinking. if quote is the root problem of this big issue, why not just enable magic_quotes_gpc = ON,

Because:

It doesn't escape strings correctly
It escapes things even when escaping is not necessary, thus introducing corruption

if(get_magic_quotes_gpc){
$GET = array_map(addslashes,$GET);
}

For the same reason that magic_quotes are bad. Because it is not the correct place to do it, and will cause data corruption.

...and be done with it....

And be done with any notion of correct data.

I was also thinging, better yet, forget addslahses..

Ahh, some sense at last!

if you dont wana mess with adding and stripping slashes all the time, why not simply convert quotes to "%27" or some other form?

Because, you want to store the correct data in your database.

You can store data in your database in any format you like, but if you don't store it in its correct (i.e. original) form, any advantages from having it in a DB will be lost:

Indexing won't work correctly
Searching won't work correctly
Integration with third party applications will be much more difficult

..... just that.. i dont see what's the big deal with all the big talk about techniques, and special methods, etc etc..

The One True Way of avoiding SQL injection, is by using parameterised (i.e. prepared) queries. There is no other way which is as sensible. Every other method is some kind of cludge by comparison. This method is also entirely independent of what database you're using, and always gets the data right and uncorrupted, as well as being invulnerable to SQL injection.

Mark

Tea_J

Hi mark.. thanks for your input.. at least it clarified with me that this whole thing is just a quote problem..

I have decided to do this.. (after further research and reading of replies such as yours)

my environment is always PHP and MYSQL on APACHE or windows.. i dont do other databases..

My procedure:
1) detect if magic quotes is on
2) stripslashes on all POST GET COOKIE vars (quotes cause problems in SQL queries only)
3) anything that i will put in the database i run through ADDSLASHES() ..yes.. you heard me right.. 🙂
POINTS
- I've seen lots of suggestions to use mysql_real_escape_string instead.
- i've read about addslashes are actually fine for MySQL really (got this info from different sources is from php.net comments, several articles, MySQL manual itself ..
- mysql_real_escape_string() requires a connection and adds to the "keep in mind" thing...want things to be simple really.

an alternative is to create my own addslash routine that replaces certain bad boy characters only.. but what's the point? addslashes works a gem according to lots..

What you guys think? can i sleep now? lol

Drakla

http://www.webmasterstop.com/63.html

Tea_J

@
been there prior to this post.. thanks anyway