[RESOLVED] Next step to stop hackers!

Zpixel

Hello again. there is an old shop script i want to make it safe against sql injection(I dont want to make vast changes and rewrite the script).

i've written a code to filter get & post variables like this:

$banned = array("select", "from", "concat", "count", "insert", "delete", "database","group","null","ascii","union","where");

foreach($_GET as $x => $y)
if($y!=str_ireplace($banned, "", $y)) exit;

foreach($_POST as $x => $y)
if($y!=str_ireplace($banned, "", $y)) exit;

my hacker associate (the bad character of story) says: "that code works but i can send data to your script using hashig, so i can overcome your filter and reveal your username and password(the weakness of my script)".

now my question: can somebody send data using hashing to a script?
how to do?
and how to prevent?

thanks.

laserlight

That is a wrong approach: blacklisting keywords is subject to an incomplete blacklist, or insufficient checks based on the blacklist. Furthermore, the blacklist may include words that are otherwise valid input, hence risking corruption of data or rejection of perfectly valid input.

A better approach is to use prepared statements. If you cannot do that, or if it is really too much work to change, then the next best approach is to use the proper escape mechanisms for your database interface.

Zpixel

well. this is a heavy script written using smarty. another key function in the script is the

function db_query( $s )
{
$res = array( );
$res['resource'] = mysql_query( $s );

$res['columns'] = array( );
$column_index = 0;
while ( $xwer = @mysql_fetch_field( @$res['resource'] ) )
{
    $res['columns'][$xwer->name] = $column_index;
    ++$column_index;
}
return $res;

}

can we use that mechanism here?

laserlight

No, you have to use it prior to calling this convenience function.

Microsuck

Whatever happened to using mysql_real_escape_string()?

Weedpacket

Whatever happened to using PDO?

Zpixel

can we recognize if somebody is sending hex data toward a script.
I tried to save GET & POST data sent to this address: http://www.pnzagros.com/me/
in hope to find the way hacker acts to extract the administrator username and password but nothing important i could find. what's your opinion?

my user and password:
<snipped>

saved qwery result: attachment qwery.txt
server error log: attachment error_log.zip

laserlight

Eh, even if it is just a test site, you should not be handing out credentials like that.

Anyway, aren't you listening?

Zpixel

listening?

laserlight

Okay, let me try again: to prevent SQL injection, one of the most important steps is to sanitise the data used in your SQL statements. Prepared statements do this very well by separating the SQL statement from the data. Failing that, an appropriate escape mechanism, e.g., casting variables to a numeric type or using a string escape function, should be used.

As such, I do not see what is this business about "recognize if somebody is sending hex data toward a script" and "find the way hacker acts to extract the administrator username and password".

Zpixel

thanks. your explanation was clear.