9 Replies - 1162 Views - Last Post: 25 May 2012 - 04:43 PM

#1 rpgmaker (D.I.C Head, Reputation: 2, Posts: 224, Joined: 02-October 11)

Sql Injection

Posted 25 May 2012 - 01:54 PM

Hello, I thought this would be the best place to come to ask about SQL injections. I have been watching http://www.youtube.c...h?v=bORZlmyDw0s

And noticed they just use one function to stop SQL injection; would this work? The function they use is:

function mres($input){
    // Undo the addslashes() that magic_quotes_gpc applied to request data,
    // so the value is not escaped twice
    if (get_magic_quotes_gpc()){
        $input = stripslashes($input);
    }
    // Escape quotes, backslashes and NUL for use inside a quoted SQL string literal
    return mysql_real_escape_string($input);
}




And then here it is in my login script:


function mres($input){
    if (get_magic_quotes_gpc()){
        $input = stripslashes($input);
    }
    return mysql_real_escape_string($input);
}

// session.cookie_httponly only affects the session cookie when it is set
// before the session is started, so both calls belong at the top of the script
ini_set('session.cookie_httponly', true);
session_start();

if(isset($_POST['login']))
{
    if(!isset($_SESSION['last_ip'])){
        $_SESSION['last_ip'] = $_SERVER['REMOTE_ADDR'];
    }

    if ($_SESSION['last_ip'] !== $_SERVER['REMOTE_ADDR']){
        session_unset();
        session_destroy();
    }
    $user = mres($_POST['username']);
    $pass = mysql_real_escape_string($_POST['password']);
    $pass2 = strip_tags($pass);
    $pass1 = md5($pass2);

    $mod = 1;

    $sql = "SELECT * FROM users WHERE username='".$user."' AND password = '".$pass1."'";
    $result = mysql_query($sql) or die(mysql_error());
    $battle_get = mysql_fetch_array($result);

    if ( $battle_get['mod'] == 1 ) {
        $month = time() + 3600*24*30;
        $hour = time() + 3600;
        $LastLogin = date('l, M d, Y H:i:s');
        $_SESSION['user'] = $_POST['username'];
        // $user22 in the original was never defined; $user is meant
        setcookie("save_user", stripslashes(htmlentities($user)), $hour);
        setcookie("save_pass", stripslashes(htmlentities($user)), $month);
        $username = stripslashes(htmlentities($user));
        // note: stripslashes() removes the escaping mres() added, so $username
        // goes into this second query unescaped
        $result = mysql_query("UPDATE users SET LastLogin = '$LastLogin' WHERE username='$username'");
        header("location: home.php");
        exit;
    }
}




As you can see from my login script, I check the IP on every page, so that if someone logs in as bob with the IP 1.2.3 and then tries to edit the session and change the username, it will log the person out and destroy the session (this works great).



But I'd just like to know: does the function make them safe from SQL injection?

You can see I've used the function for the username, because the password is md5:

$user= mres($_POST['username']);


Also, can someone explain what the function does? And wouldn't I have to change $input to every variable I have?

This post has been edited by rpgmaker: 25 May 2012 - 02:00 PM


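The login lookup from the post above, written with a PDO prepared statement. This is an added example, not rpgmaker's code or the video's: it keeps the original's users table, its username/password/mod/LastLogin columns and the mod == 1 gate, leaves the session IP check out, and uses placeholder DSN and credentials. Storing a password_hash() value and checking it with password_verify() (PHP 5.5+) instead of the md5() the original stores is an assumption made here, not something the thread says.

```php
<?php
// Added example, not rpgmaker's code: the login lookup from post #1 done with
// a PDO prepared statement. Table and column names (users, username, password,
// mod, LastLogin) are the original script's; DSN and credentials are placeholders.
ini_set('session.cookie_httponly', '1');   // must precede session_start() to take effect
session_start();

$db = new PDO(
    'mysql:host=localhost;dbname=myDatabase;charset=utf8mb4',   // placeholder DSN
    'myDatabaseUser', 'myDatabaseUserPassword',                 // placeholder credentials
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
        PDO::ATTR_EMULATE_PREPARES => false,                  // let the server do the preparing
    ]
);

if (isset($_POST['login'], $_POST['username'], $_POST['password'])) {
    // No mres()/escaping anywhere: the username never becomes part of the SQL
    // text, it is sent separately and bound to the :username placeholder.
    $stmt = $db->prepare(
        'SELECT username, password, `mod` FROM users WHERE username = :username'
    );
    $stmt->execute([':username' => $_POST['username']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Assumption: the password column holds a password_hash() value instead of
    // the md5() the original stores; password_verify() compares in constant time.
    if ($row !== false
        && password_verify($_POST['password'], $row['password'])
        && (int) $row['mod'] === 1) {            // the original's mod == 1 gate
        session_regenerate_id(true);              // fresh session id after login
        $_SESSION['user']    = $row['username'];
        $_SESSION['last_ip'] = $_SERVER['REMOTE_ADDR'];

        // The UPDATE is parameterised the same way; in the original it was
        // built by concatenation after stripslashes() had undone the escaping.
        $upd = $db->prepare(
            'UPDATE users SET LastLogin = :lastLogin WHERE username = :username'
        );
        $upd->execute([
            ':lastLogin' => date('l, M d, Y H:i:s'),   // same format the original writes
            ':username'  => $row['username'],
        ]);

        header('Location: home.php');
        exit;
    }
    // One message for both "no such user" and "wrong password".
    echo 'Login failed';
}
```

Because the values travel to the server separately from the statement text, there is no variable to pass through mres() and no $input to rename; every user-supplied value goes through a placeholder instead.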

Replies To: Sql Injection

#2 CTphpnwb (D.I.C Lover, Reputation: 2990, Posts: 10,329, Joined: 08-August 08)

Re: Sql Injection

Posted 25 May 2012 - 02:09 PM

Learn to use prepared statements and you can forget about SQL injection.

#3 rpgmaker (D.I.C Head, Reputation: 2, Posts: 224, Joined: 02-October 11)

Re: Sql Injection

Posted 25 May 2012 - 02:16 PM

So I'm guessing the function won't protect me? I'm guessing this is what you mean: http://php.net/manua...-statements.php? I think I can get the hang of that; it doesn't look that bad. So I'm guessing if I use prepared statements then I'll be safe? Will I have to escape any of my variables or anything still?

#4 Slice (sudo pacman -S moneyz, Reputation: 244, Posts: 716, Joined: 24-November 08)

Re: Sql Injection

Posted 25 May 2012 - 03:01 PM

rpgmaker, on 25 May 2012 - 03:16 PM, said:

Will I have to escape any of my variables or anything still?


No, that's the beauty of prepared statements. Just make sure you use placeholders in queries and don't try to insert raw data.

Check out this great post for an introduction to PDO, in the tutorials section.
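Where a placeholder can and cannot go, as an added example that is not from Slice's post or the linked tutorial. It goes a little beyond the "placeholders only" rule: a placeholder works for values, but not for a column name in ORDER BY, and LIMIT has to be bound as an integer; an IN list needs one placeholder per value. The recipes table is the one from the tutorial code quoted later in this thread; $db is assumed to be a PDO connection opened with PDO::ERRMODE_EXCEPTION and emulated prepares off, and find_recipes() and recipes_by_chefs() are names chosen here.

```php
<?php
// Added example (not from the thread). $db is assumed to be a PDO connection
// opened with PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION and
// PDO::ATTR_EMULATE_PREPARES => false.

function find_recipes(PDO $db, string $fish, string $orderBy, int $limit): array
{
    // 1. Values: always a placeholder, never concatenated into the SQL text.
    // 2. Identifiers (column names) cannot be bound at all, so the sort column
    //    is chosen from a whitelist and only then put into the string.
    $allowedColumns = ['recipe_name', 'chef_name'];
    if (!in_array($orderBy, $allowedColumns, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    // 3. LIMIT is a value, but it must be bound as an integer. With PDO's
    //    emulated prepares (the MySQL driver default) a string would be quoted,
    //    producing LIMIT '20', which MySQL rejects.
    $limit = max(1, min($limit, 100));

    $sql = "SELECT recipe_name FROM recipes WHERE fish_type = :fish"
         . " ORDER BY $orderBy LIMIT :limit";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':fish',  $fish,  PDO::PARAM_STR);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 4. A variable-length IN (...) list: generate one ? per value and pass the
//    values positionally. The SQL text only ever contains question marks.
function recipes_by_chefs(PDO $db, array $chefs): array
{
    if ($chefs === []) {
        return [];
    }
    $marks = implode(',', array_fill(0, count($chefs), '?'));
    $stmt  = $db->prepare(
        "SELECT recipe_name FROM recipes WHERE chef_name IN ($marks)"
    );
    $stmt->execute(array_values($chefs));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// What not to do: calling prepare() on a string that already contains the
// raw input is not a prepared statement in any useful sense.
//   $db->prepare("SELECT recipe_name FROM recipes WHERE fish_type = '{$_POST['fish']}'");

// Usage, with constructed inputs:
//   find_recipes($db, $_POST['fish'] ?? '', $_GET['sort'] ?? 'recipe_name', (int) ($_GET['n'] ?? 20));
//   recipes_by_chefs($db, ['Alice', 'Bob']);
```

The whitelist step is the part that escaping and placeholders both leave uncovered: anything that is part of the statement's structure (table, column, sort direction) has to be validated against a fixed list rather than bound.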

#5 e_i_pi (= -1, Reputation: 795, Posts: 1,681, Joined: 30-January 09)

Re: Sql Injection

Posted 25 May 2012 - 03:11 PM

Also, check out Dormilich's Be Prepared For Your Database tutorial. Reading both tutorials will greatly help you understand how to use PDO.

#6 rpgmaker (D.I.C Head, Reputation: 2, Posts: 224, Joined: 02-October 11)

Re: Sql Injection

Posted 25 May 2012 - 03:24 PM

Thanks everyone. I found a good connect tutorial here, which Dormilich mentioned in the first tutorial link that was given. That tutorial seems easier to understand. I think I'll spend the next few days trying to understand the placeholders in queries and hope that no one can SQL inject it. I'm guessing this would be safe from SQL injections:

$statement = $db->prepare("SELECT recipe_name FROM recipes WHERE fish_type = ? AND chef_name = ? LIMIT 20");
$statement->execute(array($_POST['fish'], $_POST['chef']));

while ($result = $statement->fetchObject()) {
    echo $result->recipe_name;
    echo "<br />";
}


And the connect:
// Fill in all the info we need to connect to the database.
// This is the same info you need even if you're using the old mysql_ library.
$host = 'localhost';
$port = 3306; // This is the default port for MySQL
$database = 'myDatabase';
$username = 'myDatabaseUser';
$password = 'myDatabaseUserPassword';

// Construct the DSN, or "Data Source Name".  Really, it's just a fancy name
// for a string that says what type of server we're connecting to, and how
// to connect to it.  As long as the above is filled out, this line is all
// you need :)
$dsn = "mysql:host=$host;port=$port;dbname=$database";

// Connect!
$db = new PDO($dsn, $username, $password);




This code was given in the tutorial. I just wanted to know if it's safe from SQL injection so I can base all my coding on it, e.g. every time I want to connect, use the same code etc.

#7 Dormilich (痛覚残留, Reputation: 3541, Posts: 10,236, Joined: 08-June 10)

Re: Sql Injection

Posted 25 May 2012 - 03:29 PM

As has been repeatedly said, prepared statements are immune to SQL injections.

#8 rpgmaker (D.I.C Head, Reputation: 2, Posts: 224, Joined: 02-October 11)

Re: Sql Injection

Posted 25 May 2012 - 03:31 PM

Thanks just wanted to confirm it. Thanks to everyone here.

#9 noname_clark (D.I.C Head, Reputation: 4, Posts: 75, Joined: 22-October 08)

Re: Sql Injection

Posted 25 May 2012 - 04:00 PM

Dormilich, on 25 May 2012 - 04:29 PM, said:

As has been repeatedly said, prepared statements are immune to SQL injections.


Wait, with PHP 5 though, you don't need to prepare them anymore; all data sent through forms POSTing already has the characters escaped out, right? Or am I wrong on that?
Because I remember when my server switched from PHP 4 to 5 I didn't have to worry about escaping quotes out (on at least the forms that only I used).
Is preparing form data really still necessary?

#10 Dormilich (痛覚残留, Reputation: 3541, Posts: 10,236, Joined: 08-June 10)

Re: Sql Injection

Posted 25 May 2012 - 04:43 PM

The one has nothing to do with the other. What you observed was done through magic_quotes_gpc, which IIRC is removed in PHP 5.4. However, escaping is not a guarantee for SQL safety, as there are a lot of injection techniques not using ' at all.

And yes, preparing is the only absolutely safe method there is.
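An added example, not code from the thread, that covers two points raised above: rpgmaker's question in post #1 about what mres() actually does, and Dormilich's remark that escaping is no guarantee because not every injection needs a quote. It simulates mres() under magic quotes and then shows that escaping leaves a value destined for an unquoted (numeric) position untouched. escape_like_mysql() is a stand-in assumed here for mysql_real_escape_string(), which needs a live connection; the magic-quotes flag replaces get_magic_quotes_gpc(), and all input strings are constructed.

```php
<?php
// Added example, not code from the thread. mysql_real_escape_string() needs an
// open connection (and the mysql_ extension is gone since PHP 7), so
// escape_like_mysql() is a stand-in that escapes the same seven characters:
// NUL, newline, carriage return, backslash, single quote, double quote, Ctrl-Z.
function escape_like_mysql(string $s): string
{
    return strtr($s, [
        "\0"   => '\\0',  "\n" => '\\n',  "\r" => '\\r',
        '\\'   => '\\\\', "'"  => "\\'",  '"'  => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// mres() from post #1, with get_magic_quotes_gpc() replaced by a flag.
function mres(string $input, bool $magicQuotesOn): string
{
    if ($magicQuotesOn) {
        $input = stripslashes($input); // undo the addslashes() PHP applied to $_POST
    }
    return escape_like_mysql($input);
}

// 1. What the stripslashes() is for. With magic_quotes_gpc on, the raw value
//    O'Brien reached the script already as O\'Brien; addslashes() recreates that.
$raw     = "O'Brien";
$arrived = addslashes($raw);

$once  = mres($arrived, true);         // strip, then escape: one backslash before the quote
$twice = escape_like_mysql($arrived);  // escape without stripping: the backslash is escaped too
var_dump($once === escape_like_mysql($raw));  // same result as escaping the raw value once
var_dump($twice === $once);                   // the double-escaped form is different
var_dump(substr_count($twice, '\\'));         // backslash count shows the extra escaping

// 2. Escaping only protects a value that will sit between quotes in the SQL
//    text. A value containing none of the seven characters passes through
//    untouched, so in an unquoted position (a numeric column) the whole input
//    becomes part of the statement, escaped or not.
$id = '42 notanumber';                          // constructed bad input for an integer column
var_dump(escape_like_mysql($id) === $id);       // nothing was escaped
$sql = 'SELECT * FROM users WHERE id = ' . escape_like_mysql($id);
var_dump($sql);                                 // everything after 42 is now SQL, not a value

// Fix: reject the value before it gets near the query, or bind it as an
// integer with a prepared statement (for PDO: bindValue(':id', (int) $id, PDO::PARAM_INT)).
function valid_id(string $candidate): bool
{
    return filter_var($candidate, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) !== false;
}
var_dump(valid_id($id));   // the constructed input is rejected
var_dump(valid_id('42'));  // a plain integer is accepted
```

The first part explains the wrapper: mres() exists only to avoid escaping twice when magic quotes had already added a backslash. The second part is the gap Dormilich refers to: escaping is tied to the quoted-string context, so for anything that is not placed inside quotes it does nothing, which is why the thread's advice is to bind every value through a prepared statement rather than escape it.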
