SQL Injection - A simple way to prevent

Test33 · #1 06-15-2006, 11:21 PM

Alright, I've made a post on another thread with this way.

By turning ON magic quotes this should stop most SQL injections. I haven't done a lot of testing, but I have not be able to inject anything into my MySQL database.

Here is how you would do an SQL injection.

Code:

"a'; DROP TABLE users; SELECT * FROM data WHERE name LIKE '%"

in the place of username/password etc fields. Now, with magic quotes off, this is the full sql query

Code:

SELECT * FROM users WHERE name = 'a'; DROP TABLE users; SELECT * FROM data WHERE name LIKE '%';

This would stop the sql code from being executed.

Now, this is what it would look like with magic quotes on

Code:

SELECT * FROM users WHERE name = 'a\'; DROP TABLE users; SELECT * FROM data WHERE name LIKE \'%';

Remember, that this will not stop all sql injections, but it should stop most of them.

Since, I do not have a reputation here, at least I don't think I do. I'll give you the tutorial on how to do it, right here, free. Then you can contact me if you still need help.

Since most people today just run shared hosting, you do not have access to your php.ini, but I also found out, that it is possible to do it from your .htaccess file, however, it doesn't always work. So instead all you need to use is the "addslashes" function.

Open the file that you want to add the function to.
Find the variable that you want to add slashs to. I'll call it $a;
Below it, add $a = addslashes($a);

Make sure your names for the variables are correct. You should have basic knowledge of PHP before attempting this.

If you have access to your php.ini just do this:

Open php.ini
Find magic_quotes_gpc off
change off to on

This will affect ALL your scripts, and might not be good, but it's the easy way out.

Now, I haven't looked too much at GC HYIP script, since the code is messy =P. But I'll try to add a function to make it easier for all of you. Or unless, naversay wants to, or if he already has.

I want other people to list their ways of 'patching' this problem up. I'm sure their are better ways then using addslashes function. So post it. Also, tell me if this will work or wont work. I've only tested it on my projects, 'cause I can read the code =)

neversay · #2 06-16-2006, 12:34 AM

Well this is the function to test if you magic quote is on

$gpc = ini_get ('magic_quotes_gpc');

Test33 · #3 06-16-2006, 12:47 AM

Also noted, that magic quotes will not be implanted in PHP6. Even though, almost everyone is still on PHP4.

You can set it using the set magic quotes function, however, for some reason it doesn't not work with my server, so I did not add that to my post above, as I wouldn't be able to support it.

neversay · #4 06-16-2006, 12:50 AM

That's what I've been doing.
I just filtering user input that is related to sql queries myself.

CashMonster · #5 06-16-2006, 01:00 AM

Very helpful thanks

Test33 · #6 06-16-2006, 01:42 AM

Alright, I think this might work, but I have not tested it. I will later, but I just wanted to get you take on it.

For the GC HYIP, at line (or around) 26, where you have $resualt = mysql_query($query)...
If you place above that $query = $ addslashes($query); then it should place the slashes into the all queries of the HYIP.